Sens. Richard Blumenthal (D-Conn.) and Lindsey Graham (R-S.C.) have reintroduced legislation that targets the removal of liability protections for online platforms that have child sexual abuse content. This is rekindling debate around end-to-end encryption (E2EE) since the law could discourage its use due to liability issues.
The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act) was first introduced in 2020, and passed the Senate Judiciary Committee unanimously, with the goal of removing “blanket immunity” that online platforms enjoy for child sexual abuse material (CSAM), as stated by the bill’s authors.
The EARN IT Act of 2022 proposes to remove Section 230 protections – which provides immunity for third-party content – if an online service can’t prove it’s doing enough to limit child exploitation materials. In effect, the new version of the EARN IT Act says a platform’s use of encryption can be used as evidence against it in court.
It would be the first Section 230 amendment since the passage of FOSTA-SESTA in 2018 and, critics fear, may open the floodgates for lawsuits.
End-to-end encryption and EARN IT
Major Internet and social media companies have embraced end-to-end encryption — which encrypts data between a sender and receiver to prevent third-party access — in response to privacy concerns. With the introduction of the EARN IT Act, E2EE has become a hot-button topic since it goes to the heart of age old debates about privacy vs public good.
Privacy advocates support E2EE because, they argue, it ensures online users are free from the threat of unauthorized surveillance from service providers, government agencies, cybercriminals and any other threat actors. Law enforcement agencies, on the other hand, have come out against broad use of E2EE, claiming that it could serve to protect cybercriminals.
A number of voices opposing the reintroduction of the EARN IT legislation cite the damage it can do to the use of encryption and, specifically, E2EE.
“You can’t have a secure internet where all its content is also screened, because you can’t have end-to-end encryption alongside mass scanning requirements. This isn’t just an attack on encryption—it’s an attack on the fundamental security of the internet. As experts have said before, this sort of scanning is in direct conflict with privacy and security.”
There is a chorus of other voices, on both sides of the political spectrum, opposing the EARN IT Act because of the perceived hypocrisy.
“Members of Congress (including EARN IT’s main sponsors) have this unfortunate tendency to bemoan that tech companies aren’t doing enough to protect users’ privacy, then get mad at them for using strong encryption to do just that,” opines the The Center for Internet and Society (CIS) at Stanford Law School.
CIS goes on to say that while protecting children online is a “laudable…goal,” EARN IT “discourages providers from offering encryption by exposing them to liability for doing so.”
Pushing back on liability concerns, Blumenthal said in a recent interview that lawmakers incorporated these concerns into revisions “which prevent the implementation of encryption from being the sole evidence of a company’s liability for child porn,” according to a report in the Washington Post.
Encryption is critical to privacy
Encryption—in general—is critical to protecting the privacy of both individuals and organizations. Any campaign that portrays encryption in a bad light endangers the privacy protections that we all rely on. So, while there may be merit in exposing encrypted communications to certain privileged organizations—such as law enforcement—we should be extremely careful how we portray the value of encryption to those who will benefit most from its protections.