Flickr Creative Commons, Daniel Mennerich

Laurie Clarke


EARN IT: the US bill that could end all encryption

A bill currently wending its way through US Congress is ostensibly aimed at combating child sexual abuse material. But privacy organisations are warning that it could have the (perhaps not entirely unintended) consequence of endangering online encryption and providing the US government unfettered powers to comb through citizens’ comms.

The Eliminating Abusive and Rampant Neglect of Interactive Technologies (‘EARN IT’) Act was first introduced by a group of US senators on 5 March. The basic premise of the bill is that tech companies will have to earn Section 230 protections rather than being granted them by default, as the Communications Decency Act has ensured for over twenty years.  

The EARN IT Act would establish the National Commission on Online Child Sexual Exploitation Prevention, whose job it would be to create a set of best practices for online companies to follow, with regard to stopping child sexual abuse material.  The agreed best practices would pass through a series of stages before being enacted by Congress. Companies would have to demonstrate that they’re adhering to those best practices in order to retain their Section 230 immunity.

The beleaguered Section 230 provision means that platform companies are not liable for the content that’s posted on their sites. It’s often considered a pillar upholding free speech on the internet. If the EARN IT Act passed, it would effectively mean that tech companies could be held liable for the illegal content uploaded by their users.

The bill says nothing explicitly about encryption, but could indirectly call for a clamp-down on private channels – putatively because they can be used as a means of ferrying illegal content. It’s possible that in looking to weaken encryption, the bill could demand companies build back doors into their products. 

Senate judiciary committee chairman Lindsey Graham, one of the bill’s cosponsors, hinted at this eventuality. “Facebook is talking about end-to-end encryption which means they go blind,” he said, later adding, “We’re not going to go blind and let this abuse go forward in the name of any other freedom.”

Riana Pfefferkorn, the associate director of surveillance and cyber security at the Stanford Center for Internet and Society, wrote a blog post suggesting that this law could be a sneaky way of undermining another bit of legislation that has long been a thorn in the side of US intelligence agencies. This is the Communications Assistance for Law Enforcement Act of 1994 (CALEA).

Pfefferkorn writes: “CALEA requires telecommunications carriers (e.g., phone companies) to make their networks wiretappable for law enforcement. However, that mandate does not cover ‘information services’: websites, email, social media, chat apps, cloud storage, and so on. Put another way, the providers of ‘information services’ are not required to design to be surveillance-friendly. Let’s call that the ‘information services carve-out’ in CALEA. Plus, even covered entities are free to encrypt communications and throw away the keys to decrypt them. Let’s call that the ‘encryption carve-out.’”

She continues: “Both DOJ and the Federal Bureau of Investigation (FBI) have been trying for at least a decade to close them. But Congress has shown no appetite for that. As said, CALEA has never once been amended in the quarter-century since it was passed. And even with the techlash in full swell, there isn’t a furious public frenzy over CALEA. Politicians know that many Americans are fed up with tech companies ‘hiding behind’ Section 230 of the CDA. But nobody is saying, ‘I’m fed up with tech companies hiding behind Section 1002 of CALEA!’

“So, how can law enforcement achieve its long-desired CALEA goal? By pushing a bill that talks about Section 230 instead.”

Facebook and other platforms are increasingly under fire over insufficient moderation of the content posted on their sites. However, another amendment to Section 230 demonstrates the ways in which attacks on this piece of legislation can go awry.

FOSTA-SESTA, the last bill Congress passed to amend Section 230, was ostensibly about addressing sex trafficking online, and made companies liable for any content posted on their sites that could be related to the illegal practice. However, in practical terms, the amendment made life much harder for the consensual sex workers who used the internet to make their job safer, and drove many who had been using services like Backpage back onto the streets. Evidence that FOSTA-SESTA has done anything to curb sex trafficking is hard to locate. 

Lobbying groups including TechNet and the Internet Association, as well as tech giants like Facebook, have signalled their opposition to the EARN IT law over concerns that the commission could force online services to weaken encryption in order to maintain Section 230 immunity. 

Match Group — the company behind Tinder and OKCupid — has, however, come out in support of the bill.

Amnesty International wrote the following in a statement: “In the digital age, access to and use of encryption is an essential component of the right to privacy. Encryption allows people to share their opinions with others without fear of reprisals. It also allows people to access information and to organize, even under repressive regimes. Strong encryption is an essential component of the rights to freedom of expression, information, opinion, and peaceful assembly. Encryption is a particularly critical tool for human rights defenders, activists and journalists, all of whom rely on it with increasing frequency to protect their security and that of others against unlawful surveillance.”

In July 2019, US Attorney General William Barr demanded that internet giants build backdoors into their products to more easily facilitate intelligence snooping:

“We are not talking about protecting the nation’s nuclear launch codes,” Barr told the International Conference on Cyber Security at Fordham University.

“Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, email, and voice and data applications.

“There have been enough dogmatic pronouncements that lawful access simply cannot be done. It can be, and it must be.”

The arrival of the EARN IT Act coincided with AG Barr announcing that members of the Five Eyes intelligence alliance – made up of Australia, Canada, New Zealand, the UK and the US – have agreed to a set of principles to guide internet companies in their efforts to combat child sexual abuse content. Representatives for six online companies, including Facebook, Google, Microsoft, Roblox, Snap and Twitter, were present to endorse the initiative.