News: 0178859638


FTC Warns Tech Giants Not To Bow To Foreign Pressure on Encryption (bleepingcomputer.com)

(Monday August 25, 2025 @05:40PM (msmash) from the PSA dept.)


The Federal Trade Commission is warning major U.S. tech companies against yielding to foreign government demands that weaken data security, compromise encryption, or impose censorship on their platforms. From a report:

> FTC Chairman Andrew N. Ferguson signed the letter sent to large American companies like Akamai, Alphabet (Google), Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack, and X (Twitter). Ferguson stresses that weakening data security at the request of foreign governments, especially if they don't alert users about it, would [1]constitute a violation of the FTC Act and expose companies to legal consequences.

>

> Ferguson's letter specifically cites foreign laws such as the EU's Digital Services Act and the UK's Online Safety and Investigatory Powers Acts. Earlier this year, Apple was forced to remove support for iCloud end-to-end encryption in the United Kingdom rather than give in to demands to add a backdoor for the government to access encrypted accounts. The UK's demand would have weakened Apple's encryption globally, but it was [2]retracted last week following U.S. diplomatic pressure.



[1] https://www.bleepingcomputer.com/news/security/ftc-warns-tech-giants-not-to-bow-to-foreign-pressure-on-encryption/

[2] https://apple.slashdot.org/story/25/08/19/0345252/us-spy-chief-gabbard-says-uk-agreed-to-drop-backdoor-mandate-for-apple



Do not bow to "foreign" pressure (Score:1)

by Anonymous Coward

But they SHALL bow down to Trump's pressure!

Re: (Score:3)

by Archangel Michael ( 180766 )

Not sure where you stand on Opening Up Encryption .... but it sounds like you're pro unencryption

Broken clocks are right every so often, and this is a No Brainer for me. Don't Fold To Foreign Despotic States.

Re: (Score:3)

by Archangel Michael ( 180766 )

The problem with Civil Liberties (me being a libertarian) is that government intrusion into our lives is already done, and both D and R have contributed. The Dems take a little here, the R takes a little there and the next thing you know, "Papers Please". Government intrusion says the camel's nose is inside the tent.

Re: (Score:2)

by registrations_suck ( 1075251 )

Why do people make every thread about Trump?

It's amazing how much mind power he has over people.

Impossible (Score:1, Interesting)

by Luckyo ( 1726890 )

You must follow the laws of the land to operate in the land. This is an issue of sovereignty, and US cannot dictate otherwise.

Problems here will arise when communications are international, and laws are mutually exclusive. Which jurisdiction is the one invoked.

We may actually end up in a world where users in totalitarian nations like UK will become unable to communicate with users outside it using most popular messaging apps. Or will only be able to communicate using a special unencrypted, fully wiretapped

Re: (Score:2)

by Registered Coward v2 ( 447531 )

> You must follow the laws of the land to operate in the land. This is an issue of sovereignty, and US cannot dictate otherwise.

> Problems here will arise when communications are international, and laws are mutually exclusive. Which jurisdiction is the one invoked.

That is the crux of the problem. With the internet, companies no longer operate in a defined geographic area; and each country will expect the company to follow their laws, even if the only actual connection there is some resident opening a url. Companies already block some EU IP addresses to avoid running afoul of the EU's data protection and other laws; which of course a non-EU company does not need to follow if they have no presence in the EU. Of course, the EU, US, UK are all likely to consider the ability

Re: (Score:2)

by dave314159259 ( 1107469 )

> You must follow the laws of the land to operate in the land. This is an issue of sovereignty, and US cannot dictate otherwise.

You follow the rules where your servers are located and your corporation is based. Choose Carefully. All other countries can do is try to block access to your service at their borders, or punish their own citizens for using your service.

Re: (Score:2)

by HiThere ( 15173 )

Countries have been known to remove passengers from airplanes stopping at their landing fields for breaking local laws from their home turf. But it *is* less common. (One of those countries is the US.)

Take a Big Check (Score:2)

by nevermindme ( 912672 )

As a tech startup, if you cannot do business in another land because the government makes too many demands, license the software and IP and perhaps a bit of the stock.

Re: (Score:2)

by fahrbot-bot ( 874524 )

> You must follow the laws of the land to operate in the land. This is an issue of sovereignty, and US cannot dictate otherwise.

Yes, respect the laws of sovereign entities, well, except ...

[1]Why Trump's tariffs on Brazil are more about political retaliation than trade [bbc.com]

> President Trump has framed these tariffs as retaliation over the prosecution of his ally, right-wing former Brazilian President Jair Bolsonaro. Bolsonaro is facing trial over an alleged coup attempt after losing the 2022 presidential election, when his supporters stormed government buildings in Brasilia. The case includes claims of a plot to kill President Luiz Inacio Lula da Silva, who won the race. [Noting that the U.S. has a trade surplus with Brazil, meaning the United States sells more to Brazil than it buys, so it can't be about trade deficits...]

[2]Trump again calls for release of ex-clerk guilty of Colorado election data breach [theguardian.com]

> President threatened ‘harsh measures’ if Tina Peters – sentenced to nine years – isn’t released from prison. She was found guilty by a jury in Mesa county in 2024 of seven counts related to misconduct, conspiracy and impersonation, four of which were felony charges. [She was convicted of state crimes, not federal.]

[1] https://www.bbc.com/news/articles/cwy0147vxyqo

[2] https://www.theguardian.com/us-news/2025/aug/21/trump-colorado-election-clerk-prison

Re: (Score:2)

by bill_mcgonigle ( 4333 ) *

> laws are mutually exclusive

Yeah, that's the play here.

Make sure the US companies know that if they comply more than locally that they will be in violation of US law.

They ought to slow roll it and let the foreign government sue, like in the 4Chan case.

Under the US Constitution when a foreign state is a party to the suit SCOTUS has Original Jurisdiction.

They'll be far less accommodating than a District Court judge.

From the UK (Score:4, Informative)

by liqu1d ( 4349325 )

Good, please don't bow. Fuck our creepy government.

Re: From the UK (Score:2)

by drinkypoo ( 153816 )

The US and UK are both members of five eyes, an intelligence sharing coalition created to get around certain countries' laws against spying on their citizens by having other coalition members do it for them.

But wait, the US is altering the deal, and wants to stop that sharing.

That is what this is really about. They want to spy on us and not share the info with these former allies.

I'm not against stopping the information sharing, which was always really just a way to go around laws designed to protect citize

Should Not Even Be A Question (Score:2)

by Archangel Michael ( 180766 )

The title says it all. Anyone willing to bow down to opening up Encryption to despotic states for just $$ doesn't deserve the $$ they have.

Re: (Score:2)

by Kernel Kurtz ( 182424 )

> The title says it all. Anyone willing to bow down to opening up Encryption to despotic states for just $$ doesn't deserve the $$ they have.

Did they copy in the FBI on this memo? Aren't they constantly telling everyone how crime will go unsolved if people are allowed to hide things from them?

Re: (Score:2)

by Archangel Michael ( 180766 )

I don't use Biometric Passkeys for this very reason. They cannot compel me to type in or tell them my password, but they can force me to use a fingerprint or facescan.

They cannot compel me without a court order (or three dollar wrench).

"I don't answer questions. I want my lawyer. Am I free to go? Am I being detained and for what RAS do you have right now? I do not have to help you 'investigate' "

Is this a joke? (Score:1)

by Dragonseye ( 1103251 )

haha

Sounds like Washington ... (Score:2)

by Big Bipper ( 1120937 )

Sounds like Washington wants to be the only one with a back door.

Re: (Score:2)

by Dru Nemeton ( 4964417 )

Of course this is performative, so they can point and misdirect when they eventually get busted asking the same companies to do the same thing but for their own despotic ends. NOT those of another government.

YOU SHALL NOT! (Score:2)

by nightflameauto ( 6607976 )

Unless it's us. Then you should. So, just so we're clear: It's naughty when they do it. It's awesome when we do it. Now give us the keys.

For better security, don't use secure services (Score:4, Interesting)

by Sloppy ( 14984 )

It's easy to forget how utterly fucked up things have become, compared to how a few decades ago, we (? well, at least I) thought things would evolve, and one of those has to do with dedicated services for secure communications.

The thing that defies my predictions, is that dedicated services for secure communications, exist at all.

When you wanted to secure email, you didn't use a "secure email" service; you (the user!) just added security onto your insecure email service. Send a PGP/MIME message and the email provider doesn't give a damn that it's encrypted, it just cares about SMTP.

But these days (could I call it the "Age of Lack of Standards"?), everyone is trying to manipulate you into depending on their software and services (inextricably linked; you can't use their software without their service, or their service without their software), so you can't just replace the service or easily "tunnel" security through their presumably-insecure (perhaps even mandated insecure) service. Whatever security they offer, is all you can reasonably get (pretty much the opposite of the classic email situation).

Why do I bring this up? Because the regulations are all about services! Not protocols. Not software. Services. (emphasis mine in all below quotes)

Here's the beginning of The UK Online Safety Act (1)(1)(a):

> imposes duties which, in broad terms, require providers of services regulated by this Act to identify, mitigate and manage the risks of harm

Here's good ol' CALEA (US Code title 47 Section 1002 (a)):

> Except as provided in subsections (b), (c), and (d) of this section and sections 1007(a) and 1008(b) and (d) of this title, a telecommunications carrier shall ensure that ...

CALEA even mentions encryption:

> A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

I haven't dived into the details of EU's DSA, but I see a hopeful sign right there at the very beginning of Article 1:

> The aim of this Regulation is to contribute to the proper functioning of the internal market for intermediary services by setting out harmonised rules...

Look at all those references to services! Not the code you run; the services you use.

What does it mean? I think it might mean that even in the UK(!) you might be perfectly fine and legal using secure software. You just can't have it rely on some coercible corporation's secure services. Send your encrypted blobs over generic protocols and un-dedicated services, and the law won't apply to your situation. I'm not necessarily saying "Make PGP/MIME Great Again" but I do think following in its spirit is a really great idea.

If you run a service, what you want to be able to tell the government (whether it's US or UK or France/Germany) is "we don't provide any encryption, though some of our customers supply their own."

Stop asking for secure services. Worse is better. Ask for secure software (which assumes that all services are completely hostile) decoupled from any particular service.
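
The layering described in the comment above, as an added example that is not part of the original post: it builds the RFC 3156 (PGP/MIME) envelope around client-side ciphertext and shows what a mail provider handling the message can read. The addresses, function names and the armored blob are constructed for illustration; the blob is random bytes standing in for real OpenPGP output.

```python
import base64
import os
from email import message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"

def fake_armor(n=96):
    """Constructed stand-in for `gpg --armor --encrypt` output (random bytes, not OpenPGP)."""
    body = base64.encodebytes(os.urandom(n)).decode("ascii")
    return ARMOR_BEGIN + "\n\n" + body + "-----END PGP MESSAGE-----\n"

def build_pgp_mime(sender, rcpt, subject, armored):
    """Wrap client-side ciphertext in the RFC 3156 multipart/encrypted layout."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"], outer["To"], outer["Subject"] = sender, rcpt, subject
    control = MIMEBase("application", "pgp-encrypted")   # part 1: fixed control part
    control.set_payload("Version: 1\n")
    blob = MIMEBase("application", "octet-stream")       # part 2: the ciphertext
    blob.set_payload(armored)
    outer.attach(control)
    outer.attach(blob)
    return outer.as_bytes()

def relay_view(raw):
    """Everything a provider relaying or storing the message can learn from it."""
    msg = message_from_bytes(raw)
    parts = msg.get_payload() if msg.is_multipart() else []
    body = parts[1].get_payload() if len(parts) == 2 else ""
    return {
        # RFC 3156 leaves headers in the clear: sender, recipient, subject stay readable.
        "headers": {k: msg[k] for k in ("From", "To", "Subject")},
        "content_type": msg.get_content_type(),
        "protocol": msg.get_param("protocol"),
        "part_types": [p.get_content_type() for p in parts],
        # The body is only recognisable as an armored OpenPGP blob, not readable.
        "opaque_openpgp": body.lstrip().startswith(ARMOR_BEGIN),
    }

if __name__ == "__main__":
    raw = build_pgp_mime("alice@example.org", "bob@example.net", "lunch", fake_armor())
    for key, value in relay_view(raw).items():
        print(f"{key}: {value}")
```

The provider still sees who is writing to whom and the subject line; only the body is opaque to it.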
