A proposed piece of legislation called the EARN IT Act is currently making its way through the Senate, and despite its innocuous name, the bill has drawn criticism from a variety of activist groups who warn that it could have dire consequences for the future of the internet.
To help understand what the act says and how it would affect the web if passed, here’s a quick rundown of the most important parts.
The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020 (shortened to EARN IT) is a bill sponsored by Sen. Lindsey Graham (R-South Carolina) and Sen. Richard Blumenthal (D-Connecticut) designed to fight child sexual exploitation online.
The bill’s first step is to establish a National Commission on Online Child Sexual Exploitation Prevention. The commission would consist of three agency heads — the attorney general, secretary of Homeland Security, and chairman of the Federal Trade Commission — along with 16 other members chosen by the leaders of the Senate and the House of Representatives.
The commission’s role is to come up with “best practices” that internet companies should follow in regard to child sexual abuse material online. These best practices could be broad, and that’s a problem for free speech and cybersecurity activists, who worry the commission will use its broad scope to target encryption, given that Attorney General William Barr has argued in favor of government backdoors into encrypted files. Graham has criticized encryption as well.
Originally, the bill required internet companies to follow the commission’s best practices in order to “earn” the protections granted by Section 230 of the Federal Communications Act. Section 230 is a crucial law in the development of the internet as we know it, shielding internet companies from liability for content users post on their platforms.
The recently amended bill removes the “earn it” idea entirely, however. The commission’s best practices would now be voluntary, but states would be able to bring criminal or civil charges against companies that violate them.
Despite the bill’s stated intent to crack down on child sexual abuse material, activist groups including Human Rights Watch have spoken out against the EARN IT Act. What exactly is the problem?
Critics of the bill focus on a couple of issues: that the bill curbs free speech by threatening platforms’ protection under Section 230, that it won’t actually do much to protect children, and that the bill is a stealth attempt at ending end-to-end encryption.
Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, writes that the EARN IT Act is a “bait and switch” that uses widespread resentment about Section 230 to stage an attack on encryption. Pfefferkorn argues that “encryption, particularly end-to-end encryption, is likely to be targeted as being contrary to ‘best practices’ for preventing [child sexual abuse material], because if a provider cannot ‘see’ the contents of files on its service due to encryption, it is harder to detect [child sexual abuse material] files.”
Sen. Patrick Leahy (D-Vermont) introduced an amendment to the bill specifically to protect encryption, but according to critics, it doesn’t go far enough. Pfefferkorn says that Leahy’s amendment “essentially gives providers a defense against liability, which is less strong than the a priori immunity from liability in the first place that Section 230 currently provides.”
In a statement for the Electronic Frontier Foundation (EFF), Joe Mullin said: “Sen. Leahy’s amendment prohibits holding companies liable because they use end-to-end encryption, device encryption, or other encryption services. But the bill still encourages state lawmakers to look for loopholes to undermine end-to-end encryption, such as demanding that messages be scanned on a local device, before they get encrypted and sent along to their recipient.”
According to the EFF, all 50 states would be able to craft their own laws, any of them capable of pressuring companies to weaken privacy protections like encryption. In that legal landscape, tech companies could err on the side of caution, gutting privacy protections to avoid running foul of state child sexual abuse material laws.
The American Civil Liberties Union also took a stand against the bill in an open letter to the committee, saying “these legal standards could force platforms to undermine or weaken their own encryption and privacy practices in order to avoid legal liability because plaintiffs could argue that end-to-end encryption, itself, is reckless or negligent conduct. Such liability claims could be bolstered if the advisory committee’s best practices recommend that platforms create encryption backdoors or otherwise take steps to weaken the encryption of their services.”
Sen. Ron Wyden (D-Oregon), who has advocated for digital privacy before, criticized the new version of the EARN IT Act, saying that “by allowing any individual state to set laws for internet content, this bill will create massive uncertainty, both for strong encryption and free speech online.”
After unanimous approval by the Senate Judiciary Committee, the next step for the bill is a debate on the floor of the Senate. Blumenthal told Politico that he and Graham want to see the Senate take up the bill this year, and that the House would be developing its own version of the bill soon.