X

Feds see opening on encryption as tech firms sign on to protect children

Facebook, Google and others are adopting voluntary guidelines to help prevent child sexual exploitation online. Requirements on encryption aren't included, but officials are raising the issue.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
5 min read
phone-encryption-01.jpg

The Department of Justice announced an initiative on Thursday that sets up another encryption battle with tech giants. 

Angela Lang/CNET

Google , Facebook , Microsoft, Twitter, Snap and Roblox have agreed to adopt 11 voluntary principles to prevent online child sexual exploitation, government officials said Thursday. But the effort also hints at the potential to undercut encryption , an essential element of online security.

US Attorney General William Barr announced the initiative, joined by acting Homeland Security Secretary Chad Wolf and senior government officials from Canada, the United Kingdom, Australia and New Zealand. 

Representatives from the six companies were also at the press conference. 

The voluntary principles would require companies to prevent child sexual abuse from spreading on their platforms and to adopt enhanced safety measures for protecting children online. The principles also ask tech companies to share more information with one another and with governments. 

"We stand behind these principles and will be working with our members to both spread awareness of them and redouble our efforts to bring industry together to promote transparency, share expertise and accelerate new technologies to combat online child sexual exploitation and abuse," the coalition said in a statement.

"The principles unveiled today," said Del Harvey, Twitter's vice president of trust and safety, "represent a valuable step in driving collective action across industry, government, and civil society."

The initiative doesn't include requirements on encryption, but government officials at the press conference addressed their issues with the security technology.

"We recognize encryption is an essential cybersecurity tool in the hands of the right people, but like any tool, it can be abused," Wolf said. "Should certain platforms go dark, our investigatory capabilities and lawful access will be significantly affected."

Governments have made many efforts to weaken end-to-end encryption provided by tech giants. The technology protects people's data from being spied on or stolen, but governments have argued that criminals are taking advantage of that protection too. 

As the officials made their announcement Thursday, a bipartisan group of senators announced the EARN IT Act. The legislation , which stands for Eliminating Abusive and Rampant Neglect of Interactive Technologies, looks to revoke Section 230 immunity for platforms that don't comply with guidelines, which could include bypassing encryption for public safety purposes. 

The announcement of the voluntary principles was focused on preventing online child sexual exploitation, which governments argue thrives on encryption.
"They communicate using virtually unbreakable encryption," Barr said at the press conference. "Predators' supposed privacy interests should not outweigh our privacy and security. There is too much at risk."

The fight over encryption

The US government has a long history of battling tech companies over encryption -- famously taking on Apple in 2016 after the tech giant refused to create tools that would unlock an iPhone belonging to terrorists. 

The government's argument against encryption stems from how the security technology can hinder its investigations. When messages, phone calls and devices are encrypted, that prevents law enforcement from gathering evidence or keeping an eye out for potential threats.

But the same encryption that law enforcement argues protects criminals also protects the vast majority of people online. Your data is secured through end-to-end encryption, which means, for instance, that when thieves steal your phone, they can't easily access your credit card or health information.

Watch this: Tech companies adopt online child protection guidelines, but not on encryption

Encryption also prevents oppressive government regimes from spying on their citizens, as well as tech giants from accessing protected data. 

The federal government has argued that it doesn't want to end encryption that protects the average person, and instead wants "lawful access." The concept would mean creating a technical opening, or backdoor, that only law enforcement could use in investigations -- something cryptography experts have long argued is impossible

Tech companies like Apple, Facebook, Google and Microsoft agree with those experts and have refused to create backdoors to their encryption protocols. They've warned that if they're forced to create such openings, it would essentially weaken security for everyone by creating an unlock tool that could fall into the wrong hands. 

But the tech companies may not have a choice for long. Countries like Australia have passed laws on encryption, while lawmakers in the UK urged similar action. At Thursday's press conference, UK Security Minister James Brokenshire said privacy concerns must be "balanced against the safety of our children," calling encryption "the elephant in the room."

In the US, lawmakers have warned the likes of Apple and Facebook that if they can't reach a compromise with the Justice Department, then legislation will come along to require the companies to bypass their own encryption.

'Tech companies need to do better'

The EARN IT Act was introduced by Sen. Lindsey Graham, a Republican from South Carolina, and Sen. Richard Blumenthal, a Democrat from Connecticut, and has a scheduled hearing in front of the Senate Judiciary Committee on March 11. 

"Simply put, tech companies need to do better," Blumenthal said in a statement. "Tech companies have an extraordinary special safeguard against legal liability, but that unique protection comes with a responsibility."

Section 230 is an important component of the Communications Decency Act of 1996, which protects online platforms from being held liable for what their users post. If someone posts hate speech on Twitter, for example, that person and not Twitter is legally responsible for damages. 

The draft bill is centered on protecting children online from sexual predators, which aligns with the Justice Department's latest anti-encryption efforts. Barr alluded to the bill during the press conference.

"We are also addressing child exploitation in our efforts on retaining lawful access and in analyzing the impact of Section 230 of the Communications Decency Act on incentives for platforms to address these crimes," Barr said.

The bill faces criticism from privacy advocates, as well as from Sen. Ron Wyden, a Democrat from Oregon. Wyden warned that the bill threatens free speech, security and privacy without solving the problems it's intended to. 

"This terrible legislation is a Trojan horse to give Attorney General Barr and Donald Trump the power to control online speech and require government access to every aspect of Americans' lives," Wyden said in a statement. "It is a desperate attempt to distract from the Justice Department's failure to request the manpower, funding and resources to combat this scourge, despite clear direction from Congress more than a decade ago."

Facebook has laid out plans to encrypt its messaging services, which the Justice Department and child protection organizations warn would protect child predators online. 

The social network plays a major role in reporting child exploitation cases, providing 16.8 million reports to the US National Center for Missing and Exploited Children in 2018. Government officials are concerned that if messages are encrypted, Facebook wouldn't be able to provide the same amount of evidence for investigations.  

"Plans to encrypt this service," Brokenshire said, "would leave you blind to the same crimes, blind to the same abuse."

Watch this: California's new privacy law: Everything you need to know