This post was originally published on August 20, 2020.
Riana Pfefferkorn is the associate director of surveillance and cybersecurity at Stanford’s Center for Internet and Society (CIS), a technology law and policy program at the Stanford Law School.
Her work explores the intersection of new technologies and the legal frameworks that support it, and aims to address questions pertaining to free speech, innovation, privacy, public commons, diversity, and scientific inquiry.
[Want more interviews with prominent privacy advocates? Sign up for the ExpressVPN newsletter.]
ExpressVPN recently had the chance to talk to Pfefferkorn to discuss issues such as the much-maligned EARN IT Bill, walled-off internets, outsized tech companies, her own interest in internet legislation and privacy, as well as the chance of a federal data privacy law in the U.S.
Here’s what she had to say.
Answers were provided by email.
1) The EARN IT bill is scheduled to be presented in front of the U.S. Senate soon. If this piece of legislation becomes part of U.S. law, what ramifications do you see for the internet and communications platforms in the medium to long term?
I think the ramifications will be felt not just in the U.S. but globally. Most of the world’s major providers of online services are American, meaning they will obey U.S. laws; when they change their products to comply with U.S. law, they will likely apply that change worldwide.
I anticipate that we will see something similar to the reaction by providers after FOSTA passed into law in 2018: mass censorship of users’ voices, the removal of entire sections of websites/services or removal of entire features, restrictions on users’ ability to communicate with one another (especially adult users with users under 18). We can anticipate that the brunt of this censorship will—as usual—fall on marginalized voices, such as LGBTQI+ people and sex workers. Online free speech will be harmed yet again.
2) The Trump administration has been on a warpath against encryption in general, advocating for backdoors and greater access for law enforcement. Do you believe that this is a reflection of the current zeitgeist against tech companies in general or restricted to his administration’s agenda? Given that this is an election year, do you think a change in government might herald a new approach?
This administration, with its emphasis on “law and order” and strongman attitudes, is very much on the side of the law-enforcement agencies, who are anti-encryption. Also, this president does not listen to the advice of U.S. intelligence agencies, who tend to be very dead set against encryption backdoors. Being more willing to listen to law enforcement and less willing to listen to the intelligence community means that the administration is far more receptive to a pro-backdoor agenda than the previous administration (which never really took a strong stance either way, despite having eight years to figure it out).
I don’t think we would necessarily see a Democratic president be super pro-encryption, though. Being anti-encryption is a bipartisan issue, and Joe Biden has said he believes Section 230 (at which EARN IT is aimed) should be repealed. So the issue isn’t going to go away even if there is a change of administration in January. And the fact that we’ve spent the past four years with such an encryption-hostile administration means that the Overton window has shifted to make it harder for Biden, who would likely be a pretty centrist president, to reverse course against the prevailing trends of the past four years and come out strongly pro-encryption.
I have written extensively about how EARN IT is just a way for law enforcement to capitalize on popular antipathy towards tech companies in order to achieve the unrelated goal of encryption backdoors and greater surveillance powers. Part of the reason why everyone is so mad at tech companies is because the 2016 election came out the way it did, because big tech companies—particularly Facebook—are viewed as having played a role in causing that result. So, perversely, the administration is capitalizing on the popular anti-tech zeitgeist that its very existence helped to create.
But I don’t think that the anti-tech attitude is going to vanish overnight, either, if we see a change in government in January. The debate over Section 230, and the encryption debate, will continue regardless.
3) What are the greatest threats to free speech and digital rights in the coming years, and what can ordinary netizens do to prevent that from happening?
I foresee the further splintering of the internet into multiple regional “internets.” The EU, Russia, and China are already moving in the direction of having their own internets.
We’re used to the internet as mostly created by the US, but that US-created internet is going away. Different regions will exercise more and more control over what the internet looks like in their jurisdiction, replacing the open, decentralized internet we are used to.
At the same time, countries around the world are retreating from democratic values. Increasing governmental control, regionalization/splintering, and rising censorship all will combine to threaten free speech and the ability of people in different parts of the world to freely exchange communications and ideas with each other.
I think people can both speak up to their governments and speak out against bills such as the EARN IT Act (or whatever the local equivalent might be in your country) while also figuring out how to use censorship-resistant tools, whether it’s VPNs, the Tor browser, end-to-end encrypted chat apps such as Signal, etc.
4) Can you tell me a little bit about your work at the Center for Internet and Society at Stanford? What made you interested in digital privacy law in the first place?
My work at CIS is primarily focused on encryption policy and law, mostly in the U.S. but also as the issue comes up in other countries, such as Australia, as well. I also work on related issues about government surveillance—such as how governments hack people’s browsers or devices, or pay third parties (such as NSO Group) to do so.
And then another strand of my work has been to try to shed greater light on secret court efforts by the U.S. government to undermine encryption or grab more surveillance authority. I got into this field because I volunteered at the Electronic Frontier Foundation way back when I was still a college student, and I found what they did to be really inspiring. I decided to go to law school, with the goal of pursuing a career at the intersection of technology and civil liberties. Now, that’s exactly what I get to do every day. I am so grateful to be at CIS and to get to work on these critically important issues.
5) We’re in the age of surveillance capitalism, and platforms with a critical mass of data have built enough moats to crowd out any challengers. Do you ever see this changing? How can we truly regain our data, and by extension, our privacy?
Honestly, I think the EU has been a leader here. Instead of the contractual, transactional conception of privacy that dominates in the US and thus dominates the internet we’ve known so far, the EU has conceptualized privacy as a fundamental right and, by passing the GDPR, has called American behemoths to account.
Similar efforts are underway in other populous nations such as Brazil. When these very populous regions with a ton of internet users decide to throw their weight around and force US companies to respect user privacy, they can make a real difference. Already we’ve seen California imitate the GDPR with its own version, and with California being the most populous state in the nation (and home to many major tech companies), it, too, can make a big difference by throwing its weight around. We aren’t there yet but I do believe in the power of regulators to make a difference. The question is whether they will be making a positive difference in privacy while also making a terribly negative difference in terms of freedom of expression.
6) What do you think about the future of internet privacy and security? On the one hand, places like the EU and Brazil are refusing to cave to the demands of tech companies and increasingly recognizing the importance of anonymization. The U.S., however, does not have a federal data privacy law, and this is unlikely to change anytime soon. What’s the endgame here?
The U.S. has been in a downward spiral of abdicating its traditional role of leadership and authority on the world stage. GDPR is an example: We invented the internet! We should have been the leaders on internet privacy! But we let Europe do it instead. (Granted, GDPR was in the works well before the current administration took office.)
I think this trend—of letting someone else call the shots—will only continue. I believe that EARN IT and other anti-big tech bills are stand-ins for Congress’s total inability to get its act together. They can’t seem to pass a comprehensive federal data privacy law or put teeth back into U.S. antitrust law (which has been getting intentionally weakened over recent decades), so they’re going after Section 230 instead, even though that is obviously the wrong tool to address problems about privacy and competition. So I won’t hold my breath for a federal data privacy law.
I also think that security will continue to be pulled in two different directions: As long as there continue to be stupid anti-encryption bills such as EARN IT, we can’t rest easy that U.S. law will really value and safeguard cybersecurity.
But at the same time, regulators at the state and federal levels have increasingly been exercising their authority to penalize companies for poor data security.
Companies are going to be in a real bind if they are expected to secure user data on the one hand but insert backdoors on the other. It’s a foreseeable and avoidable conundrum. Meanwhile, the Covid-19 epidemic has forced us to live far more of our lives online, throwing into sharp relief the overwhelming importance of cybersecurity. That all gives me some hope that Congress will come to its senses on security and that backdoor bills like EARN IT won’t pass. Hopefully that’s not too optimistic.
Comments
I wholly agree with Howard ^^. This article is noticeably politically motivated. While we all can advocate for internet privacy, free speech, and end-end encryption, this article fails to provide a clear and technical viewpoint of the subject matter. For an article supposedly focused on threats to free speech on the internet, the author fails to mention the assault on free speech perpetrated by big tech (primarily against conservative voices). Google has outright expressed its skepticism towards free speech by claiming it has become a “social, economic, and political weapon.” This is just as important to the future of civil liberty in America. as back doors and government surveillance.
I really smell something bad lying in the road ahead with all the relatively sudden urgency for legislation like this ‘earn-it’ bill to ‘authorize’ back door access for law enforcement usage? They’ve already been doing it for years just because they can. When they run into some advanced form of encryption they bring in their friendly Israeli hackmasters to bust the lock and find everything they need to know. An agent once told me that a search warrant only really has to describe the place or what is to be searched, and what they are looking for? In matters of relative national security in active pursuit of bad actors intent on performing bad acts on U.S. soil, these standards are even less restricted in general context for pragmatic purposes. The warrant doesn’t really specify the physical methodology for the search. For instance with drugs, the police can choose to use body cavity searches, drug sniffing dogs, or wall penetrating radar? Whose going to complain about ‘illegal’ methods of searching when the results of the search were instrumental in preventing a terrorist act? Naturally, these tactics eventually become a breeding ground for abuse. A few years ago when drones were starting to become tools of police, There was a county Sheriff in N or SD I believe, who made a public statement over concerns of privacy rights being violated by random warrantless fly over searches in his venue, and his reply to the press was something like, That’s how I would get the probable cause to do a raid and search, by using the drone to see something suspicious on someone’s back porch. (of course the FBI has been doing exactly that type of warrantless aerial surveillance with ‘special’ cameras for years with their own dedicated fleet of small aircraft, and of course now small drones. (We still don’t know ‘who’ was behind that mysterious huge swarm of drones over Nebraska not too long ago that was documented on video and witnessed by officials)
I think the ‘authorities’ are really worried about beefed up Privacy laws-when enough people start to become angry enough about it- emerging that simply shut off their reckless unwarranted privacy violation of the 1st/A AND 4th/A with random or algorithm focused surveillance on people’s private internet communications and business. So they want to preclude that eventuality before the public wakes up and does something about it by exempting themselves from punishment for violating the Constitution any time they feel like it. Because ‘They’ know they can never help themselves from abusing their authority. It’s the nature of the beast. They have absolute power, and as we know from history, absolute power ALWAYS absolutely corrupts. Especially with nobody or nothing to regulate them. except themselves. By the way, What they are doing is a crime. 18 USCC 240-241 . They cannot deprive you of your right to privacy or any Constitutional right,even under color of law… But this is the most ‘un-prosecuted’ crime out there.
Great Article Ms. Riana. You are a true Champion of Liberty!
As a technologjst, with over thirty years experience in computers and security, I agree with some of the sentiment in this article. However, I think that the lead-off discussion regarding president Trump is merely a lightly veiled, and unjustified political attack, consistent with the so-called Trump Derangement Syndrome (TDS).
Instead of presenting more substance, and unbiased recommendations, the author or the editor has chosen to use it as vectored attack.
The author’s, or again the editor’s, political persuasions should not be given such prominence in a supposedly technical forum.
Howard A Higgins is right on the mark.