Security news that informs and inspires

House Version of EARN IT Act Introduced

The EARN IT Act, which was introduced in the Senate in March and would have some negative effects on encrypted services, now has a companion in the House of Representatives that is nearly identical.

The House version of the bill was introduced Wednesday by Reps. Sylvia Garcia (D-Texas) and Ann Wagner (R-Mo.) and includes virtually all of the same language as the Senate bill. Both bills are intended to curb the spread of child exploitation material by placing some new responsibilities on platform providers to identify and report such material. Providers already have a legal obligation to report that kind of material on their platforms, but the EARN IT Act would establish a new commission to create a set of best practices that providers would be encouraged to follow or risk losing their immunity from prosecution under Section 230 of the Communications Decency Act.

The original version of the Senate bill made those best practices mandatory, but that, along with some other language, was changed by a couple of amendments over the summer. The bill now contains an explicit reference to encrypted services and devices, where the original version made no direct reference to encryption at all. An amendment added in July by Sen. Patrick Leahy says that platform providers could not be held liable for offering encrypted services or not having the ability to decrypt users’ communications.

The House bill has similar language, with one significant change that spells out that none of the following factors can be used as the sole basis for liability: “The provider utilizes full end-to-end encrypted messaging services, device encryption, or other encryption services. The provider does not possess the information necessary to decrypt a communication. The provider fails to take an action that would otherwise undermine the ability of the provider to offer full end-to-end encrypted messaging services, device encryption, or other encryption services.”

While the language in Leahy’s amendment provides some cover for platform providers that offer encrypted services, the House version does not.

“But even the limited protection offered by the Leahy amendment is undermined by the House version’s only substantive change: while offering encryption could not be an ‘independent basis for liability,’ it could be considered with other evidence. If this becomes law, this risk will discourage companies from offering encryption to protect user communications. That’s not surprising, because undermining encryption has always been a key purpose of this legislation,” said Berin Szóka, senior fellow at TechFreedom, a non-profit that focuses on technological progress.

In addition to the effect it would have on encrypted services, the EARN IT Act also would create room for state legislatures to write their own legislation to regulate certain aspects of online speech.

“The EARN IT Act would allow all 50 state legislatures, as well as U.S. territories and Washington D.C., to pass laws that would regulate the Internet. By breaking Section 230 of the Communications Decency Act, the EARN IT bill would allow small website owners to be sued or prosecuted under state laws, as long as the prosecution or lawsuit somehow related to crimes against children,” Joe Mullin, a policy analyst at the Electronic Frontier Foundation said.

“We know how websites will react to this. Once they face prosecution or lawsuits based on other peoples’ speech, they’ll monitor their users, and censor or shut down discussion forums.”

The Senate version of the bill was passed out of the Judiciary Committee in July.