Security news that informs and inspires

EARN IT Act Not Earning Much Support


The highly controversial EARN IT Act, which would present serious challenges to the operators of end-to-end encrypted services, was introduced Thursday amid opposition from technology companies and privacy advocates.

The bill has been circulating in Washington for several weeks as a discussion draft as its sponsors, Sen. Lindey Graham (R-S.C.) and Richard Blumenthal (D-Conn.), have tried to build support for it. The core idea of the bill is to establish a commission that would develop a set of best practices that companies must follow as they try to find and remove child exploitation material from their platforms. Platform providers such as Facebook and Twitter have teams dedicated to that task already, but the EARN IT Act would require them to follow these as-yet-undefined best practices or risk losing their exemption from government wiretaps under Section 230 of Communications Decency Act.

“Simply put, tech companies need to do better. Tech companies have an extraordinary special safeguard against legal liability, but that unique protection comes with a responsibility. Companies that fail to comport with basic standards that protect children from exploitation have betrayed the public trust granted them by this special exemption," Blumenthal said in a statement Thursday.

Though the bill does not even mention the word encryption, it could make it difficult, if not impossible, for providers to operate encrypted services such as chat or messaging. If those services are encrypted from end to end, the provider does not have visibility into the messages’ content and therefore would not be able to find and remove abuse material. But the fact that encryption isn’t the explicit focus of the bill may be a ploy.

“It’s possible that law enforcement may try to amend this bill in a way that sidesteps the damage they’re doing to encryption and privacy. It could be as straightforward as putting a clause in the bill explicitly saying the bill doesn’t apply to encryption,” Joe Mullin, a policy analyst at the Electronic Frontier Foundation, wrote in an analysis of the bill.

“But sidestepping that issue wouldn’t be sufficient to make it a good bill—and it likely won’t even be true. That’s because the DOJ is likely to ‘define down’ what encryption is. It will simply say that something like client-side scanning, for instance, doesn’t into the realm of encryption. That would be patently false, since client-side scanning very much does break end-to-end encryption. But with 11 out of 15 commission members being law enforcement or those who work with them, you can bet their definition of ‘encryption’ will differ in important ways from those of computer scientists.”

The EARN IT Act has earned more than a little criticism in the tech community and has not garnered much support on Capitol Hill as of yet. Like much of the country, Congress has been preoccupied with the coronavirus, to the exclusion of just about everything else. But that will change at some point and legislators will get back to legislating and the Graham-Blumenthal bill will be waiting.

“The EARN IT Act would give government officials unprecedented powers to craft de facto regulations for online speech. Online service providers would almost certainly err on the side of caution and take down anything—including a lot of lawful, constitutionally protected speech—that the Attorney General might not like,” said Emma Llansó, the Center for Democracy and Technology’s Director of Free Expression.

In the meantime, top law enforcement officials have been working behind the scenes to build support for some legislation that would give them the ability to get into encrypted services, whether it’s the EARN IT Act or something else. The new push is tied to the growing dissatisfaction with big tech companies’ privacy policies, according to The Washington Post, and uses the lever of child exploitation to address the encryption issue.

“Previously, the answer from Congress was ‘do nothing,’ both on passing an anti-encryption law -- something for which Congress has heretofore shown no appetite -- and on passing comprehensive federal privacy legislation. But the tide has shifted, the Hill is awash in the techlash, and the DOJ has succeeded in equating being pro-encryption with being anti-child safety,” Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, wrote.

“If pedophiles benefit from strong encryption built in by default to popular software and devices, then, according to Senator Graham, nobody should get that benefit anymore. (Never mind that it won’t work out the way he thinks.) In a Congress already dithering over passing a federal privacy law, the child safety rationale may prevail, at the expense of the many interests that encryption protects -- privacy not least among them.”

This story was update on March 5 to add new information about the bill's introduction.