Legislation called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (or, the EARN IT Act) was introduced by senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) on March 5. The bill represents an attempt by the U.S. government to stop the distribution of child sex abuse material online.
However, according to many online privacy advocates and tech-related media , such as the Electronic Frontier Foundation and WIRED Magazine, the bill is also the federal government’s latest attempt to put an end to encryption and user privacy on the internet.
The bill specifically targets Section 230 of the Communications Decency Act, which protects “interactive computer service providers” from being held liable for the messages or posts of users on their platforms (with the exception of those that are federal crimes). In a nutshell, it means that if you are defamed by a post from another individual online, you cannot sue the platform for defamation.
With EARN IT, tech companies would lose this protection if they fail to comply with a list of best practices for identifying and reporting child sex abuse material to the National Center for Exploited Children (NMEC). Without the protections enshrined in Section 230, companies would be vulnerable to lawsuits that could leave them bankrupt, giving them significant financial incentive to comply.
These best practices, which mandate the technology and techniques to be used by tech companies, would be created by a 19-member commission and approved by Attorney General William Barr. Lily Hay Newman from WIRED Magazine writes, “companies would have to ‘earn’ the protection by showing that they are following recommendations for combatting child sexual exploitation.”
While the premise of EARN IT certainly has good intentions — the distribution of child sex abuse material on the Internet is a serious problem that needs to be addressed — the bill is much more complicated than it first appears. It does not mention encryption specifically, but Newman notes that “the EARN IT Act has definite implications for encryption.”
Matthew Green, a cryptographer and professor at Johns Hopkins University, writes that EARN IT puts tech companies in an extremely difficult position when it comes to encryption. They can either figure out how to scan user data for child sex abuse material so it can be reported to the NMEC while somehow maintaining end-to-end encryption for users (something no one yet knows how to do), or get rid of encryption for user data altogether. “It’s likely that ‘stop using encryption’ is really the preferred goal,” Green speculates.
This is due to the fact that the best practices mentioned in the bill don’t yet exist. It’s unlikely that the list would include the effectively impossible task of scanning user data and maintaining thorough encryption. “Needless to say,” Green continues, “the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.”
On top of this, Joe Mullin writes for the EFF that Attorney General Barr has historically opposed encryption. Since the list of proposed best practices requires Barr’s approval, this makes it even more unlikely that pro-encryption technologies or techniques will make the cut.
I believe allowing the federal government to mandate the technologies and techniques used by service providers by threatening to take away invaluable legal protections sets a dangerous precedent. The fact that there are no preexisting definitions of the best practices the bill requires means that, if it passes, the commission tasked with creating them can essentially make them whatever Barr desires. These potential practices could be as benign as only cross-referencing possible child sex abuse material with a database to report offenders to the NMEC, or as Orwellian as scanning and sending all online communications to law enforcement agencies. The latter brings the government one step closer to restricting free speech of U.S. citizens — an unlikely scenario, perhaps, but one that I think EARN IT strays too close to.
This would not be limited just to social media platforms like Instagram or Twitter; it would also affect messaging apps, such as Facebook Messenger, WhatsApp, GroupMe or Signal. Communications that you would expect to be private (or, at the very least, inaccessible by the government) could be compromised.
The sharing of child sex abuse material by anonymous users is a tragic reality on the internet, and more action needs to be taken to catch and punish the people who participate in this behavior. It’s possible that this will require incentivizing tech companies to address the problem.
However, a bill that takes sweeping measures to undermine end-to-end encryption is not the answer. Let alone a bill that, according to Sophia Cope, Aaron Mackey and Andrew Crocker from the EFF, is in violation of both the First and Fourth Amendments. While I recognize the good that EARN IT aims to do, I am entirely opposed to the passing of this bill.
I highly encourage anyone who wants to know more about how the EARN IT Act works to read Matthew Green’s blog post or, for a much more in-depth understanding, these posts by Riana Pfefferkorn in The Center for Internet and Society at Stanford Law School. If you want to find out how to take action, the EFF provides a tool that helps you contact your representatives here.