
Florida Fails To Pass Bill Requiring Encryption Backdoors For Social Media Accounts (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: A Florida bill, which would have required social media companies to provide an encryption backdoor for allowing police to access user accounts and private messages, has failed to pass into law. The Social Media Use by Minors bill was "indefinitely postponed" and "withdrawn from consideration" in the Florida House of Representatives earlier this week. Lawmakers in the Florida Senate had already voted to advance the legislation, but a bill requires both legislative chambers to pass before it can become law.

The bill would have required social media firms to "provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena," which are typically issued by law enforcement agencies and without judicial oversight. Digital rights group the Electronic Frontier Foundation called the bill "dangerous and dumb." Security professionals have long argued that it is impossible to create a secure backdoor that cannot also be maliciously abused, and encryption backdoors put user data at risk of data breaches.

  • by rsilvergun ( 571051 ) on Friday May 09, 2025 @05:31PM (#65365065)
    I don't look at this as failing to pass the law but succeeding in soliciting bribes from social media companies!
    • I don't look at this as failing to pass the law but succeeding in soliciting bribes from social media companies!

      That'd certainly be on-brand for Florida. I'd been trying to figure out why the EV registration tax failed too, and that's probably also the reason - some of our lawmakers got a nice "gift" from a certain tech mogul who might finally be a little worried that his cars aren't selling as well as they used to.

      Florida never does the right thing just because it's the right thing to do. Even when they do the right thing, it's usually motivated by the wrong reason (such as finally addressing Disney's excessive au

  • by fahrbot-bot ( 874524 ) on Friday May 09, 2025 @05:33PM (#65365079)

    Security professionals have long argued that it is impossible to create a secure backdoor that cannot also be maliciously abused, ...

    I can easily imagine that was the (unspoken) intent of the bill.

    • Security professionals have long argued that it is impossible to create a secure backdoor that cannot also be maliciously abused,

      Just to play devil's advocate, those security professionals are being a bit disingenuous every time they make that claim. There is no backdoor into cryptocurrency's encryption and coins still manage to be stolen. Encrypted security is only as strong as the care taken to safeguard the private key, and as crypto "heists" have proven, it is entirely possible to gain access to something you shouldn't without actually compromising the encryption itself.

      They're not doing anybody any favors by acting like lawmak

      • by Sique ( 173459 )

        Just to play devil's advocate, those security professionals are being a bit disingenuous every time they make that claim. There is no backdoor into cryptocurrency's encryption and coins still manage to be stolen. Encrypted security is only as strong as the care taken to safeguard the private key, and as crypto "heists" have proven, it is entirely possible to gain access to something you shouldn't without actually compromising the encryption itself.

        This is not playing devil's advocate, this is whataboutism. Even more so, it proves the point of the security professionals. If we can't even make something designed not to have backdoors safe enough to prevent unauthorized access, how much more insecure is something which should be designed to have an obvious and an obscure access? Now we have to fight off even more attack vectors, and apparently, we aren't perfect in it.

        • My point is, "it is technically not possible without compromising the algorithm" is a disingenuous argument every time it is made, and it disregards the fact that lawmakers simply don't care what is or is not technically possible. Look at Florida's age verification laws for adult content. It's an absolute mess, but did the lawmakers consider that? Nope, they signed the bill into law and then it's up to the industry to figure out how they can comply with it.

          If your entire argument is that it's not technic

      • Cryptocurrencies were not designed to be theft-proof - that was not part of the threat model. In fact that would be antithetical to the goal of designing a non-reversible bearer token.

        And "safeguarding the private key" - well, yeah, that's important, but that's hardly the only important thing. Cryptosystems leak for all sorts of reasons, and incompetence with keys is just one of many, many failure modes. Hell, that's just one of many failure modes considering only key management.

        The claim "professionals

  • by phantomfive ( 622387 ) on Friday May 09, 2025 @05:40PM (#65365095)
    Someone (that I know) recently asked me for my social security number over text message. Of course I said no, since that's not a secure channel of communication.

    PKI solves all of these problems. The reason we don't use PKI is because the UI is difficult. The UI is difficult because governments keep working to prevent strong encryption from happening. For example, the browser certificate problem is easily solved by having a public key DNS entry. But we don't do that.
    • > the browser certificate problem is easily solved by having a public key DNS entry.

      As secure as your DNS server, I suppose. I'm no encryption expert, but it seems it'd be easier to take control of your domain if all I had to do was get a registrar to repoint your DNS instead of having to also compromise a separate entity that provides encryption certificates.

      • A problem worth mentioning, but the only thing added to DNS is the public key. So if DNS is hijacked, I encrypt a message with that fake public key and send it to you, then you can't read it. That's it. We know something weird is going on.

        If we're doing a manual conversation I can just use shared contextual knowledge to authenticate (what did we have for dinner last night? or something similar). Or send you a text message via a separate channel (your phone number). Automated authentication is trickier of [xkcd.com]
      • PKI infrastructure is more than just DNS.

        For example, your addressbook SHOULD have an entry for "public key[s]" (or encryption key or whatever). Then you can import the public key from a text message, or from a twitter message, or a QR code on a business card, or any other way that you get people's email address and phone number.

        OSX has some infrastructure for handling encryption keys that is worth mentioning because it is featureful, but it's not quite user friendly yet, and hasn't been integrated into
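The subthread above argues over publishing a public key in DNS, what a registrar-level hijack of that record can and cannot achieve, and why an out-of-band check (address book entry, business card QR code, a text message on a separate channel) closes the gap. The following is an added example written for this page; it is not code from any of the posters, TechCrunch or Slashdot. It assumes a toy Diffie-Hellman group over the Mersenne prime 2^127-1 (constructed, far too small for real use), a dictionary standing in for DNS, and hypothetical names `send_to`, `receive` and `run_demo`. The "address book" holds a pinned key fingerprint, which is exactly the shared-contextual-knowledge / separate-channel verification the replies describe.

```python
"""Public key distributed through a DNS-like record, with a pinned fingerprint
check before the key is trusted. Toy cryptography, for illustration only."""
import hashlib
import hmac
import secrets

# Toy DH parameters (constructed). Real systems use standardised groups or
# X25519; this prime is tiny and exists only so the example runs offline.
P = 2**127 - 1
G = 3


def keygen():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short hex fingerprint a human can read off a card or compare over SMS."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def shared_key(priv, peer_pub):
    """Derive a 32-byte symmetric key from the DH shared secret."""
    s = pow(peer_pub, priv, P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def _keystream(key, nonce, n):
    """SHA-256 in counter mode as a stand-in stream cipher (toy)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Return the plaintext, or None if the tag fails (wrong key, tampering)."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def send_to(dns, name, pins, message):
    """Look the recipient's key up in the DNS stand-in, but refuse to use it
    unless it matches the fingerprint pinned out of band in `pins`."""
    pub = dns[name]
    if fingerprint(pub) != pins.get(name):
        return None  # replaced key caught before anything leaves the sender
    eph_priv, eph_pub = keygen()  # ephemeral sender key travels with the message
    return eph_pub, encrypt(shared_key(eph_priv, pub), message)


def receive(recipient_priv, envelope):
    eph_pub, blob = envelope
    return decrypt(shared_key(recipient_priv, eph_pub), blob)


def run_demo():
    """Genuine record, then a registrar-level swap of the published key."""
    dns = {}  # constructed stand-in for DNS: name -> public value
    bob_priv, bob_pub = keygen()
    dns["bob.example"] = bob_pub
    pins = {"bob.example": fingerprint(bob_pub)}  # learned from Bob's card

    genuine = receive(bob_priv, send_to(dns, "bob.example", pins, b"meet at 6"))

    mal_priv, mal_pub = keygen()
    dns["bob.example"] = mal_pub  # hijacked record now serves Mallory's key
    caught = send_to(dns, "bob.example", pins, b"secret") is None

    # Sender with no pin (trusts DNS blindly): the message is encrypted to the
    # wrong key. Bob sees an undecryptable blob; only the key's owner can read it.
    blind = {"bob.example": fingerprint(mal_pub)}
    env = send_to(dns, "bob.example", blind, b"secret")
    return {
        "genuine": genuine,
        "hijack_caught": caught,
        "bob_reads_hijacked": receive(bob_priv, env),
        "mallory_reads_hijacked": receive(mal_priv, env),
    }


if __name__ == "__main__":
    print(run_demo())
```

The pin is what turns "something weird is going on" from a post-hoc observation into a check that fails closed: the registrar can repoint the record, but it cannot forge the fingerprint already sitting in the sender's address book.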
