Well Intentioned EARN IT Act Has Serious Implications for End-to-End Encryption and Free Speech
The EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act introduced by Senator Lindsey Graham (R-South Carolina) and Senator Richard Blumenthal (D-Connecticut) is legislation aimed at protecting children from online predators. This bill has a very good premise but a very bad approach. The proposed legislation in its current form threatens end-to-end encryption and freedom of speech.
Introduced in March, the original version of the bill proposed that if online platforms wanted to retain their Section 230 immunity (part of the Federal Communications Act that protects internet companies from liability for user content posted on their platforms), they would need to “earn it” by following the requirements of an unelected government commission.
Recent amendments to the bill make this commission’s best practices requirements voluntary, instead allowing states to bring criminal or civil charges against companies that violate them. The new version of the bill gives each state discretion to enforce their own child exploitation laws, a measure that introduces inconsistency and opens the door for states to create laws that could potentially undermine data protections like end-to-end encryption.
The amended legislation is drawing a flurry of criticism from civil liberties advocates, opposing lawmakers and security experts who believe it will undermine privacy, promote censorship and jeopardize the right to free speech.
The American Civil Liberties Union (ACLU) called the EARN IT Act “a disaster for online speech and privacy” and noted that this bill “will strike at the heart of encrypted communications and undermine free expression on the internet.”
Senator Ron Wyden (D-Oregon), criticizing the amended version of the EARN IT Act, said that “by allowing any individual state to set laws for internet content, this bill will create massive uncertainty, both for strong encryption and free speech online.”
Joe Mullin, policy analyst for the Electronic Frontier Foundation (EFF) also finds the amended version of the legislation problematic, saying: “…the bill still encourages state lawmakers to look for loopholes to undermine end-to-end encryption, such as demanding that messages be scanned on a local device, before they get encrypted and sent along to their recipient.”
Security experts are particularly concerned about the amended version’s requirement for some form of “client-side scanning,” which requires device makers and internet platforms to scan all data before and after encryption. Under the current version of the legislation, encrypted messaging service providers like NetSfere would be required to monitor messages for abusive material. Such monitoring essentially opens a back door to encryption that compromises security and confidentiality.
The amended version of the EARN IT Act strikes another blow to encryption in that technology platforms will be disincentivized from encrypting messages they can’t moderate because of the risk of being sued by every state attorney general.
While the EARN IT Act is well intentioned, the bill’s serious privacy, security and freedom of speech implications would put American companies at a disadvantage, potentially forcing them to move offshore and go to a geographic location that does not have such draconian requirements.
Rather than developing legislation that strikes a blow to encryption and freedom of speech, lawmakers should look at holding companies like Facebook responsible for the information they disseminate. The lack of legal responsibility on the part of these platforms, demotivates them from investing in technology such as an AI algorithm that flags illicit activity that could be used to monitor nefarious activities without the need for a backdoor.
Security measures such as the end-to-end encryption NetSfere’s enterprise mobile messaging platform provides are now more important than ever as the COVID-19 pandemic increases reliance on digital platforms in every area of life from living to working to socializing. This accelerated digital transformation is widening the threat landscape and exposing networks, devices and data to increasing cyber security risk.
End-to-end encryption is critical to thwarting cybercriminals who are always looking for opportunities to deploy malware attacks on enterprises and who are escalating activities during the pandemic for commercial gain.
As these cyber threats continue to ramp up, the amended version of the EARN IT Act was unanimously approved by the Senate Judiciary Committee in July, paving the way for the bill to head for debate on the Senate floor.
The EEF and other organizations oppose passage of the bill with EEF policy analyst Joe Mullin saying: “offering users real privacy, in the form of end-to-end encrypted messaging, and robust platforms for free speech shouldn’t produce lawsuits and prosecutions. The new EARN IT bill will do just that and should be opposed.”
Combatting child sexual abuse material on online platforms is a serious problem that needs to be addressed, but Congress should go back to the drawing board on the EARN IT Act and develop measures that achieve this without limiting free speech or compromising security.