If you follow privacy and encryption news, you may have already heard of the EARN IT Act, which is being described as a major threat to encryption and the internet. What exactly is in the bill though, what powers are granted, and who could actually be affected?
The EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act), a bi-partisan bill proposed by senators Richard Blumenthal (D) & Lindsey Graham (R), is intended to combat child exploitation online [Full Text — published by the EFF]. Side note: any time a bill is titled or claims to do something moral that everyone would support, red flags should be raised to investigate further. It’s often used as an appeal to emotion, or as Helen Lovejoy would say, “Won’t somebody please think of the children‽”
“The purpose of the Commission is to develop recommended best practices for providers of interactive computer services regarding the prevention of online child exploitation conduct.”
Obviously every decent person would find the exploitation of children disgusting and want to do something about it, but what is also disgusting is using the victimization of children as an excuse to expand law enforcement powers and directly attack our liberties.
The draft may not explicitly mention encryption or backdoors anywhere in it, but it’s a bait-and-switch that would grant extensive powers to regulate and control internet services to a small committee of 15, forcing them to comply with what they consider to be “best practices”. Those who refuse would lose Section 230 protections and potentially be held liable civilly & criminally for actions taken by users on their site/platform.
What Is Section 230 and Why Does It Matter For The Internet?
Section 230 of the Communications Decency Act of 1996 protects internet companies and users from liability for information posted by third parties. Specifically it states, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”
It’s the difference between a publisher and a platform. Without this protection, companies that allow user engagement and content could be considered liable for any libelous or illegal content. If someone says something defamatory on or posts something illegal to Facebook, Twitter, Cyph, or anywhere else, they are the ones responsible for that content, not the platform.
To blame the platform would be like blaming the United States Postal Service for anthrax scares and mail bombs, instead of the evil-doers behind it. In an environment like that, the internet as we know it could not exist. How can you call anything a “recommendation” if you’re withholding something as important as Section 230?
One thing to note that is commonly overlooked as well, is that Section 230 doesn’t just protect large companies, but also covers other individual and smaller content producers like bloggers, YouTubers, forums, etc.
Who Would Be Appointed?
15 total members (all unelected), with the agency heads being: the Attorney General (DOJ/FBI), Secretary of Homeland Security, and the Chairman of the Federal Trade Commission. The other members would consist of:
- Law Enforcement — 4
- “2 shall have experience in handling internet crimes against children in a law enforcement capacity”
- “2 shall have experience in handling internet crimes against children in a prosecutorial capacity”
- Victims Advocates — 2
- “2 shall have experience in providing victims services for victims of child exploitation”
- Software Background — 2
- “2 shall have experience in computer science or software engineering”
- Existing/Large Internet Companies — 4
- “2 shall have experience in child safety at an interactive computer service with not less [sic] than 30,000,000 registered monthly users in the United States”
- “2 shall have experience in child safety at an interactive computer service with less [sic] than 10,000,000 registered monthly users in the United States.”
“[T]he Commission shall develop and submit to the Attorney General recommended best practices regarding the prevention of online child exploitation conduct.”
What Are “Best Practices”?
Well they could be just about anything, so long as the committee approves it. For a “best practice” to be added to the list, it must be approved by two thirds of the members, but a majority of them are too close to the issue, giving them inherent biases and no clear limitation on power (except maybe ultimately from the courts, which is a slow process).
The current AG, William Barr, has openly attacked encryption, and the FBI/DOJ in general has a history here. Barr and the previous acting Secretary of Homeland Security wrote a letter to Facebook in 2019 essentially imploring them to not implement any end-to-end encrypted messaging unless law enforcement was given a backdoor. Law enforcement and victims advocates will care more about expanding investigative power & increased convictions than loss of essential liberties or any economic impact. The same applies a bit to the representatives who have child safety experience from internet services with 10M- and 30M+ monthly users, but also have an incentive to increase the barrier to market entry for any smaller competition that can’t afford to implement “best practices”. Or in the case of Cyph and other encryption companies, it’s highly likely that these practices would directly conflict with us providing a secure service for our users.
One would hope that anyone with a computer science or software engineering background worth their salt would adamantly oppose something like a mandatory or compelled backdoor, but of course the position is appointed and the qualifications are incredibly vague. Even if they were a voice of reason, they could be outvoted any time, or silenced since, “Any vacancy in the Commission shall not affect the powers of the Commission.”
Looking at what is explicitly mentioned in the matters to be addressed (see sec 4(a)3), many of them would be impossible for us to implement without infringing on our users’ anonymity, privacy, and/or putting in a backdoor.
The proposed bill would also update the mens rea (criminal intent) in a way that would make companies like Cyph liable for the actions of one bad user.
“Conduct by a provider of an interactive computer service … that would violate section 2252 if that section were applied by substituting ‘recklessly’ for ‘knowingly’ each place that term appears shall be considered a violation of section 2252 for purposes of paragraph (1) of this subsection.’’
So by refusing to adopt the Attorney General’s standards, whatever they may be, it seems like we could be liable for felonious content of any of our users despite having zero knowledge of it. To be charged with anything we’re not responsible for is egregiously wrong, especially when you consider the loss of liberties that come with being convicted of a felony, like the right to vote, own a firearm, or leave the state.
We would never implement any “best practice” that would violate our users’ trust, privacy, or security, and would rather fight it in court (or even shut Cyph down in the worst case scenario).
Why Not Require Backdoors?
If you’re unfamiliar with the term, a backdoor would essentially be a skeleton key for decrypting any encrypted communications, that in this case is meant for the government to use.
Proponents of backdooring encryption like Barr will try and say that they’re reasonable, support encryption/privacy, and only need this power to combat dangerous criminals; so why wouldn’t we want law enforcement to have access?
First of all, the suggestion is based on a false premise. There is no way to implement a backdoor for one party that doesn’t fundamentally destroy our security against all other parties.
Secondly, the potential for abuse is way too high; our government has quite a history of doing exactly that, e.g. PATRIOT Act & PRISM/NSA spying. For those who already distrust the government wielding that much power, the argument is already pretty clear. If the power is granted and established, not only will it never be given back, but the scope for use would likely expand as well. After all, if law enforcement has this capability, why limit it to just child exploitation, and not terrorism, drug dealing, and all other manner of crime?
“Section 14 of the Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the Commission.”
Section 14 of FACA establishes rules regarding the termination of committees.
If the practices recommended require companies to provide decrypted user information on demand, that could easily establish the groundwork for (more) warrantless mass surveillance on American citizens and the rest of the world. It could essentially use means of extortion to compel companies to comply with a program similar to PRISM.
In addition powers would be granted to, “Secure directly from any Federal department or agency such information as the Commission considers necessary”, meaning they would also have unfettered access to information already collected by organizations such as the FBI/DOJ, NSA, CIA, etc.
Even if you assume that these kinds of powers would never be abused by the Trump administration or any future government, it would fundamentally weaken both your personal freedom and the national security of the United States. Once a backdoor has been implemented, it’s only a matter of time before other nation states or hackers get their hands on the ‘skeleton key’ and unlock your private data. There is no way to do it safely, and anyone who says otherwise has no idea what they’re talking about.
Non-backdoored encryption already exists and is open source — savvy criminals who use encryption as a means to hide their illegal activity could still use methods like PGP, but law-abiding citizens would be caught up in the dragnet of mass consumer services and have their privacy violated for nothing.
What Can I Do?
First and foremost, contact your representatives in government. We know you hear that a lot and likely never do, but the EFF provides a really useful tool for doing so. This is far from the first time that the government has tried to weaken encryption, and the constitutionality of government-compelled backdoors hasn’t been addressed in the Supreme Court yet. So in addition to voicing your opposition to EARN IT, we recommend pushing them to introduce proactive legislation that would definitively restrict the government from being able to compel software companies to modify their code.
Disclaimer: We aren’t lawyers; we’re software engineers who are privacy & free speech advocates. The information provided here is for educational and informational purposes, and should not be considered legal advice.
Modified Image Credits: “NSA Graphics” by EFF licensed by CC; “Lindsey Graham” by Gage Skidmore (https://www.flickr.com/photos/gageskidmore/) CC 2.0; “BlumenthalPresser5_2-7-17” by SenateDemocrats (https://www.flickr.com/photos/sdmc/) CC 2.0