Benjamin Wittes over at Lawfare has posted a particularly silly idea for forcing vendors to install encryption backdoors: simply withdraw CDA §230 protection from any company that does not provide an unencrypted copy of any data they carry. The CDA (Communications Decency Act) protection Wittes is talking about is the law that says a service that merely carries data from third parties cannot be held civilly liable for that content. Why shouldn’t the government, Wittes asks, condition its ‘great gift’ to service providers on their willingness to assist the government with decryption?
In the first place, it’s hard to see how saying “you’re not responsible for what someone else does” can be characterized as “a great gift from the government.” Secondly, it shows an astounding ignorance of who the players are and how they depend on §230.
Robert Graham has a splendidly entertaining rant explaining why this is just nonsense by someone who doesn’t understand the Internet or crypto. Graham certainly knows about the Internet and crypto but maybe he’s wrong about the law.
But no, not even Wittes’ co-bloggers are buying his ideas. Nicholas Weaver takes to Lawfare to describe in detail why Wittes is wrong and his ideas won’t work. Companies like Apple—one of the major targets of those pushing for backdoors—carry virtually no third-party data and do not depend on §230. Companies like AT&T that do depend on it have nothing to do with the encryption that law enforcement is concerned about.
Sadly, Wittes’ argument is typical of those advocating backdoors: it reveals that he doesn’t understand crypto, how it’s used on the Internet, or by whom.