Security news that informs and inspires

EARN IT Act Revival Renews Debate Over Online Privacy

The controversial Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act was unanimously advanced by the Senate Judiciary Committee on Thursday. The recently revived act, first introduced in 2020, has reignited concerns about its implication for encryption and free online expression by privacy stalwarts.

The EARN IT Act seeks to hold companies, online websites and apps accountable for child sexual abuse material (CSAM) that occurs on their platforms. It does so by proposing to amend Section 230 of the Communications Decency Act, which protects companies from potential lawsuits for content posted by third parties on their platforms, as it relates specifically to CSAM. The bill also proposes the creation of a 19-person federal commission that would outline “best practices” for tackling the issue of online child abuse. Privacy advocates, however, argue that the act would disincentivize popular messaging services and other online platforms from offering end-to-end encryption.

During Thursday’s Senate Judiciary Committee bill markup meeting - a process where proposed legislation is debated, amended and rewritten - the bill unanimously passed out of the committee on a voice vote, but not before a number of senators called on the bill sponsors to address these concerns. Sen. Mike Lee (R-Utah) pointed to worries that the language could enable “open ended policing, accessing and reporting of private and protected data.” Another concern is that, while large platform providers like Facebook and Twitter have teams dedicated to finding and removing CSAM, smaller companies may lack the resources to comply with the patchwork of state laws that could crop up, he said.

“It was good to hear several Democratic senators as well as one Republican senator voice concerns about the bill's consequences for online censorship, privacy, and security, and to hear that there is a desire to do more to protect encryption,” said Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory. “But it was disheartening that not a single member of the committee voted anything other than ‘yes’ on this bill. No matter what language ends up in the bill regarding encryption, this bill is still a serious threat to our rights online. What's more, the bill's sponsors acknowledged its Fourth Amendment problems but evinced no interest in fixing them.”

“No matter what language ends up in the bill regarding encryption, this bill is still a serious threat to our rights online."

Sen. Richard Blumenthal (D-Conn.), a co-sponsor of the bill along with Sen. Lindsey Graham (R-S.C.), argued on Thursday that the approach is intended to be "very narrowly targeted” and that “we’re carving out an exception” when it comes to Section 230. Senators in support of the EARN IT Act have pointed to specific protections that have been included in the bill that they say “explicitly state that a court should not consider offering encryption or privacy services as an independent basis for legal liability.”

However, privacy advocates argue that the bill also specifies that courts will have the ability to consider information about how platforms employ end-to-end encryption as evidence for cases under the EARN IT Act.

“This language… takes the form of a protection for encryption, but in practice it will do the opposite: Courts could consider the offering of end-to-end encrypted services as evidence to prove that a provider is complicit in child exploitation crimes,” according to a letter, penned by 64 privacy groups and tech companies this week, which called for opposition of the bill.

The first version of the act was first introduced in 2020. However, while the bill advanced unanimously through the Senate Judiciary Committee, it was ultimately not given a floor vote in 2020 and died. Now, the lawmakers behind the bill are reintroducing it amid recent concerns around children’s safety online, following a testimony in Congress by Facebook whistleblower Frances Haugen about how the social media platform is harming children. However, with the bill now being favorably referred for a floor vote, privacy advocates like Joe Mullin, policy analyst with the Electronic Frontier Foundation (EFF), remain concerned about its impact on internet end users.

“The EARN IT Act doesn’t target Big Tech,” Mullin said in a recent analysis. “It targets every individual internet user, treating us all as potential criminals who deserve to have every single message, photograph, and document scanned and checked against a government database. Since direct government surveillance would be blatantly unconstitutional and provoke public outrage, EARN IT uses tech companies—from the largest ones to the very smallest ones—as its tools.”