Bond

The Twenty-Six Words that Created the Internet is Jeff Kosseff’s definitive history and analysis of the current fight over Section 230, the fight over who will be held responsible to forbid speech. In it, Kosseff explains how debate over intermediary liability, as this issue is called, stretches back to a 1950s court fight, Smith v. California, about whether an L.A. bookseller should have been responsible for knowing the content of every volume on his shelves.

But the good thing about a payment gateway like PayPal, Stripe, or 2Checkout is that they take on the security surrounding PCI compliance and, more importantly, assume the risk.

Some large tech behemoths could hypothetically shoulder the enormous financial burden of handling hundreds of new lawsuits if they suddenly became responsible for the random things their users say, but it would not be possible for a small nonprofit like Signal to continue to operate within the United States. Tech companies and organizations may be forced to relocate, and new startups may choose to begin in other countries instead.

The EARN IT act turns Section 230 protection into a hypocritical bargaining chip. At a high level, what the bill proposes is a system where companies have to earn Section 230 protection by following a set of designed-by-committee “best practices” that are extraordinarily unlikely to allow end-to-end encryption. Anyone who doesn’t comply with these recommendations will lose their Section 230 protection.

Broadly speaking, Section 230 of the Communications Decency Act protects online platforms in the United States from legal liability for the behavior of their users. In the absence of this protection, many of the apps and services that are critical to the way the internet functions today may have never been created in the first place – or they couldn’t have been created in America.

A year’s worth of cajoling back and forth has ultimately resulted in the EARN-IT bill wending its way through the U.S. system, a bill that, if passed, would see messaging services become legally responsible for the content on their platforms. While not mandating backdoors, per se, without some form of probes into message content, the argument runs that the punitive risks become unsurvivable.

there’s a bill tiptoeing through the U.S. Congress that could inflict the backdoor virus that law enforcement agencies have been trying to inflict on encryption for years... The choice for tech companies comes down to weakening their own encryption and endangering the privacy and security of all their users, or foregoing protections and potentially facing liability in a wave of lawsuits.

Once the platforms introduce backdoors, those arguing against such a move say, bad guys will inevitably steal the keys. Lawmakers have been clever. No mention of backdoors at all in the proposed legislation or the need to break encryption. If you transmit illegal or dangerous content, they argue, you will be held responsible. You decide how to do that. Clearly there are no options to some form of backdoor.

Despite its opposition, EARN-IT is the clearest threat yet to end-to-end encryption, given this clever twist in pushing the onus onto the platforms to avoid transmitting illegal content, rather than mandating a lawful interception approach.

Tiring of the privacy and safety debate, those behind EARN-IT have proposed making the platforms responsible for the content they transmit, encrypted or not. This would mean, as explained by Sophos, that tech companies “either weaken their own encryption and endanger the privacy and security of all their users, or forego protections and potentially face liability in a wave of lawsuits.”

The Digital Millennium Copyright Act (DMCA) has notable safe-harbor provisions which protect Internet service providers from the consequences of their users' actions. (Similarly, the EU directive on electronic commerce provides a similar provision of "mere conduit" which, while not exactly the same, serves much the same function as the DMCA safe harbor in this instance.)

make it as easy to withdraw consent as to give it. The latter gets particularly interesting when considering that in some contexts, consent may be obtained “through only one mouse-click, swipe or keystroke” and therefore “data subjects must, in practice, be able to withdraw that consent equally as easily” per the WP29.

The key change here is the removal of an intent to defraud and replacing it with willfully; it will be illegal to share this information as long as you have any reason to know someone else might use it for unauthorized computer access.It is troublesome to consider the unintended consequences resulting from this small change.

Again, this is stupid that I have to do this, but

Without passing any judgement on any third party developers, we have to advise people to never enter their 1Password Master Passwords into anything other than 1Password. I have no reason to doubt the integrity or competence of these third party developers, and RogueLazer’s project is even open-source. But it would be irresponsible for us to do anything other than advise you never to give your 1Password Master Password to anyone or any other application.

data excluded from Google's interpretation of PII may still be considered personal data under the GDPR

Regardless of where an organization is based (in the EU or otherwise), its website must meet regulatory obligations when processing EU/EEA citizens’ data or the business will face financial penalties.

Most companies are throwing cookie alerts at you because they figure it’s better to be safe than sorry When the GDPR came into effect, companies all over the globe — not just in Europe — scrambled to comply and started to enact privacy changes for all of their users everywhere. That included the cookie pop-ups. “Everybody just decided to be better safe than sorry and throw up a banner — with everybody acknowledging it doesn’t accomplish a whole lot,” said Joseph Jerome, former policy counsel for the Privacy & Data Project at the Center for Democracy & Technology, a privacy-focused nonprofit.

So basically in an effort to stop 1,000 pieces of infringing content, you'd end up pulling down 50,000 pieces of legitimate content. And that's with an incredible (and unbelievable) 99.5% accuracy rate. Drop the accuracy rate to a still optimistic 90%, and the results are even more stark:

Financial caps linked to the level of fees charged for the work are (in our view) less likely to pass the test.