While we’re all distracted by stockpiling latex gloves and toilet paper, there’s a bill tiptoeing through the US Congress that could inflict the backdoor virus that law enforcement agencies have been trying to inflict on encryption for years.
At least, that’s the interpretation of digital rights advocates who say that the proposed EARN IT Act could harm free speech and data security.
Sophos is in that camp. For years, Naked Security and Sophos have said #nobackdoors, agreeing with the Information Technology Industry Council that “Weakening security with the aim of advancing security simply does not make sense.”
The first public hearing on the proposed legislation took place on Wednesday. You can view the 2+ hours of testimony here.
Called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act), the bill would require tech companies to meet safety requirements for children online before obtaining immunity from lawsuits. You can read the discussion draft here.
To kill that immunity, the bill would undercut Section 230 of the Communications Decency Act (CDA) from certain apps and companies so that they could be held responsible for user-uploaded content. Section 230, considered the most important law protecting free speech online, states that websites aren’t liable for user-submitted content.
Here’s how the Electronic Frontier Foundation (EFF) frames the importance of Section 230:
Section 230 enforces the common-sense principle that if you say something illegal online, you should be the one held responsible, not the website or platform where you said it (with some important exceptions).
EARN IT is a bipartisan effort, having been introduced by Republican Lindsey Graham, Democrat Richard Blumenthal and other legislators who’ve used the specter of online child exploitation to argue for the weakening of encryption. This comes as no surprise: in December 2019, while grilling Facebook and Apple, Graham and other senators threatened to regulate encryption unless the companies give law enforcement access to encrypted user data, pointing to child abuse as one reason.
What Graham threatened at the time:
You’re going to find a way to do this or we’re going to go do it for you. We’re not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion.
One of the problems of the EARN IT bill: the proposed legislation “offers no meaningful solutions” to the problem of child exploitation, as the EFF says:
It doesn’t help organizations that support victims. It doesn’t equip law enforcement agencies with resources to investigate claims of child exploitation or training in how to use online platforms to catch perpetrators. Rather, the bill’s authors have shrewdly used defending children as the pretense for an attack on our free speech and security online.
If passed, the legislation will create a “National Commission on Online Child Sexual Exploitation Prevention” tasked with developing “best practices” for owners of Internet platforms to “prevent, reduce, and respond” to child exploitation online. But, as the EFF maintains, “Best practices” would essentially translate into legal requirements:
If a platform failed to adhere to them, it would lose essential legal protections for free speech.
The “best practices” approach came after pushback over the bill’s predicted effects on privacy and free speech – pushback that caused its authors to roll out the new structure. The best practices would be subject to approval or veto by the Attorney General (currently William Barr, who’s issued a public call for backdoors), the Secretary of Homeland Security (ditto), and the Chair of the Federal Trade Commission (FTC).
How would the bill end end-to-end encryption?
The bill doesn’t explicitly mention encryption. It doesn’t have to: policy experts say that the guidelines set up by the proposed legislation would require companies to provide “lawful access”: a phrase that could well encompass backdoors.
CNET talked to Lindsey Barrett, a staff attorney at Georgetown Law’s Institute for Public Representation Communications and Technology Clinic who said that the way that the bill is structured is a clear indication that it’s meant to target encryption:
When you’re talking about a bill that is structured for the attorney general to give his opinion and have decisive influence over what the best practices are, it does not take a rocket scientist to concur that this is designed to target encryption.
If the bill passes, the choice for tech companies comes down to either weakening their own encryption and endangering the privacy and security of all their users, or foregoing Section 230 protections and potentially facing liability in a wave of lawsuits.
Kate Ruane, a senior legislative counsel for the American Civil Liberties Union, had this to say to CNET:
The removal of Section 230 liability essentially makes the ‘best practices’ a requirement. The cost of doing business without those immunities is too high.
Tellingly, one of the bill’s lead sponsors, Sen. Richard Blumenthal, told the Washington Post that he’s unwilling to include a measure that would stipulate that encryption is off-limits in the proposed commission’s guidelines. This is what he told the newspaper:
I doubt I am the best qualified person to decide what best practices should be. Better-qualified people to make these decisions will be represented on the commission. So, to ban or require one best practice or another [beforehand] I just think leads us down a very perilous road.
The latest in an ongoing string of assaults on Section 230
The EARN IT Act joins an ongoing string of legal assaults against the CDA’s Section 230. Most recently, in January 2019, the US Supreme Court refused to consider a case against defamatory reviews on Yelp.
We’ve also seen actions taken against Section 230-protected sites such as those dedicated to revenge porn, for one.
In March 2018, we also saw the passage of H.R. 1865, the Fight Online Sex Trafficking Act (FOSTA) bill, which makes online prostitution ads a federal crime and which amended Section 230.
In response to the overwhelming vote to pass the bill – it sailed through on a 97-2 vote, over the protests of free-speech advocates, constitutional law experts and sex trafficking victims – Craigslist shut down its personals section.
But would it stop online child abuse?
Besides the proposed bill containing no tools to actually stop online child abuse, it would actually make it much harder to prosecute pedophiles, according to an analysis from The Center for Internet and Society at Stanford Law School. As explained by Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity, as it now stands, online providers proactively, and voluntarily, scan for child abuse images by comparing their hash values to known abusive content.
Apple does it with iCloud content, Facebook has used hashing to stop millions of nude children’s images, and Google released a free artificial intelligence tool to help stamp out abusive material, among other voluntary efforts by major online platforms.
The key word is “voluntarily,” Pfefferkorn says. Those platforms are all private companies, as opposed to government agencies, which are required by Fourth Amendment protections against unreasonable search to get warrants before they search our digital content, including our email, chat discussions, and cloud storage.
The reason that private companies like Facebook can, and do, do exactly that is that they are not the government, they’re private actors, so the Fourth Amendment doesn’t apply to them.
Turning the private companies that provide those communications into “agents of the state” would, ironically, result in courts’ suppression of evidence of the child sexual exploitation crimes targeted by the bill, she said.
That means the EARN IT Act would backfire for its core purpose, while violating the constitutional rights of online service providers and users alike.
Besides the EFF, the EARN IT bill is facing opposition from civil rights groups that include the American Civil Liberties Union and Americans for Prosperity, Access Now, Mozilla, the Center for Democracy & Technology, Fight for the Future, the Wikimedia Foundation, the Surveillance Technology Oversight Project, the Consumer Technology Association, the Internet Association, and the Computer & Communications Industry Association.
Earlier this month, Sen. Ron Wyden, who introduced the CDA’s Section 230, said in a statement that the “disastrous” legislation is a “Trojan horse” that will give President Trump and Attorney General Barr “the power to control online speech and require government access to every aspect of Americans’ lives.”
Read my full statement on the disastrous EARN IT Act, which will give Bill Barr and Donald Trump more control over the internet: pic.twitter.com/LF9WF2F5dV
— Ron Wyden (@RonWyden) March 5, 2020
Wyden’s statement didn’t specifically mention encryption, but his office told Ars Technica that when “[the senator] discusses weakening security and requiring government access to every aspect of Americans’ lives, that is referring to encryption.”
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Mark
The bill isn’t about protecting children. It’s about mass surveillance. Since the American people found out the government is spying on everything we do, more and more people use encryption. This bill is to keep us from going dark. It will be pointless because there will be workarounds developed. One way would be to encrypt your message in an app then copy that message into your messenger app and send the message already encrypted. The receiver would copy the message into the same encryption app and decrypt it. Not elegant but workable. Apps could be developed that don’t directly send messages just encrypt them before hand to be sent by the online message service.
John
I wonder if in this bill it would include something that would prevent encryption so that if you were ever caught encrypting, they could force you to decrypt it through coersion.
Paul Ducklin
I imagine that would conflict with an even bigger raft of existing legislation and regulation about data protection that demands that you embrace encyption when you can, etc.
Interesting times.
kevin king
Exactly people will simply generate their own public/private key pairs and share them with friends and colleagues. And it will be mostly the crooks and the people who have something to hide doing this….
John
Correct if me I’m wrong but this is a US law, so this is hardly going to “End Encryption”.
Perhaps for American’s and those who communicate with the, but them rest of the world would remain largely protected.
I’m also curious, how does the bill affect companies who may operate in the US, but have their HQ/Head Office located outside of the country. Would they have to weaken it just for the US as they operate there, or would the company not be effected by the bill?
Mark Stockley
The bill doesn’t mention encryption explicitly, so that bridge hasn’t been crossed yet. The bill intends to make section 230 protections contingent on compliance with “best practices” that will be approved or vetoed by people with a track record of looking for encryption backdoors.
I assume that any company operating in the US has to abide by US law.
Paul Ducklin
Mark is being a bit modest here – he took on this topic in some depth in S2 Ep31 of the Naked Security pocast. It’s well worth a listen. You’ll find it here (the EARN IT bit starts at 30’55”):
https://nakedsecurity.sophos.com/2020/03/20/s2-ep31-remote-working-malwareless-ransomware-and-earn-it-naked-security-podcast/
Kenny
Hello Big Brother. I knew we’d meet you some day.
Don’t give up America. Our Liberty’s and Freedom ARE worth Dying for.
Bailey Crews
I disagree with it entirely. It sickens me that they would be such snakes in the grass and use children as an excuse. This bill will only destroy social privacy amongst many on Facebook’s messenger, and anything other private messaging media.
Anonymous
you think you have social privacy on facebook?
Andrew
This act needs to be killed. With every removal of self governance by the people of this country we move closer to a police state that does not show the respect for the individuals that make up this country. These invasions into a freedoms both physical, and electronic will not protect the exploited anymore than campaigns against drugs or prostitution have. You are lowering society to their level buy selling a control you want for some Nobel Cause but those same people you seek to control will exploit your controls or find another way around them like they always have. You insult the intelligence of common people by continuing to erode their responsibility to do good deeds. You build a system to handle every problem and no one will pay attention anymore. You want to stop child exploitation? Let the police officers to do their job and quit thinking that another window to watch everyone and everything with will somehow do the work for you. Lastly, people mostly get exploited when they are extremely poor and have no family. Maybe you should start there!