A cabal of unsavory U.S. senators has introduced a long-anticipated measure that would pressure tech companies to weaken protections for communications privacy in the guise of a measure aimed at child porn.
While the bipartisan bill, S.3398, never mentions the word "encryption," it makes online companies liable for information exchanged by their users unless they adopt practices approved by the government. Smart observers assume that means leaving people's messages open to snoopy officials.
"The Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act would create incentives for companies to 'earn' liability protection for violations of laws related to online child sexual abuse material," asserts a March 5 press release from the Senate Judiciary Committee. The release lists Senators Lindsey Graham (R-South Carolina), Richard Blumenthal (D-Connecticut), Josh Hawley (R-Missouri), and Dianne Feinstein (D-California) as leads on the bill, with an additional three Democrats and two Republicans as co-sponsors.
Civil liberties advocates of all stripes pushed back immediately.
"The measure … would lead to a 'backdoor' in encrypted services, thereby jeopardizing the security of every individual," the American Civil Liberties Union and Americans for Prosperity riposted in a joint response. "Technology experts and civil society organizations have repeatedly warned that backdoors could be exploited by bad actors and that no backdoor could guarantee only law-abiding officials have access."
While the official text of S.3398 is not yet available, draft copies have circulated for weeks, giving lawyers and tech experts plenty of time to examine its implications. In particular, they've scrutinized how the bill reserves Section 230 protections against liability for the speech of third parties only for a company that has "implemented, and is in compliance with, the child exploitation prevention best practices published by the Attorney General," in the language of the draft bill.
"This bill is trying to convert your anger at Big Tech into law enforcement's long-desired dream of banning strong encryption," warns Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford Law School. "The AG could single-handedly rewrite the 'best practices' to state that any provider that offers end-to-end encryption is categorically excluded from taking advantage of this safe-harbor option. Or he could simply refuse to certify a set of best practices that aren't sufficiently condemnatory of encryption. If the AG doesn't finalize a set of best practices, then this entire safe-harbor option just vanishes."
That's an extrapolation, of course, since the bill doesn't use the word "encryption" at all. Sen. Blumenthal even flat-out insists, "this is not an encryption bill." But the senators' announcement of the EARN IT Act leans heavily on forcing tech companies to adopt "best practices related to identifying and reporting online child sexual exploitation" or else face "civil recourse if companies choose not to comply with best practices or establish reasonable practices." It's difficult to see how companies are going to detect the exchange of forbidden material if they offer their users end-to-end encryption. They'll have to weaken or abandon such offerings to escape liability for users' communications, but without ever explicitly being told to do so.
But weakening encryption with backdoors, or abandoning it entirely, would also do away with the benefits it offers to people seeking to protect themselves from state surveillance, hackers, identity thieves, and nosy busybodies.
"The bill would fall far short of the goal of protecting children, while at the same time making all Americans less safe and less secure by potentially exposing everyone in society to substantially higher risk from malicious cyber actors, including hostile nation-states," cautions the Media Alliance, a coalition of 25 organizations.
That's an excellent point. People use encryption to protect sensitive information from prying eyes. Such information might involve child pornography, but it's far more likely to consist of financial data, personal communications, timely journalism kept from investigative targets, and political messages likely to draw the ire of government officials. The reasons for using encryption are as real and varied as the reasons for keeping your cash in a safe and your front door locked.
Critics also fret that EARN IT would draft private companies into the senators' potentially unconstitutional and ill-defined crusade against … well, ostensibly against "child sexual exploitation," but really against privacy.
"The proposed bill may not comport with the First Amendment, as numerous categories listed as matters to be addressed in the best practices are written in an overly broad fashion, without clear definitions," the Media Alliance adds. The organization also worries that if tech firms abide by the pressure to search users' communications for forbidden material, "a court could find that such private companies were acting as 'agents of the government.'"
But vagueness and the conscription of private parties to enforce politicians' whims should come as no particular surprise when we're discussing an anti-encryption law that masquerades as a strike against kiddie porn. Nothing is as it seems to be in this bill, which prescribes penalties for violators, with the means of avoiding them to be sketched in at some later date.
"Under EARN IT, the Commission would effectively have the power to change and broaden the law however it saw fit, as long as it could claim that its recommendations somehow aided in the prevention of child exploitation," notes the Electronic Frontier Foundation's Elliot Harmon.
But no matter what details are filled in later, the alleged targets of the bill—child pornographers—are likely to remain largely immune to its mandates. Already engaged in criminal activity, and warned by the passage of the law, they're bound to turn to legal or illegal stand-alone encryption products and the dark web to keep their secrets.
"Short of a form of government intervention in technology that appears contemplated by no one outside of the most despotic regimes, communication channels resistant to surveillance will always exist," acknowledged a 2016 report from the Berkman Center for Internet and Society at Harvard University.
Lawmakers may despise encryption for the barrier it poses to government surveillance, but their nosy presumption doesn't actually keep kids safe, nor reduce Americans' very real need for privacy. In fact, government officials' overt hostility to public use of end-to-end encryption is all the more reason to keep such privacy protection handy—whether or not snoopy senators think we've earned it.