If Congress Errs, Twitter Will Only Be the Beginning
Recently, hackers launched what appears to have been a coordinated phishing attack targeting Twitter employees. Within hours, the hackers gained control of the accounts of 130 prominent users, including Elon Musk, former President Barack Obama, and presidential candidate Joe Biden. Save for apparent heightened security protocols reserved exclusively for him, President Trump’s account might have been compromised too. Given the president’s penchant for making policy and diplomatic pronouncements via personal tweet, the consequences of this attack could have been dire.
Thankfully, Twitter’s hackers seem to be non-state actors, more interested in soliciting Bitcoin payments in the style of supposed Nigerian princes than disrupting American diplomacy, markets, or elections.
For years, there has been a steady, bipartisan drumbeat to weaken or entirely to eliminate encryption. This movement perhaps reached its peak in 2015, when Apple refused to aid the FBI in its attempts to access an iPhone owned by one of the perpetrators of the San Bernardino terrorist attack. The FBI ultimately abandoned its efforts to conscript Apple into its services once it discovered a private alternative to brute-force unlock the phone.
The current leading proposal—the EARN IT Act—originally sought to have tech companies “earn” vitally-important Section 230 liability protections by complying with “best practices” established via a national commission of government and private actors. An amended version of the Act no longer concerns itself with Section 230, but instead deputizes states to impose criminal or civil liabilities on companies that do not comport themselves with the commission’s “best practices.” As TechFreedom notes, “the revised bill could make it even easier to sue websites for offering strong encryption, for not age-verifying users, or for allowing adults to communicate with minors (even in the most innocent settings).”
Encryption is one of the most important, foundational elements of Internet communications and computing generally. It allows users to store and to send data—including medical records, financial transactions, private messages, and more—online, hidden from the gaze of state and private criminal actors. Encryption is what allows a college student’s parent securely to Venmo him grocery money. It’s also what empowers political dissidents to communicate with one another, as is the case right now in Hong Kong, safe from the prying eyes of authoritarian states.
Broadly speaking, various governments have proposed a “back door” to access encrypted data and devices in one of two ways: (1) compelling tech firms to create intentionally incomplete forms of encryption that they can subsequently breach; or (2) storing encryption keys on the firms’ servers that would allow the firms undetectable access to individual data or devices.
The drawbacks to the first approach are obvious. While encryption is, in truth, a never-ending arms race between tech firms and hackers, compelling tech firms to build deliberately incomplete methods of encryption would likely shift the balance of power to hackers and result in more frequent breaches of private financial, medical, and other sensitive information by hackers. Hackers win; consumers lose.
The second approach is what could have made the recent Twitter attack much worse. Imagine if, instead of the attack we witnessed, Russian hackers managed to obtain the private encryption keys for President Trump and Joe Biden’s Twitter accounts. Or imagine if a hostile entity conducted similarly successful phishing attacks on the employees of Schwab, Robinhood, and Vanguard, allowing them to steal access to the private keys for tens of millions of investors’ accounts, and consequently inflict chaos on American financial markets. The potential hypotheticals are endless.
Of course, outlawing a technology, particularly an Internet technology, is easier said than done. Clever businesses would merely offer services that are encryption services in all but name. On the Internet, businesses and consumers move far more rapidly than government agencies can follow.
There is a delicate balance between individual privacy and the ability of law enforcement to do its job. Indeed, banning front door locks would certainly allow the police to more easily enter crack dens. But this would also allow criminals to plunder the homes of the innocent. The digital analog of this simply cannot happen.
In the words of Benjamin Franklin, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”