Richard Blumenthal, the US senator sponsoring a bill that critics say will limit the use of encryption, is calling for an investigation of video-conference provider Zoom, in part over its false claim it offered… end-to-end encryption.
The Connecticut Democrat is a sponsor of the EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act bill that would create incentives for companies to make changes to their platforms. In return, the companies would receive liability protections for any violations of laws related to online child sexual abuse material. Critics of the proposed law, who include the Electronic Frontier Foundation and Sen. Ron Wyden (D-Ore.), say it’s a Trojan horse designed to allow the government to weaken end-to-end encryption. A Blumenthal representative disagrees with the characterization and says the bill doesn’t hamper encryption.
A pattern of privacy infringements
Citing a “pattern of security failures & privacy infringements,” Sen. Blumenthal on Tuesday called for the FTC to investigate Zoom. Chief among cited privacy infringements is the claim on the Zoom website that meetings were end-to-end encrypted, meaning video, audio, and text was encrypted at all times in transit and couldn’t be decrypted by Zoom or anyone else, other than conference participants. A post published last week by The Intercept reported that Zoom meetings, in fact, used what’s usually called transport encryption, which allows Zoom to decrypt meeting data.
Researchers from Citizen Lab, the University of Toronto group that investigates security and hacking, further reported serious weaknesses in Zoom’s encryption regimen. One flaw was that Zoom “rolled its own” encryption scheme, meaning it used custom algorithms rather than standards that had been widely tested over years. Another flaw: the company’s use of servers located in China to route meetings for North American participants and distribute encryption keys.
Blumenthal on Tuesday wrote: “The facts & practices unearthed by researchers in recent weeks are alarming—we should be concerned about what remains hidden. As Zoom becomes embedded in Americans’ daily lives, we urgently need a full & transparent investigation of its privacy & security.”
The facts & practices unearthed by researchers in recent weeks are alarming—we should be concerned about what remains hidden. As Zoom becomes embedded in Americans’ daily lives, we urgently need a full & transparent investigation of its privacy & security.
— Richard Blumenthal (@SenBlumenthal) April 7, 2020
While Tuesday’s tweets don’t explicitly refer to Zoom’s encryption transgressions, Blumenthal addressed them directly last week when he penned a letter to Zoom CEO Eric Yuan. His tweet accompanying the letter included a link to The Intercept article.
Millions of Americans are now using @zoom_us to attend school, seek medical help, & socialize with their friends. Privacy & cybersecurity risks shouldn’t be added to their list of worries. I’m calling for answers from Zoom on how it handles our private data. https://t.co/CEg1P3T3S1 pic.twitter.com/Vl9XyvxZjb
— Richard Blumenthal (@SenBlumenthal) March 31, 2020
“Despite claims in security papers and advertisements that Zoom offers end-to-end encryption for its meetings, technical analysis from The Intercept found that it does not protect the privacy of communications using this form of encryption,” Blumenthal wrote in the March 31 letter. “Zoom users deserve clear and correct answers about how it protects the safety of its users and meetings.” Blumenthal went on to request Zoom to describe when end-to-end encryption is available and how personal data is encrypted.
Watering down encryption
The EARN IT act would designate a commission that would develop “best practices” for Internet services to prevent online child exploitation. Sponsors introduced the bill after US Attorney General William Barr has repeatedly called for encryption backdoors to keep law enforcement from going dark. Riana Pfefferkorn, the associate director of surveillance and cybersecurity at Stanford Law School’s Center for Internet and Society, has said the best practices are “pretty much up to the AG to determine.” Previously, the group has said the bill is an attempt to “ban end-to-end encryption without actually banning it.”
The EFF, meanwhile, has said that the commission, which currently numbers 19, would be “dominated by law enforcement agencies” that have repeatedly urged tech companies to weaken encryption and implement the same backdoors Barr has demanded.
In an email sent after this post went live, a Blumenthal representative wrote: “The EARN IT Act does not restrict, inhibit, or bar encryption, so there is no contradiction between Senator Blumenthal’s authorship of this bill and his letter to Zoom—or his many decades of work on behalf of consumer privacy and cyber security issues. Senator Blumenthal made this point specifically and repeatedly during the EARN IT Act hearing.”
The representative also took issue with the claim that the attorney general can pretty much determine the best practices. Instead, the representative said, the “attorney general, the FTC Chair, and the Secretary of Homeland Security have the ability to reject the commission’s proposed best practices but not to write or rewrite the rules.”
The representative also disputed the EFF’s position that the commission membership would be dominated by law enforcement agencies. Instead, she said, commission appointees would include “survivors of online child sexual exploitation; constitutional law, privacy, and consumer rights experts; computer scientists and cryptography, data security, or artificial intelligence experts; and yes, representatives from law enforcement who have experience working with survivors of online child sexual exploitation or prosecuting those cases.”
By definition, end-to-end encryption can’t have backdoors. Based on critics’ characterization, Sen. Blumenthal seems to want things both ways—end-to-end encryption to protect Zoom users and, at the same time, a law widely believed to be an attempt to undermine it.
Post updated to add comment from Sen. Blumenthal’s office.