The department’s voluntary principles and new legislation leave encryption in question.
The Justice Department last week released 11 “voluntary principles” to counter online child sexual exploitation in collaboration with top tech companies and leading senators introduced bipartisan legislation to establish a national commission on the prevention of such crimes.
Neither initiative explicitly mentions the word “encryption,” but both stirred longstanding debate on the issue.
“Encryption remains the elephant in the room,” said James Brokenshire, the United Kingdom’s minister of security.
Brokenshire spoke during a press conference at the Justice Department Thursday along with Canadian Minister of Public Safety and Emergency Preparedness Bill Blair, Australian Minister for Home Affairs Peter Dutton and New Zealand Minister of Internal Affairs and Children Tracey Martin.
Their countries are members of the Five Eyes intelligence-sharing pact with the U.S. Justice hailed the event surrounding the principles—which Facebook, Google, Microsoft, Roblox, Snap and Twitter endorsed—as a historic one for fighting child sex exploitation.
“Last year, Facebook identified around 12 million incidents of child sexual exploitation and abuse on Messenger, something that I absolutely commend them for doing,” Brokenshire said. “Yet, plans to encrypt this service would leave you blind to the same crimes, blind to the same abuse, sending predators back into the shadows, back into the darkness, protected from the [artificial intelligence] advances that could expose them and call them out.”
Attorney General William Barr and Department of Homeland Security Acting Secretary Chad Wolf also delivered remarks, describing “warrant-proof encryption” as an impediment to tracking down purveyors of child pornography and related criminals.
“We recognize encryption as an essential cybersecurity tool in the hands of the right people,” Wolf said. “But like any tool, it can be abused.”
As the Justice Department document says, the principles released Thursday “are intended to provide a consistent and high-level framework for industry actors that is flexible and can be applied across different services.”
Principle 10, for example, states: “Companies support opportunities to share relevant expertise, helpful practices, data and tools where appropriate and feasible.”
That leaves sufficient room for tech companies to maneuver.
“We believe companies and governments can work together to keep children safe online while still protecting people’s privacy and continuing to secure their messages with encryption,” a Facebook spokesman told Nextgov.
And in Congress
Sens. Lindsey Graham, R-S.C., Dianne Feinstein, D-Calif., and eight others emerged as leading champions of the Justice department’s efforts by introducing legislation on the issue Thursday.
Their bill, the Eliminating Abusive and Rampant Neglect of Interactive Technologies, or EARN IT, Act would make the attorney general chair of a new commission for establishing “best practices” for the prevention of online child sex exploitation.
The commission’s best practices would address areas such as the “retention of evidence and attribution or user identification data relating to child exploitation or child sexual abuse, including such retention by subcontractors.”
Again, the bill does not mention the word “encryption,” and in fact, it instructs the commission to “consider the interest of providers of interactive computer services in providing customers with quality products, data security, and privacy."
But the legislation gives the attorney general the power to approve the best practices and to investigate and determine whether companies that say they’re adhering to the best practices are doing so.
“It shall be unlawful for an officer of a provider of an interactive computer service to knowingly submit a written certification...that contains a false statement,” the bill reads, noting any person in violation shall be fined, imprisoned or both.
It’s unclear what the best practices would look like, but the bill drew the ire of a broad swath of entities including the tech companies they target and privacy advocates such as the American Civil Liberties Union, which feared it would threaten the use of encryption.
The measure “would lead to a ‘backdoor’ in encrypted services, thereby jeopardizing the security of every individual,” the ACLU wrote. “Technology experts and civil society organizations have repeatedly warned that backdoors could be exploited by bad actors and that no backdoor could guarantee only law-abiding officials have access.”
“This terrible legislation is a Trojan horse to give Attorney General Barr and Donald Trump the power to control online speech and require government access to every aspect of Americans' lives,” Sen. Ron Wyden. D-Ore., said in a press release Thursday.
The tech companies also have a business interest in preserving their ability to offer encryption to consumers. They argue, if they don’t, U.S. commerce could be in jeopardy as consumers would turn to companies in other international jurisdictions.
“There's three legs to the stool, so you have a Justice Department, and you have a court system, and you have the owners of the technology. You're not going to have all those people be the same entity,” Sen. Maria Cantwell, D-Wash., ranking member of the Senate Commerce Committee, told reporters Wednesday.
She said she would be taking a look at the EARN IT Act.