Since the EARN IT Act was introduced in early March 2020, it has met with strong opposition from privacy groups and academia. The Act has been called “a disaster for Internet users’ free speech and security.”
Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society, wrote a detailed analysis of the EARN IT Act, where she explained that the bill is an underhanded manipulation whose goal is to ban end-to-end encryption, without banning it.
Organizations like the Electronic Frontier Foundation (EFF), the Center for Democracy and Technology (CDT), and a coalition of citizens’ groups have argued numerous times that the EARN IT Act could be used to drastically undermine encryption and security without fighting against child sexual abuse material (CSAM). In addition, they have documented how the bill violates the Constitution’s First and Fourth Amendment protections for free speech and privacy.
The Act is now in the House of Representatives
The day before the Act was discussed in the Senate Judiciary Committee, the bill’s sponsors provided an amended version. Following the approval by the Committee, the bill has now been introduced in the House of Representatives.
The amended version introduces two significant changes to the original version:
- The power to provide “best practices” and regulate the internet, originally given to a non-elected federal committee, is now passed to state legislatures.
- Internet websites and platforms are no longer required to “earn” their Section 230 immunity. Rather, state lawmakers are now to create local laws intended to stop CSAM and allow prosecutions against internet platforms if a user promotes CSAM.
A threat to freedom of speech
Section 230 ensures that internet websites and platforms are held liable only for the content they create, not for the content edited or uploaded by their users. If a state prosecutor wants to bring a case for something said or done online, they cannot go after the platform that hosted the illegal content. Instead, they need to find the actual owner of the content. It is Section 230 that allowed the internet to flourish as we know it. If the EARN IT Act gets approved, this protection will fade away.
The Act will have a serious impact on the freedom of speech. With the EARN IT Act enacted, websites, forums and messaging platforms will have to take measures to protect themselves against costly prosecutions and reputational damage. It will only take a single private lawyer to accuse the platform of promoting CSAM content for a state prosecutor to “hunt” the platform. As a result, these platforms will close their forums and comments sections, silencing people’s voices.
The Act threatens encryption
The threat the Act presents to freedom of speech is closely related to the threat to encryption. It is true that the amendment to the bill is an improvement on the previous version. The amendment states that a provider will not be held liable under state and federal law because it:
- “utilizes full end-to-end encrypted messaging services, device encryption, or other encryption services”
- “does not possess the information necessary to decrypt a communication”
- “fails to take an action that would otherwise undermine the ability of the provider to offer full end-to-end encrypted messaging services, device encryption, or other encryption services.”
Despite this improvement in the wording, encryption still remains under threat in the EARN IT Act. To identify and take down CSAM content on internet platforms, the Act requires either a person to report such content, or the provider to be able to view each piece of content being published or sent through their service. This expanded liability for CSAM will essentially deter a provider from offering strong end-to-end encryption (e2ee) because they could be held responsible for content they cannot control.
While big tech companies will be able to cope with the cost of lengthy lawsuits and possible reputational damage for the sake of their users’ security and privacy, smaller providers might easily elect to abandon e2ee, weakening security across the internet. In other words, the EARN IT Act is a disincentive for building strong e2ee systems, leaving technology – and users – vulnerable to increased cyber threats.
Another threat is that internet providers could be held liable for failing to implement technologies to view and take down CSAM content on the user’s device. It is easy to understand that these “scanning” technologies will undermine the confidentiality offered by e2ee systems.
Such a technology is known as client-side scanning, where the system scans the user’s images and videos before they are sent as messages and takes a “fingerprint” (also called a hash) of them. These hashes are then compared against a database of known CSAM. If the hash matches an entry in the CSAM database, the message is not sent, and it could also be reported to an appropriate authority.
As Riana Pfefferkorn argued in another article, it is impossible to guarantee that a scanning system will only be used to detect CSAM and that its use will not be expanded to detect terrorist or other extremist content. Additionally, client-side scanning violates the fundamental principle of end-to-end encryption: only the people involved in the conversation can access the content of the message.
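The sketch below is an added example, not code from any provider or from the original article. It models the client-side scanning flow described above and shows why the scope of such a scanner is set by its database rather than by its code. SHA-256 stands in for the fingerprint function, and `placeholder_encrypt`, the class name and the sample messages are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(data: bytes) -> str:
    # Assumption: SHA-256 stands in for whatever fingerprint a real scanner uses.
    return hashlib.sha256(data).hexdigest()

@dataclass
class ClientSideScanner:
    # The client only holds opaque digests; it cannot tell what they represent.
    blocklist: set = field(default_factory=set)
    reports: list = field(default_factory=list)

    def update_blocklist(self, digests):
        # Operator-pushed update: the client code is unchanged, only the data grows.
        self.blocklist |= set(digests)

    def send(self, plaintext: bytes, encrypt):
        # The scan runs on the plaintext, before the end-to-end encryption step.
        digest = fingerprint(plaintext)
        if digest in self.blocklist:
            self.reports.append(digest)  # record that could be sent to an authority
            return None                  # the message is not sent
        return encrypt(plaintext)

def placeholder_encrypt(plaintext: bytes) -> bytes:
    # Hypothetical stand-in for the messenger's real E2EE layer (not real encryption).
    return b"E2EE(" + fingerprint(plaintext)[:8].encode() + b")"

def demo():
    # Constructed sample inputs.
    listed = b"constructed sample: file already in the database"
    leaflet = b"constructed sample: protest leaflet"
    holiday = b"constructed sample: holiday photo"
    samples = (listed, leaflet, holiday)

    scanner = ClientSideScanner({fingerprint(listed)})
    before = [scanner.send(m, placeholder_encrypt) is not None for m in samples]

    # The same scanner now blocks a different category of content,
    # and the user has no way to see that from the digests alone.
    scanner.update_blocklist([fingerprint(leaflet)])
    after = [scanner.send(m, placeholder_encrypt) is not None for m in samples]
    return before, after, len(scanner.reports)
```

Calling `demo()` returns which of the three messages were delivered before and after the database update, plus the number of reports generated.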
What will the future bring?
Some may think that with the Biden-Harris Administration, these threats to encryption and freedom of speech will diminish. Unfortunately, the future might not be so bright. The report of the bipartisan US Cyberspace Solarium Commission, published on November 3, 2020, does little to alleviate our worries.
As Justin Sherman wrote for Wired, “the report takes no real stance on the importance of end-to-end encryption.” “There is broad consensus across industry and the government on the importance of strong encryption,” reads the report initially. However, further down it says that “this form of encryption is a double-edged sword,” and it goes on to talk about a “quest for solutions” informed by “core values.”
Robust encryption is essential for protecting almost everything in today’s hyperconnected world. The encryption the EARN IT Act is trying to undermine is the same encryption that protects government agencies, critical infrastructure and industrial control systems. Weakening the level of protection offered by encryption not only endangers people’s security and privacy; it is a threat to national security. “The commission’s unwillingness to advocate for encryption, which gives defenders such scalable leverage over attackers, doesn’t comport with the aim of bolstering US cybersecurity,” concludes Justin Sherman.
Let us hope we will be proved wrong.
The EARN IT Act continues to be a significant threat to free expression and encryption, and it violates the protections offered by the Fourth Amendment. If Congress wishes to protect children online, there are other ways to do just that, such as the Invest in Child Safety Act.
At AppViewX we are firm believers in the need for end-to-end encryption. Instead of using the sentiment against CSAM to break encryption, state lawmakers and federal agencies should invest more time – and resources – to develop usable privacy-enhancing technologies, such as Fully Homomorphic Encryption, which allows for operations on encrypted data without jeopardizing security and privacy.