Amended Cooper Davis Act Is A Direct Threat To Encryption

by India McKinney and Andrew Crocker
Electronic Frontier Foundation
Reprinted under Creative Commons License

Last week, the Senate Committee on the Judiciary amended and passed S.1080, which would require private messaging services, social media companies, and even cloud providers to report their users to the Drug Enforcement Administration (DEA) if they find out about certain illegal drug sales. EFF opposes this bill, both in its original and amended form.

The bill, also called the Cooper Davis Act, laudably seeks to address the proliferation of illegally-made fentanyl and resulting overdose deaths in the United States. Unfortunately, the amended bill is still likely to result in a host of inaccurate reports to law enforcement by prodding Internet companies to trawl through users' innocent conversations, including discussions about past drug use or treatment. This bill contains no warrant requirement, no required notice, and limited user protections, and deserves to be defeated on the Senate floor.

Although the bill does not explicitly require providers to seek out illegal activity by users, it walks up to that line by requiring reporting when providers obtain actual knowledge of this activity, and creating criminal penalties for failure to do so. S.1080 is modeled on existing law that requires providers to report actual knowledge of child sexual abuse material (CSAM) to a group called the National Center for Missing and Exploited Children, a quasi-governmental entity that later forwards on some reports to law enforcement.

Companies base some of their reporting on matches found by comparing digital signatures of images to an existing database of previously removed CSAM. Notably, this new bill requires reporting directly to the DEA, and the content at issue (drug sales) is markedly harder and more subjective to identify. While actual CSAM is unprotected by the First Amendment, mere discussion of drug use is protected speech. Due to the liability they would face for failing to report, some companies may overreport using content-scanning tools that we know have large error rates in other contexts.

Unfortunately, the Judiciary Committee's amendments increase the incentives on companies to search their users' private communications for discussions of drugs, even at the expense of undermining encryption and other important security measures.

The most concerning update to the bill is a new carveout which says that providers cannot be penalized for failing to conduct “additional verification or investigation” into users' communications unless they “deliberately blind” themselves. Just as in the EARN IT Act, this language squarely implicates the very security and privacy features that protect users' communications from prying eyes, especially those of the companies themselves. This language will encourage providers to undermine those features out of the fear that law enforcement will argue that, by taking themselves out of the loop and allowing all users to have truly secure conversation, providers are “blinding” themselves. Although the amendments improve on other areas of the bill—most notably by requiring some minimization of reports—the anti-encryption language is a step backward in an already extremely flawed bill. It deserves to be defeated on the Senate Floor.