Each Day I’m Kerfufflin’

Kerfuffles come and kerfuffles go in the world of national/international social media law, but (at least until recently) proposals on social media law have been mostly smoke and no fire since the SOSTA/FESTA Law in 2018.

2021 may prove to have some actual changes, though. The American government may have finally gained enough steam (and bipartisan interest) to do something regarding Section 230 of the Communications Decency Act, although it’s not entirely clear what practical changes will result from rhetoric supporting its revocation.

More practically, the EU is getting very antsy about breaking end-to-end encryption. There have been non-binding resolutions! There has been lobbying! Celebrities have been involved! In November, I noticed an interesting flare-up of fears regarding the EU that relate to the complications of how to read a technical genre, so of course I got very excited. The report in question that made many people nervous about the EU’s flagging commitments to security is a feasibility report regarding different technical ways to try to get around encryption. The whole premise of the feasibility report is unpleasant, which is where a lot of the anxiety seems to come from.

However, the report itself is literally just the feasibility of various approaches on a bunch of different vectors (effectiveness, feasibility, privacy, security, transparency, and overall). The final table decides that “encrypted communication with exceptional access” is such a bad idea that it is not applicable to the conversation. It literally gets a score of N/A, not even a single star on a five-star scale. Thus, the report does not suggest true backdoors as an option; it actually does not even consider them as gradable.

This report does not recommend backdoors, even though if you read part of the way through, it discusses backdoors in frank and plausible language. That’s because for a feasibility report to do its job, it has to assess how feasible things are individually and then make assessments. Even if the authors of this report were adamantly opposed to encryption, it would defeat the purpose of the feasibility report to not report whether this idea was possible. Giving a clear-eyed assessment of this individual tactic’s feasibility actually helps the credibility of the authors later when they give no rating at all for feasibility: it allows the authors to say “We looked at it as charitably as possible, and it’s still absolutely a no-go.” However, if one zeroes in only on the section discussing the feasibility of “exceptional access” without reading the conclusion, one could draw a very scary (although inaccurate) conclusion. Genres have conventions, and social media reportage is somewhat difficult on those genre conventions.

However, there are eight other discovery methods that range from “kind of invasive” to “completely invasive.” Even if it’s not a true backdoor, a suggested tactic called client-side scanning is massively invasive. Being a form of warrantless dragnet, it is almost certainly illegal in the US–but as Snowden pointed out, agencies in the US would probably try to use it until it is proven to them that what is legal in the EU may be illegal in the United States.

There was also a draft resolution that went along with the report. (I told you things are getting antsy!) The draft resolution is a call for more research, cooperation, and policy-making surrounding the “clear need to review the effects arising from different regulatory frameworks in order to develop further a consistent regulatory framework across the EU that would allow competent authorities to carry out their operational tasks effectively. Potential technical solutions will have to enable authorities to use their investigative powers which are subject to proportionality, necessity and judicial oversight under their domestic legislation, while upholding fundamental rights and preserving the advantages of encryption.” So there is absolutely no mandate in the draft report, and they want to balance the needs of encryption vs the needs of law enforcement.

Nonetheless, the headline of the (now-adopted in modified form) resolution is ominous: “Security through encryption and security despite encryption.” The resolution also notes that “the EU will leverage its tools and regulatory powers to help shape global rules and standards,” which is also not the greatest thing to hear.

So: kerfufflin’. While these kerfuffles are not thrilling, the situation is not quite as dire as the worst reading–or as positive as the best reading. This is, instead, a thing to watch.