Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
Government Encryption Social Networks

Florida Fails To Pass Bill Requiring Encryption Backdoors For Social Media Accounts (techcrunch.com) 32

Posted by BeauHD from the withdrawn-from-consideration dept.
An anonymous reader quotes a report from TechCrunch: A Florida bill, which would have required social media companies to provide an encryption backdoor for allowing police to access user accounts and private messages, has failed to pass into law. The Social Media Use by Minors bill was "indefinitely postponed" and "withdrawn from consideration" in the Florida House of Representatives earlier this week. Lawmakers in the Florida Senate had already voted to advance the legislation, but a bill requires both legislative chambers to pass before it can become law.

The bill would have required social media firms to "provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena," which are typically issued by law enforcement agencies and without judicial oversight. Digital rights group the Electronic Frontier Foundation called the bill "dangerous and dumb." Security professionals have long argued that it is impossible to create a secure backdoor that cannot also be maliciously abused, and encryption backdoors put user data at risk of data breaches.

Florida Fails To Pass Bill Requiring Encryption Backdoors For Social Media Accounts More | Reply

Florida Fails To Pass Bill Requiring Encryption Backdoors For Social Media Accounts

Comments Filter:

  • Has a glass half full kind of guy (Score:5, Interesting)

    by rsilvergun ( 571051 ) on Friday May 09, 2025 @05:31PM (#65365065)
    I don't look at this as failing to pass the law but succeeding in soliciting bribes from social media companies!

    • I don't look at this as failing to pass the law but succeeding in soliciting bribes from social media companies!

      That'd certainly be on-brand for Florida. I'd been trying to figure out why the EV registration tax failed too, and that's probably also the reason - some of our lawmakers got a nice "gift" from a certain tech mogul who might finally be a little worried that his cars aren't selling as well as they used to.

      Florida never does the right thing just because it's the right thing to do. Even when they do the right thing, it's usually motivated by the wrong reason (such as finally addressing Disney's excessive au

    • Far-right maga is fine with government intrusion as long as it is their people doing it. If trump wanted to track everyone of their movements through any means necessary, the scum would all submit immediately.

  • maliciously abused (Score:3)

    by fahrbot-bot ( 874524 ) on Friday May 09, 2025 @05:33PM (#65365079)

    Security professionals have long argued that it is impossible to create a secure backdoor that cannot also be maliciously abused, ...>/quote>

    I can easily imagine that was the (unspoken) intent of the bill.

    • Security professionals have long argued that it is impossible to create a secure backdoor that cannot also be maliciously abused,

      Just to play devil's advocate, those security professionals are being a bit disingenuous every time they make that claim. There is no backdoor into cryptocurrency's encryption and coins still manage to be stolen. Encrypted security is only as strong as the care taken to safeguard the private key, and as crypto "heists" have proven, it is entirely possible to gain access to something you shouldn't without actually compromising the encryption itself.

      They're not doing anybody any favors by acting like lawmak

      • Re: (Score:3)

        by Sique ( 173459 )

        Just to play devil's advocate, those security professionals are being a bit disingenuous every time they make that claim. There is no backdoor into cryptocurrency's encryption and coins still manage to be stolen. Encrypted security is only as strong as the care taken to safeguard the private key, and as crypto "heists" have proven, it is entirely possible to gain access to something you shouldn't without actually compromising the encryption itself.

        This is not playing devil's advocate, this is whataboutism. Even more so, it proves the point of the security professionals. If we can't even make something designed not to have backdoors safe enough to prevent unauthorized access, how much more insecure is something which should be designed to have an obvious and an obscure access? Now we have to fight off even more attack vectors, and apparently, we aren't perfect in it.

        • My point is, "it is technically not possible without compromising the algorithm" is a disingenuous argument every time it is made, and it disregards the fact that lawmakers simply don't care what is or is not technically possible. Look at Florida's age verification laws for adult content. It's an absolute mess, but did the lawmakers consider that? Nope, they signed the bill into law and then it's up to the industry to figure out how they can comply with it.

          If your entire argument is that it's not technic

          • Re: (Score:2)

            by larwe ( 858929 )

            "it is technically not possible without compromising the algorithm" is a disingenuous argument

            No, no, NO. Part of the "algorithm" is the key management strategy. Properly implemented E2E encryption means that the private keys are only stored on end devices. The infrastructure never sees them and has no opportunity to store them. A system that violates that rule is a "compromised algorithm". How useful would SSL be if during the initial key exchange, it negotiated exactly as it does today, but also includes the private key in the negotiation? Crazy sauce.

          • disingenuous
            adjective
            : lacking in candor
            also : giving a false appearance of simple frankness : calculating

            Security professionals are not being disingenuous. They're being 100% truthful that it's not possible to design a backdoor that only the good guys can use. It doesn't matter that it's not the *only* possible attack on encryption. It's the one being proposed now. This is an argument about the proposal.

            Sure, there are other arguments against creating a backdoor. That doesn't make this one disingen

      • Cryptocurrencies were not designed to be theft-proof - that was not part of the threat model. In fact that would be antithetical to the goal of designing a non-reversible bearer token.

        And "safeguarding the private key" - well, yeah, that's important, but that's hardly the only important thing. Cryptosystems leak for all sorts of reasons, and incompetence with keys is just one of many, many failure modes. Hell, that's just one of many failure modes considering only key management.

        The claim "professionals

  • Public/Private key solves all this (Score:5, Insightful)

    by phantomfive ( 622387 ) on Friday May 09, 2025 @05:40PM (#65365095) Journal
    Someone (that I know) recently asked me for my social security number over text message. Of course I said no, since that's not a secure channel of communication.

    PKI solves all of these problems. The reason we don't use PKI is because the UI is difficult. The UI is difficult because governments keep working to prevent strong encryption from happening. For example, the browser certificate problem is easily solved by having a public key DNS entry. But we don't do that.

    • > the browser certificate problem is easily solved by having a public key DNS entry.

      As secure as your DNS server, I suppose. I'm no encryption expert, but it seems it'd be easier to take control of your domain if all I had to do was get a registrar to repoint your DNS instead of having to also compromise a separate entity that provides encryption certificates.

      • A problem worth mentioning, but the only thing added to DNS is the public key. So if DNS is hijacked, I encrypt a message with that fake public key and send it to you, then you can't read it. That's it. We know something weird is going on.

        If we're doing a manual conversation I can just use shared contextual knowledge to authenticate (what did we have for dinner last night? or something similar). Or send you a text message via a separate channel (your phone number). Automated authentication is trickier of [xkcd.com]
      • PKI infrastructure is more than just DNS.

        For example, your addressbook SHOULD have an entry for "public key[s]" (or encryption key or whatever). Then you can import the public key from a text message, or from a twitter message, or a QR code on a business card, or any other way that you get people's email address and phone number.

        OSX has some infrastructure for handling encryption keys that is worth mentioning because it is featureful, but it's not quite user friendly yet, and hasn't been integrated into

    • Re: (Score:2)

      by gweihir ( 88907 )

      Secure encrytion has been available with relatively low effort for anybody since the first releaswe of PGP 34 years ago. It did include very readable documentation that was entirely comprehensible to an average reasonably educated person and did point out all that you needed to know.

      Why did it not take off except among experts? Simple: People are too dumb to care.

      • The UI is bad. In places where people do care (like Debian voting [debian.org]) it gets used. How can the UI be improved?
        • *) A place to store keys. Currently storing them in a text file is just not easy. Apple's Keychain Access does some work here.
        • *) I shouldn't need to copy-paste messages into gpg on the commandline to read email. My mail app should be able to access the Keychain store to decrypt messages.
        • *) Many ways to improve key exchange, including:
          1. (*) copy and pasting the key (which exists now)
          2. (*) scanning int

        • Re: (Score:2)

          by gweihir ( 88907 )

          The UI even of the first PGP was not "bad". It was slightly inconvenient. But that ties in with people not caring. If people did care about their privacy, front-ends suitable for regular consumers (which PGP never blocked, hindered or tried to prevent) would have been establisted at most a year later. But people did not care. And people still do not care. "Surveillance fascism? No problem, I have nothing to hide!" and deranged statements like that.

          Encryption tools can and should be pervasive, but the government does actively fight against making them so.

          Indeed. Governments (and really, all power structures) do no

    • In fact public key encryption is exactly how Signal or WhatsApp work. Each message you send gets encrypted with the public keys of all recipients. Only they can decrypt it. What the proposed mechanism would effectively do is automatically put law enforcement on BCC.

  • We're being led by idiots (Score:1)

    by Anonymous Coward
    n/t

  • Good (Score:2)

    by gweihir ( 88907 )

    Apparently the stupid assholes that want this can now be neutralized with a reasonable degree of reliability.

  • "Backdoor" and "provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena" are technically not the correct framing. This is not how public key encryption works.
    Rather than that, when such mechanisms are in place, each message is additionally encrypted with the public key of law enforcement before sending so that law enforcement can decrypt such a message with their private key without any further ado. This is as if you send a CC of each message to law enforcement. This is

  • Just ask lawmakers if they would be comfortable with the police having a skeleton key to unlock every door in their neighborhood that criminals know the cops are carrying.

Slashdot Top Deals

I'm all for computer dating, but I wouldn't want one to marry my sister.

Close