Riana Pfefferkorn is the associate director of surveillance and cybersecurity at Stanford’s Center for Internet and Society (CIS), a technology law and policy program at the Stanford Law School.
Her work explores the intersection of new technologies and the legal frameworks that support them, and aims to address questions pertaining to free speech, innovation, privacy, public commons, diversity, and scientific inquiry.
ExpressVPN recently had the chance to talk with Pfefferkorn about issues such as the much-maligned EARN IT Bill, walled-off internets, outsized tech companies, her own interest in internet legislation and privacy, and the chance of a federal data privacy law in the U.S.
Here’s what she had to say.
Answers were provided by email.
1) The EARN IT bill is scheduled to be presented in front of the U.S. Senate soon. If this piece of legislation becomes part of U.S. law, what ramifications do you see for the internet and communications platforms in the medium to long term?
I think the ramifications will be felt not just in the U.S. but globally. Most of the world’s major providers of online services are American, meaning they will obey U.S. laws; when they change their products to comply with U.S. law, they will likely apply that change worldwide.
I anticipate that we will see something similar to the reaction by providers after FOSTA passed into law in 2018: mass censorship of users’ voices, the removal of entire sections of websites/services or removal of entire features, restrictions on users’ ability to communicate with one another (especially adult users with users under 18). We can anticipate that the brunt of this censorship will—as usual—fall on marginalized voices, such as LGBTQI+ people and sex workers. Online free speech will be harmed yet again.
2) The Trump administration has been on a warpath against encryption in general, advocating for backdoors and greater access for law enforcement. Do you believe that this is a reflection of the current zeitgeist against tech companies in general or restricted to his administration’s agenda? Given that this is an election year, do you think a change in government might herald a new approach?
This administration, with its emphasis on “law and order” and strongman attitudes, is very much on the side of the law-enforcement agencies, who are anti-encryption. Also, this president does not listen to the advice of U.S. intelligence agencies, who tend to be very dead set against encryption backdoors. Being more willing to listen to law enforcement and less willing to listen to the intelligence community means that the administration is far more receptive to a pro-backdoor agenda than the previous administration (which never really took a strong stance either way, despite having eight years to figure it out).
I don’t think we would necessarily see a Democratic president be super pro-encryption, though. Being anti-encryption is a bipartisan issue, and Joe Biden has said he believes Section 230 (at which EARN IT is aimed) should be repealed. So the issue isn’t going to go away even if there is a change of administration in January. And the fact that we’ve spent the past four years with such an encryption-hostile administration means that the Overton window has shifted to make it harder for Biden, who would likely be a pretty centrist president, to reverse course against the prevailing trends of the past four years and come out strongly pro-encryption.
I have written extensively about how EARN IT is just a way for law enforcement to capitalize on popular antipathy towards tech companies in order to achieve the unrelated goal of encryption backdoors and greater surveillance powers. Part of the reason why everyone is so mad at tech companies is because the 2016 election came out the way it did, because big tech companies—particularly Facebook—are viewed as having played a role in causing that result. So, perversely, the administration is capitalizing on the popular anti-tech zeitgeist that its very existence helped to create.
But I don’t think that the anti-tech attitude is going to vanish overnight, either, if we see a change in government in January. The debate over Section 230, and the encryption debate, will continue regardless.
3) What are the greatest threats to free speech and digital rights in the coming years, and what can ordinary netizens do to prevent that from happening?
I foresee the further splintering of the internet into multiple regional “internets.” The EU, Russia, and China are already moving in the direction of having their own internets.
We’re used to the internet as mostly created by the US, but that US-created internet is going away. Different regions will exercise more and more control over what the internet looks like in their jurisdiction, replacing the open, decentralized internet we are used to.
At the same time, countries around the world are retreating from democratic values. Increasing governmental control, regionalization/splintering, and rising censorship all will combine to threaten free speech and the ability of people in different parts of the world to freely exchange communications and ideas with each other.
I think people can both speak up to their governments and speak out against bills such as the EARN IT Act (or whatever the local equivalent might be in your country) while also figuring out how to use censorship-resistant tools, whether it’s VPNs, the Tor browser, end-to-end encrypted chat apps such as Signal, etc.
4) Can you tell me a little bit about your work at the Center for Internet and Society at Stanford? What made you interested in digital privacy law in the first place?
My work at CIS is primarily focused on encryption policy and law, mostly in the U.S. but also as the issue comes up in other countries, such as Australia, as well. I also work on related issues about government surveillance—such as how governments hack people’s browsers or devices, or pay third parties (such as NSO Group) to do so.
And then another strand of my work has been to try to shed greater light on secret court efforts by the U.S. government to undermine encryption or grab more surveillance authority. I got into this field because I volunteered at the Electronic Frontier Foundation way back when I was still a college student, and I found what they did to be really inspiring. I decided to go to law school, with the goal of pursuing a career at the intersection of technology and civil liberties. Now, that’s exactly what I get to do every day. I am so grateful to be at CIS and to get to work on these critically important issues.
5) We’re in the age of surveillance capitalism, and platforms with a critical mass of data have built enough moats to crowd out any challengers. Do you ever see this changing? How can we truly regain our data, and by extension, our privacy?
Honestly, I think the EU has been a leader here. Instead of the contractual, transactional conception of privacy that dominates in the US and thus dominates the internet we’ve known so far, the EU has conceptualized privacy as a fundamental right and, by passing the GDPR, has called American behemoths to account.
Similar efforts are underway in other populous nations such as Brazil. When these very populous regions with a ton of internet users decide to throw their weight around and force US companies to respect user privacy, they can make a real difference. Already we’ve seen California imitate the GDPR with its own version, and with California being the most populous state in the nation (and home to many major tech companies), it, too, can make a big difference by throwing its weight around. We aren’t there yet but I do believe in the power of regulators to make a difference. The question is whether they will be making a positive difference in privacy while also making a terribly negative difference in terms of freedom of expression.
6) What do you think about the future of internet privacy and security? On the one hand, places like the EU and Brazil are refusing to cave to the demands of tech companies and increasingly recognizing the importance of anonymization. The U.S., however, does not have a federal data privacy law, and this is unlikely to change anytime soon. What’s the endgame here?
The U.S. has been in a downward spiral of abdicating its traditional role of leadership and authority on the world stage. GDPR is an example: We invented the internet! We should have been the leaders on internet privacy! But we let Europe do it instead. (Granted, GDPR was in the works well before the current administration took office.)
I think this trend—of letting someone else call the shots—will only continue. I believe that EARN IT and other anti-big tech bills are stand-ins for Congress’s total inability to get its act together. They can’t seem to pass a comprehensive federal data privacy law or put teeth back into U.S. antitrust law (which has been getting intentionally weakened over recent decades), so they’re going after Section 230 instead, even though that is obviously the wrong tool to address problems about privacy and competition. So I won’t hold my breath for a federal data privacy law.
I also think that security will continue to be pulled in two different directions: As long as there continue to be stupid anti-encryption bills such as EARN IT, we can’t rest easy that U.S. law will really value and safeguard cybersecurity.
But at the same time, regulators at the state and federal levels have increasingly been exercising their authority to penalize companies for poor data security.
Companies are going to be in a real bind if they are expected to secure user data on the one hand but insert backdoors on the other. It’s a foreseeable and avoidable conundrum. Meanwhile, the Covid-19 epidemic has forced us to live far more of our lives online, throwing into sharp relief the overwhelming importance of cybersecurity. That all gives me some hope that Congress will come to its senses on security and that backdoor bills like EARN IT won’t pass. Hopefully that’s not too optimistic.