| > That helps make my point, though, that the legal framework for handling encryption already exists and just needs to be clarified a little bit, instead of making new, far-reaching laws with serious implications on the landscape. I think this can be a reasonable argument, but it depends on whether criminal suspects generally comply with decryption orders. If most don't, then it is understandable that the government also wants the keys to reside with parties that almost certainly will comply: OEMs and service providers. > It will get abused. Just like wire tapping got abused, just like NSA surveillance got abused. Yes, warrants get abused, but they're necessary for the criminal justice system to function. I think we need to be careful not to conflate this issue with warrantless surveillance, which is a different beast. > Furthermore, having a master key floating around means that at some point, inevitably, a foreign government or organization will get ahold of it. I don't see why this is necessarily true, and many Internet services are premised on it not being true. HTTPS requires that you trust the ability of CAs to keep their master keys secret. Gmail and Outlook require that you trust that Google and Microsoft will keep their master keys secret. > But the issue with bills like the EARN IT Act is that they make end-to-end encryption completely infeasible for any company to implement. I realize that. My point was that there's an argument to be made that in practice, most people don't use E2EE or even need it in the first place. E2EE is probably necessary in certain cases -- for example, if you're a dissident in an authoritarian regime. But that doesn't mean it needs to come standard on every iPhone. To be honest, I'm undecided on this issue. Maybe the security benefits of standard E2EE are worth making it more difficult for law enforcement to execute lawful search warrants. But to me the answer isn't obvious. |