We summarize and analyze the proposed EARN IT Act. We urge Congress to reject the EARN IT Act due to privacy implications. We recommend that you petition Congress to find a better solution.
In our previous post on encrypted instant messaging, we alluded to the EARN IT Act, a bill under consideration in the US Congress that could potentially cripple vendors of not only encrypted instant messaging tools, but also a broad range of product categories that offer privacy through end-to-end encryption.
Background to the EARN IT Act
Legislation known as “Section 230” was passed in the 1990s to exempt internet companies from liability for what their users post or communicate on their platforms. So, for example, if a user posted a defamatory attack on someone on a community site such as Nextdoor.com, or a user posted hateful content on a social media site such as Facebook, or a user uploaded illegal content to a cloud storage site such as Dropbox, or a user sent a shady message on an instant messaging app, then, with some exceptions, under Section 230 the vendor could not be sued or prosecuted as the owner of the platform; only the person who posted or transmitted the content could be held liable. This is analogous to how two criminals plotting a murder on the phone could be prosecuted, but not the phone company they were using.
Section 230 enabled the growth of entire internet-based industries from online marketplace platforms, to social media sites, to email and messaging services, because the companies were protected from liability resulting from abuses that their users might commit.
Key provisions of EARN IT
On the surface, the EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020) is aimed at providing new tools to law enforcement to fight child sexual abuse. Producing or distributing content depicting child sexual abuse is already illegal, but the EARN IT Act would stipulate that internet companies must “earn” their non-liability for what their users post or transmit by abiding by “best practices” established by a commission. The commission could set standards to which internet companies must adhere or else lose their immunity from liability for user-submitted content.
Privacy worries: urge Congress to reject the EARN IT Act
While all would agree that aggressively pursuing criminals who distribute content that is sexually abusive to children is a noble goal, the specific bill has many flaws. In particular, grave concerns have been voiced not only by tech companies, but also by many privacy advocates (see, for example, EFF’s Congress Must Stop the Graham-Blumenthal Anti-Security Bill), regarding the adverse effect that commission members could have on individual privacy, free speech, and on the innovative technology industry (see also, for example, Wired’s The EARN IT Act Is a Sneak Attack on Encryption or CNET’s Why your privacy could be threatened by a bill to protect children).
The “best practices,” it is feared, could include scanning everyone’s online content and/or stipulating that internet companies that provide encryption for privacy deliver a “back door” key to law enforcement to decrypt what their users thought was private, encrypted content. Such stipulations by the commission, consisting of 19 unelected officials including the US attorney general, would create a dilemma (or shall we say “quadrilemma”) for technology providers that offer end-to-end encryption for privacy, forcing them to respond in one of four ways:
remove end-to-end encryption just when it is most needed for privacy and free speech,
keep encryption and assume liability for all content on their platform (not something any vendor would likely do as it could lead to its demise),
acquiesce to providing a back door key to law enforcement, risking that back door keys become discoverable by hackers or over-zealous governments, or
shut down its services.
On the last point, Signal, one of the leaders in end-to-end encrypted and private messaging, has already announced that they will withdraw from the US market if this bill passes in its current form (see Signal’s 230 or not 230: that is the EARN IT question). We have additional concerns: a) a back door key is likely to be obtained by hackers eventually, destroying security and privacy in confidential content; b) the structure of the EARN IT Act commission making the rules is a “slippery slope” to abusive monitoring of innocent citizens.
Almost all responsible parties would like to see stronger pursuit of criminals, and in particular those disseminating heinous content that sexually exploits children, but we conclude that the EARN IT Act is a fatally flawed method of achieving those goals. We urge Congress to
increase funding for and improve laws that pursue criminals who disseminate illegal content that exploits children, including higher incarceration levels;
pass laws that mandate standards that more reasonably balance law enforcement with privacy protection rather than allow an unelected commission with broad coercive powers to impose “best practices” by threatening disqualification from Section 230;
ensure that any such laws include high judicial standards for probable cause to obtain a warrant, as well as legislative oversight; and
not throw out the privacy and encryption baby with the criminal bathwater.
Urge your legislative representatives to reject the EARN IT Act in its current form, and adopt alternative legislation to pursue criminals that does not infringe upon everyone else’s privacy.