A bipartisan group of senators has introduced a bill they claim is intended to crack down on the proliferation of child exploitation online. In reality, the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act) is an attempt to destroy end-to-end encryption and force companies to create backdoors that allow law enforcement officials to access private and personal communications under much looser standards than currently exist.
The United States government has been transparent in its pursuit of this goal during both the Obama and Trump Administrations. For years, the DOJ has argued that technology companies could create private backdoors for US law enforcement without making their products fundamentally insecure in the process. This is factually false — a product with a backdoor is definitionally less secure than one without one, and there is no way to ensure with 100 percent certainty that the details of the backdoor will never leak online. Having completely failed to convince the security industry that it should become less secure, the US government has adopted a new tactic: Tie the anti-encryption push to efforts to end the distribution of child pornography.
How EARN IT Works
Currently, companies like Facebook, Google, YouTube, and Twitter enjoy what is known as Section 230 protection. Section 230 of the Communications Decency Act states that companies are not legally responsible for the stated opinions of their users. If they were, it’s difficult to see how the modern internet could exist. Everything from YouTube videos to Tweets would have to be pre-screened by the services themselves. The sheer amount of content being created every second by billions of users worldwide makes this functionally impossible. The EFF calls Section 230 “The most important law protecting internet speech.” The reason Section 230 is a problem for law enforcement is that the DOJ can’t bring legal pressure to bear on companies that refuse to cooperate.
EARN IT is designed to strip Section 230 protection from companies that currently enjoy it. The law creates a 16-person committee that would be responsible for drafting a list of best practices for stopping the distribution of child pornography. Companies that refused to follow this list of recommendations would be stripped of their Section 230 protections and subject to unlimited liability for any lawsuits related to the distribution.
We’ve already seen evidence of how this can play out at smaller scale. After FOSTA-SESTA removed Section 230 protection for any website found to be aiding/abetting sex trafficking, a number of websites shut down their Personals sections rather than risk being prosecuted. Whether you think FOSTA-SESTA was itself a good law or not, it set a clear precedent: Companies buckled under and removed potentially offending content rather than risk losing Section 230 protection.
If 11 or more members of this new committee declare that the best practices to fight child porn preclude the use of end-to-end encryption, companies could be forced to choose between securing user data and exposing themselves to unlimited liability in child abuse cases. This allows Section 230 to be effectively repealed without ever actually repealing it.
Who Sits on the Committee?
The 16-person committee is officially known as the National Commission on Online Child Sexual Exploitation Prevention and would, according to Eric Goldberg, consist of:
The US Attorney General or his designee, who will chair the committee.
The Homeland Security Secretary (or designee)
FTC Chair (or designee)
2 law enforcement members
2 representatives from NGOs dedicated to victims of online child sexual exploitation.
2 representatives of large internet services with experience in child safety (30M+ users)
2 representatives of small internet services with experience in child safety (<10M users)
1 representative with “experience in consumer protection matters related to privacy and data security representing civil society or public interest organizations.”
Out of 16 positions, two are explicitly reserved for technologists and one for privacy. The four industry positions are explicitly reserved for those workers at online companies that work closely with law enforcement. Nine positions are reserved for the government, or for organizations that work closely with government law enforcement. There’s nothing intrinsically wrong with working for/with government efforts to crack down on child pornography, but the viewpoints represented on this committee are overwhelmingly tilted to favor voices most likely to call for restricting end-to-end encryption. 11 votes would be required to change the rules, ensuring that the privacy advocate and technologists can be permanently silenced.
But You Don’t Have to Take My Word for It
Matthew Green, cryptographer and professor at Johns Hopkins: “It’s extremely difficult to believe that this bill stems from an honest consideration of the rights of child victims, and that this legislation is anything other than a direct attack on the use of end-to-end encryption.”
Virtually all Internet services consider CSAM [Child Sexual Abuse Material] the most pernicious type of user-supplied content and already apply zero-tolerance policies. It’s laughable to imply that Internet services are blase about CSAM on their networks. Of course Internet services could do more to suppress awful content generally, but those steps aren’t specific to CSAM and are likely to affect wide swathes of legitimate UGC [User Generated Content].
In sum, in light of the anti-CSAM efforts already being deployed, exactly what new anti-CSAM steps will be motivated by the removal of Section 230 immunity? The EARN IT Act appears to be motivated more by other considerations, not actually helping combat CSAM or protecting CSAM victims.
Joe Mullin, EFF: “You shouldn’t need to get a pass from a commission of law enforcement agencies just to set up a website. That’s the type of system we might hear about under an authoritarian regime. Yet, in the name of protecting children, U.S. lawmakers might be about to set up such a system here. That’s what the EARN IT bill comes dangerously close to prescribing.”