Don't be fooled, experts warn, America's anti-child-abuse EARN IT Act could burn encryption to the ground
Wait, a proposed law tackling the sexual abuse of kids and they name it... the EARN IT Act? Seriously?
On Thursday, a bipartisan group of US senators introduced legislation with the ostensible purpose of combating child sexual abuse material (CSAM) online – at the apparent cost of encryption.
The bill is called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, which folds up into the indignant acronym EARN IT. (See also the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, aka the USA PATRIOT Act.)
Backed by senators Lindsey Graham (R-SC), Richard Blumenthal (D-CT), Josh Hawley (R-MO) and Dianne Feinstein (D-CA), the proposed law intends to make technology companies "earn" their exemption from liability allowed under Section 230 of the US Communications Decency Act by requiring internet companies to follow a set of best practices to keep CSAM off their networks.
For the uninitiated, Section 230 gives internet platforms blanket legal protections: simply put, websites can't be held liable for any bad stuff shared by users, plus or minus some minor caveats. Critics say today's rules are too broad, and let technology giants off the hook too easily.
"Companies that fail to comport with basic standards that protect children from exploitation have betrayed the public trust granted them by this special exemption," said Blumenthal in a statement. "Online platforms’ near complete immunity from legal responsibility is a privilege – they have to earn it – and that’s what our bipartisan bill requires."
The best practices contemplated by the lawmakers have yet to be spelled out; they're to be determined by a 19-member government commission that includes 4 non-government experts or "survivors of online child sexual exploitation." Input from these four can be ignored, however, since the best practices require approval only of 14 commissioners. After that, the US Attorney General (AG), who is on the commission, can accept the guidelines, if the heads of the FTC and DHS agree, or send them back to be reformulated.
And therein lies the issue: based on the US government's ongoing efforts to demonize encryption for leaving law enforcement in the dark and AG William Barr's public opposition to encryption, technical experts expect the guidelines will force technology platforms to avoid encryption they can't undo on-demand in order to check for the presence of CSAM.
"Because the AG continually lambastes end-to-end encrypted messaging for cloaking pedophiles’ exchanges of CSAM and grooming of child victims, this is code for 'encryption is not a viable alternative best practice,'" explained Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, in a blog post. "This will be used to discourage any 'product design' that includes encryption that isn’t backdoored for law enforcement."
Matthew Green, associate professor of computer science at Johns Hopkins University, offered similar analysis in a blog post on Friday.
"The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they conduct 'best practices' for scanning their systems for CSAM," he wrote.
"Since there are no 'best practices' in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use."
In effect, the position advanced by the bill's authors is that because CSAM is bad, all internet content and communication must be subject to scrutiny upon demand. That's a viewpoint that doesn't leave much room for encryption.
"It’s extremely difficult to believe that this bill stems from an honest consideration of the rights of child victims, and that this legislation is anything other than a direct attack on the use of end-to-end encryption," Green concludes.
Other advocacy groups like the ACLU, the Center for Democracy and Technology, and Free Press, among others, have issued similar statements in opposition to the bill.
US Senator Ron Wyden (D-OR) on Thursday called the bill a disaster, suggesting it's a cynical attempt to use concern about children to gain control of online speech and harm internet security.
"This terrible legislation is a Trojan horse to give Attorney General Barr and Donald Trump the power to control online speech and require government access to every aspect of Americans' lives," Wyden said.
"It is a desperate attempt to distract from the Justice Department's failure to request the manpower, funding and resources to combat this scourge, despite clear direction from Congress more than a decade ago."
The EARN IT Act arrived as AG Barr announced that other members of the Five Eyes intelligence alliance – Australia, Canada, New Zealand, and the United Kingdom – have agreed to a set of principles to guide internet companies in their efforts to combat CSAM. Representatives for six online companies – Facebook, Google, Microsoft, Roblox, Snap and Twitter – were there to endorse the initiative.
Pfefferkorn argues that widespread agreement about the need to discourage CSAM shouldn't dissolve the right to privacy and security.
"[W]hile it’s certainly a necessary, urgent, and desirable goal to combat the scourge of online child exploitation, there are still limits on what tech companies should do," Pfefferkorn said. "Stepping up to fight CSAM should not mean wholesale converting their services into even more powerful surveillance tools for law enforcement than they already are." ®