> Not exactly. Yes, revealing the combination requires the person to implicitly admit that they know what the combination is. But if the government can prove that they already know this "testimony" -- which they can in most cases -- then the "foregone conclusion" doctrine applies and the 5th Amendment privilege cannot be asserted.
That's fascinating, thank you for sharing! That helps make my point, though, that the legal framework for handling encryption already exists and just needs to be clarified a little bit, instead of making new, far-reaching laws with serious implications on the landscape.
> I don't see how it violates user privacy or trust. In general, you don't have the right to keep records secure from law enforcement if they have a warrant. If this law is passed, these companies should simply disclose to their customers that they will provide law enforcement with the means to decrypt their data, as many already do.
It will get abused. Just like wire tapping got abused, just like NSA surveillance got abused. Furthermore, having a master key floating around means that at some point, inevitably, a foreign government or organization will get ahold of it. If this were implemented correctly—over a special, secure channel that only law enforcement could access (with a warrant!)—that would be mostly harmless, but I simply don't trust our government and businesses to implement anything correctly that has to do with the privacy and security of user data. There have simply been too many previous violations.
> I also don't see how it severely undermines encryption. Yes, end-to-end encryption is more secure, but it's not the industry norm. Security is relative, but I wouldn't call Gmail "insecure" just because Google allows law enforcement to read emails with a warrant.
But the issue with bills like the EARN IT Act is that they make end-to-end encryption completely infeasible for any company to implement. That's the problem: you can't even have E2EE in the first place if it passes, because it conflicts with the requirement to allow law enforcement to be able to read messages.

I think this can be a reasonable argument, but it depends on whether criminal suspects generally comply with decryption orders. If most don't, then it is understandable that the government also wants the keys to reside with parties that almost certainly will comply: OEMs and service providers.
> It will get abused. Just like wire tapping got abused, just like NSA surveillance got abused.
Yes, warrants get abused, but they're necessary for the criminal justice system to function.
I think we need to be careful not to conflate this issue with warrantless surveillance, which is a different beast.
> Furthermore, having a master key floating around means that at some point, inevitably, a foreign government or organization will get ahold of it.
I don't see why this is necessarily true, and many Internet services are premised on it not being true. HTTPS requires that you trust the ability of CAs to keep their master keys secret. Gmail and Outlook require that you trust that Google and Microsoft will keep their master keys secret.
> But the issue with bills like the EARN IT Act is that they make end-to-end encryption completely infeasible for any company to implement.
I realize that. My point was that there's an argument to be made that in practice, most people don't use E2EE or even need it in the first place.
E2EE is probably necessary in certain cases -- for example, if you're a dissident in an authoritarian regime. But that doesn't mean it needs to come standard on every iPhone.
To be honest, I'm undecided on this issue. Maybe the security benefits of standard E2EE are worth making it more difficult for law enforcement to execute lawful search warrants. But to me the answer isn't obvious.