EARN IT Act Casts a Long Shadow on Encrypted Services

As legislators begin to gather some momentum for the EARN IT Act, more and more civil liberties, privacy, and digital rights organizations are lining up against the bill, which is widely seen as a thinly veiled attempt to limit the use of end-to-end encrypted services.

On Wednesday, the Senate Committee on the Judiciary held its first hearing on the bill, and committee members spent much of the time insisting that it had nothing to do with encryption and was aimed solely at protecting children from online exploitation. The EARN IT Act, introduced last week by Sens. Lindsey Graham (R-S.C.) and Richard Blumenthal (D-Conn.), would establish a large committee headed by the attorney general that would create a set of best practices that online services and platform providers would have to follow in identifying and removing child exploitation material. That requirement would force providers to find a way to scan messages and other content sent over encrypted services or risk losing their protection from wiretapping under Section 230 of the Communications Decency Act.

The legislation itself does not make any mention of encryption or encrypted services, but legal experts and policy analysts have pointed out that the only way for providers to comply with whatever best practices the commission sets up would be to break the end-to-end encryption in services such as WhatsApp.

“You can’t have an Internet where messages are screened en masse, and also have end-to-end encryption any more than you can create backdoors that can only be used by the good guys. The two are mutually exclusive. Concepts like ‘client-side scanning’ aren’t a clever route around this; such scanning is just another way to break end-to-end encryption. Either the message remains private to everyone but its recipients, or it’s available to others,” Joe Mullin, a policy analyst at the Electronic Frontier Foundation (EFF), said in a post after the hearing.

The EFF is far from alone in its opposition to the bill. This week a large coalition of civil society organizations sent a letter to Graham and Blumenthal expressing serious concerns with its structure, the proposed makeup of the commission, and the effects the legislation could have on online privacy and safety for many people. The coalition includes the EFF, Center for Democracy and Technology, Internet Society, and Wikimedia Foundation.

“By setting the stage for adoption of best practices that, whether directly or indirectly, require companies to avoid offering strong device encryption or end-to-end encrypted messaging services, the bill could create encryption backdoors. Backdoors to encryption make everyone in society more vulnerable to privacy, cybersecurity, and other risks,” the letter says.

“Removing encryption would threaten our economy and sacrifice all users’ security and privacy, leaving their data and communications susceptible to misuse by bad actors of many sorts, including the military and intelligence services of hostile nation-states, organized criminals, terrorist groups, and malicious hackers. A backdoor for law enforcement is unfortunately a backdoor for all of these bad actors as well.”

During Wednesday’s hearing, both Graham and Blumenthal said that the EARN IT Act is not designed to limit the use of encryption or force providers to create backdoors.

“This bill is not about the encryption debate but about the best business practices. We’re not going to go blind as a nation in the name of any other freedom. America is not going to lose its way,” Graham said.

Blumenthal said encrypted services can coexist with the requirements of law enforcement.

“Strong law enforcement is compatible with strong encryption. I know it and big tech knows it. I don’t think the American people want this to be a fight about encryption. They want the truth,” Blumenthal said.

Prior to the hearing, the Electronic Privacy Information Center (EPIC) sent a letter to the committee members pointing out the effects the bill would have on encrypted services.

“Providing end-to-end encryption protects users, promotes commerce, and ensures cybersecurity. EPIC recommends that the EARN IT Act make clear that liability should not be imposed for a secure end-to-end encrypted communications system that safeguards the security and privacy of users,” EPIC said in the letter.

Along with Graham and Blumenthal, Sens. Josh Hawley (R-Mo.) and Dianne Feinstein (D-Calif.) also sponsored the EARN IT Act.

“What’s amazing to me is that anyone would have any resistance to this,” Feinstein said during the hearing.