
Lawmakers again want to advance the EARN IT Act. Cybersecurity experts still oppose it.

Good morning and happy Thursday! May the fourth be with you. (Sorry, I had to.) Now that we’ve gotten that out of the way, let’s talk cybersecurity. 


Below: The FTC wants Meta to stop monetizing young people’s data, and lawmakers re-up a satellite cybersecurity bill. First:

Lawmakers again want to advance the EARN IT Act. Cybersecurity experts still oppose it.

For years, many cybersecurity and privacy experts have criticized a bill aiming to curb child sexual abuse material (CSAM) online, arguing that it could also undermine end-to-end encryption.

Lawmakers are hoping the third time’s the charm. The Senate Judiciary Committee could consider the EARN IT Act as soon as this morning.

Proponents of the legislation — which has at least 20 backers in the Senate, including Judiciary Committee Chairman Dick Durbin (D-Ill.) and the committee’s top Republican, Sen. Lindsey Graham (S.C.) — maintain that legislation is needed to stop the spread of CSAM online. 

But cybersecurity advocates fear that such changes could prompt tech companies to stop offering end-to-end encryption for their users. Such encryption helps protect data from hackers, governments and other snoops. (Law enforcement officials have argued that cybercriminals also use end-to-end encryption to share CSAM and plan other crimes, and they’ve criticized tech companies’ efforts to expand their encryption offerings.)

Experts have long taken issue with how the bill treats encryption. Still, it has advanced through the Judiciary Committee twice in previous sessions of Congress.

  • Even after the bill’s sponsors previously added language to the legislation saying that encryption can’t be the sole reason for a company to be found guilty of knowingly letting CSAM stay on its platforms, around 80 percent of experts convened by The Cybersecurity 202 last year said they still opposed it.

The bill — which hasn’t been significantly changed since last year, when it advanced out of the Judiciary Committee — still faces vocal opposition from cybersecurity, LGBTQ+, technology, civil rights and other groups. Opponents say that while CSAM should be eradicated from the internet, this bill would backfire.

  • “The EARN IT Act would compromise the internet as we know it,” Jenna Leventoff, a senior policy counsel for the ACLU, said in a statement.
  • “Unfortunately, these bills threaten the privacy, security, and free expression of digital communications for all users, including children,” the Electronic Frontier Foundation said in a statement.

Sen. Ron Wyden (D-Ore.) has similar concerns. “Weakening encryption is probably the premier gift you could give to predators and god-awful people who want to stalk and spy on kids,” he said at a Wednesday event hosted by Fight for the Future, which also opposes the legislation. “It threatens the privacy and security of every single law-abiding American.”

And concerns around encryption “are even more heightened today” in the wake of the Supreme Court’s overturning of Roe v. Wade and recent state laws impacting LGBTQ+ rights, CyberScoop’s Tonya Riley reported last week.

Some academics also say that the EARN IT Act could pose a legal challenge, arguing that the Fourth Amendment’s protection against unreasonable government searches and seizures could be undermined by the bill. 

“If providers scan for CSAM due to government pressure rather than their own initiative, then what was once a voluntary private search becomes a warrantless government search that violates the Fourth Amendment,” Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory, recently wrote.

FTC proposes plan to prevent Meta from monetizing young people’s data

The Federal Trade Commission yesterday proposed a plan that would prevent Facebook parent Meta from profiting off data from people under 18 who use its platforms, our colleague Cat Zakrzewski reports. The FTC alleged the social media giant misled parents over what data is collected from users on its Messenger Kids app and that it continued to provide sensitive information to app developers after its Cambridge Analytica scandal, Cat reports.

  • “The agency is seeking to update a landmark 2020 privacy settlement with Meta, which it says the company has already violated,” Cat writes. “The $5 billion order required the company to keep close watch over how third-party companies accessed users’ data and submit to regular privacy audits.”
  • “Under the FTC’s new proposal, Meta would only be allowed to collect and use data about users under the age of 18 to provide services or for security purposes. It would not be able to use that data for commercial gain,” Cat writes.
  • Those rules would also apply to any Meta offering, including virtual reality. Meta has 30 days to respond to the plan.

Meta spokesperson Andy Stone called the move a “political stunt” and added that FTC Chair Lina Khan’s “insistence on using any new measure — however baseless — to antagonize American business has reached a new low.”

Amid a months-long slowdown on Capitol Hill in passing comprehensive kids’ safety and privacy bills, lawmakers this week reintroduced updated legislation aimed at bolstering audits against platforms that pose potential risks to children and preventing targeted ads from being delivered to their feeds.

Russian national charged in vast credit card fraud scheme

New York prosecutors unsealed an indictment against Russian national Denis Kulkov, who is charged with running a service to check the status of stolen credit cards that facilitated tens of millions of fraudulent card checks every year, AJ Vicens reports for CyberScoop.

  • The 43-year-old “is accused of operating Try2Check, a service criminals could use to verify whether stolen credit card numbers were still active and use to set prices for stolen credit card information,” Vicens writes.

The service was founded in 2005 and is estimated to have earned him $18 million in bitcoin transactions, according to authorities.

  • “Records obtained by investigators suggest Kulkov tried to set up systems to convert his cryptocurrency into fiat currency at a rate of $100,000 per month,” the CyberScoop report says.

Kulkov is still at large, and the State Department has posted a $10 million reward for information leading to his arrest.

Peters, Cornyn reintroduce satellite cybersecurity bill

Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and Sen. John Cornyn (R-Tex.) reintroduced legislation yesterday that would direct the Cybersecurity and Infrastructure Security Agency (CISA) to shore up cybersecurity protections for satellite owners and operators.

  • “The Satellite Cybersecurity Act will require CISA to consolidate voluntary satellite cybersecurity recommendations — including guidance specifically for small businesses — to help companies understand how to best secure their systems,” the senators said in an announcement for the bill.
  • CISA would also need to develop a public resource online to ensure companies can access information on how to protect their satellite infrastructure.

Similar legislation was introduced last Congress. The bill’s reintroduction comes amid growing interest in satellite cybersecurity, The Cybersecurity 202 previously reported.

The successor organization of the congressionally backed Cyberspace Solarium Commission has also recommended the federal government label space systems as critical infrastructure.

City of Dallas hit by Royal ransomware attack impacting IT services (Bleeping Computer)

Former Uber security chief to be sentenced for federal crimes (Wall Street Journal)

The ultimate guide to managing your passwords (By Tatum Hunter)

Twitter won’t make government agencies, public services pay for automated tweets (Axios)

When it comes to online scams, ‘ChatGPT is the new crypto’ (CyberScoop)

Google accounts can now be passwordless (The Verge)

Companies need a wakeup call to fix chronic security shortcomings, cyber experts say (Cybersecurity Dive)

Fight against ransomware follows government recommendations (Bloomberg News)

FCA contacts Capita’s clients over cyberattack (Financial Times)

  • CDM Media convenes its CIO/CISO Public Sector & DC Summit at 9 a.m.
  • Jen Easterly; Gen. Paul Nakasone, who leads the National Security Agency and U.S. Cyber Command; and other cyber and national security officials speak at the Vanderbilt University’s Modern Conflict and Emerging Threats summit beginning at 9 a.m.
  • Director of National Intelligence Avril Haines testifies to the Senate Armed Services Committee about worldwide threats at 9:30 a.m.
  • Brian Peretti from the Treasury Department speaks at a George Mason University event on cybersecurity threats to the U.S. financial system at 1 p.m.

Thanks for reading. See you tomorrow.
