Under Pretext of Protecting Children, EARN IT Act Puts Encryption in Its Crosshairs
Posted on June 1, 2020
The Electronic Frontier Foundation (EFF) recently published a blog post warning of a new proposed bill in the US Senate which could effectively coerce online services and platforms into compromising their users’ encryption. If passed, the EARN IT Act, which enjoys bipartisan support in the Senate, would set up a commission with the ability to propose sweeping changes to how online platform operators protect their users’ communications, which could then be rushed through Congress for passage into law.
In its current iteration, the EARN IT Act establishes a 19-member deliberative commission made up overwhelmingly of law enforcement figures and industry regulators, with only token information security expert representation. The commission’s objective is to adopt “best practices” for identifying, reporting, and preventing child exploitation on the internet, which online services would be compelled to implement. This body is overseen by the Attorney General, the Secretary of Homeland Security, and the Federal Trade Commission Chair, each of whom have unilateral veto power over any measures ratified by the commission.
This governing structure lends itself only too well to enshrining practices that will undermine encryption. Because the Attorney General and DHS Secretary both enjoy veto power, they are perfectly positioned to mandate best practices which thwart encryption as a precondition of their approval. Most concerningly, a provision in the legislation states that if the commission is unable to adopt any best practices, Section 230 of the Communications Decency Act, which absolves online platforms of illegal behavior by their users that they are unaware of, will be automatically weakened. This further incentivizes one of the three veto-wielders to hold out for best practices which defeat encryption, since they can use this Section 230 trigger as leverage.
An internet governed by an enacted EARN IT Act would be bleak for ordinary users. Either the commission would approve rules which require online platforms to backdoor (or otherwise circumvent) the encryption for their users’ communications, or Section 230’s protection for these platforms will erode and force these platforms to insulate themselves from government regulatory lawsuits and fines by dramatically–and, invariably, excessively–cracking down on user speech on their platform. Thus, such a law would induce a lose-lose choice in which Americans must forfeit either their privacy (by neutering encryption) or their free speech (by pushing platforms to over-police user content).
It is worth reiterating what security experts have warned every time the government attempts to bend encryption to its ends: anything short of integral, unmediated end-to-end encryption is fatally flawed. Encryption which only allows law enforcement to tap into a connection or message doesn’t exist–a backdoor intended for use by one party can be discovered and abused by any party.
Civil libertarians would be wise to regard this bill as the overt attempt to break encryption that it is. As the EFF notes in its letter to Congress, federal law enforcement only pursues and prosecutes a small fraction of all the cases that the National Center for Missing and Exploited Children refers to such agencies. In this light, it is clear that legislation like the EARN IT Act is by no means their only, or even best, recourse in better combating child exploitation online–if it were, civil liberties defenders and American citizens would be more inclined to take federal law enforcement at their word on this matter.
Until the federal government can prove it has exhausted all other means of addressing the serious issue of digital child exploitation, the American people would do well to eye efforts like the EARN IT Act the suspicion they deserve as a wolf in sheep’s clothing.
You can read the full blog post from the EFF here.