Is the EARN-IT Act a backdoor attempt to get encryption backdoors?

Last week a pair of US senators on the Senate Judiciary Committee, Lindsey Graham (R-SC) and Richard Blumenthal (D-CT), introduced a flashpoint piece of legislation called The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT). The law, ostensibly designed to dampen the rampant child exploitation activities online, has drawn criticism from civil rights groups, free speech advocates, and cybersecurity professionals during draft discussions. Most observers said it is a sneak attack on end-to-end encryption. The release of the formal version of the bill only solidified this fear.

What’s in the EARN-IT bill?

The 65-page piece of legislation promises to eliminate so-called Section 230 legal liability protection tech and internet companies that don't meet recommendations about how to eradicate child exploitation material. Those recommendations would be made by a 19-member National Commission on Online Child Sexual Exploitation Prevention. Companies can "earn" their liability exemptions granted under Section 230 of the Communications Decency Act, essential protection that enabled the growth of online platforms such as Facebook, Twitter and Google, if they meet the commission's recommendations on how to combat child sexual abuse material (CSAM).

The bill says that the commission should include the attorney general, the heads of the Department of Homeland Security (DHS) and the Federal Trade Commission (FTC), two members with "current experience in matters related to constitutional law, consumer protection, or privacy," and two members with expertise in "computer science or software engineering related to matters of cryptography, data security, or artificial intelligence in a nongovernmental capacity." The bill says the commission should also include four members who have "experience in providing victims services for victims of child exploitation" or who are survivors of online child sexual exploitation."

The commission will be charged with developing practices on how to combat child sexual exploitation online, with only 14 votes needed to adopt a best practice. The attorney general, along with the heads of DHS and FTC, will approve each best practice. The practices can consist of such things as scanning media content for abusive images or monitoring communications between suspected child abusers and potential victims.

EARN-IT doesn't specifically bar encryption, a goal unsuccessfully pursued by US law enforcement since the Clinton Administration and now sought in earnest by US Attorney General William Barr. Yet, many public interest organizations and security experts have come out and condemned the bill because it's a hidden means to ban end-to-end encryption.

In a statement, the ACLU's Senior Legislative Counsel Kate Ruane said, "The EARN It Act threatens the safety of activists, domestic violence victims, and millions of others who rely on strong encryption every day. Because of the safety and security encryption provides, Congress has repeatedly rejected legislation that would create an encryption backdoor."

"The bill, which purports to fight the spread of child sexual abuse material online, undermines not only encryption and the security of internet communications, but also future law enforcement investigations against predators of children," the Center for Democracy and Technology said in its response to the bill's introduction.

Matthew Green, a cryptographer, and professor at Johns Hopkins University, called the bill "a direct attack on end-to-end encryption and wrote in his blog that it "represents a sophisticated and direct governmental attack on the right of Americans to communicate privately. I can't stress how dangerous this bill is, though others have tried."

Despite the bill mentioning cryptography only once (in terms of the kinds of computer science experts named to the commission), the consensus among experts is that Attorney General Barr is pushing the bill on the heels of his failed effort to gain traction on what he calls "lawful access" to encrypted communications, but what most experts call encryption backdoors. Encryption backdoors would break the security chain for not only law enforcement in their hunt for criminals but would also allow criminals and spies into what are now private and protected communications.

EARN IT incentivizes companies to give up end-to-end encryption

Therefore, encryption backdoor components have wrapped themselves in the worthy cause of combatting child exploitation and are pushing the financial incentive of Section 230 exemptions to force tech companies to give up end-to-end encryption voluntarily. The thinking goes that tech and internet companies won't be able to meet the commission's recommendations without abandoning encryption because they won't be able to identify much of the CSAM flowing across their services. Therefore, they will be financially induced to give up end-to-end encryption to earn their legal immunity.

"It's clear that the bill drafters know they have a huge Fourth Amendment problem if they directly mandate the measures they want tech companies to take, and so they're trying to dance around that by making this byzantine structure that creates a fiction that the "best practices" are just voluntary measures that companies could freely choose to do or not to do," Rian Pfefferkorn, associate director of surveillance and cybersecurity at the Center for Internet and Society, tells CSO.

"This bill is a backdoor way to allow the government to ban encryption on commercial services," Professor Green wrote. "And even more beautifully, it doesn't come out and actually ban the use of encryption; it just makes encryption commercially infeasible for major providers to deploy, ensuring that they'll go bankrupt if they try to disobey this committee's recommendations."

"While we support the bill's purported end goal of combating child exploitation online, the bill would not be effective in achieving that purpose, and instead appears to be an attempt to ban end-to-end encryption without actually banning it outright," Lauren Sarkesian, senior policy counsel, New America's Open Technology Institute, tells CSO. "Without once using the word 'encryption,' the bill sets the stage for 'best practices' that would require companies to abandon strong encryption services or face liability."

The bill's proponents deny the legislation is an attempt to ban encryption. In a four-page response to critics of the law, the sponsors said, "EARN IT Act is not an encryption bill and does not ban encryption or otherwise impose obligations related to lawful access to data." The response also argues that "best practices will require real buy-in from tech experts and companies."

"I think that's a fairly unconvincing response to that criticism," Hannah Quay-de la Vallee, senior technologist for the Center for Democracy and Technology, tells CSO. "The makeup of the committee means that you still only need 14 out of 19 members. You can totally block out the computer science members of the committee. If they really wanted to say this isn't about encryption, they could have done that, and they didn't."

The surreptitious insertion of requirements that will likely lead to companies abandoning encryption to earn liability protection seems a crooked path to achieve a straightforward goal. "The convoluted structure of the bill is clearly intentional, in my mind," Stanford's Pfefferkorn says. "The drafters of the bill know it would violate the Constitution to directly require tech companies to search for CSAM on their services."

Absent a bill like this that follows a convoluted route to reach encryption backdoors, are there any hopes that Barr, the FBI and the rest of law enforcement, could reach a deal that satisfies all parties? If so, what would that look like?

Alternatives to EARN-IT

Senator Ron Wyden (D-OR) is expected this week to introduce legislation that counters the EARN IT act by proposing more fundamental solutions to the online child exploitation problem, such as boosting funding to law enforcement to go after these kinds of crimes. "That obviously doesn't get at the fact that DOJ has reasons for wanting the backdoor that go beyond child exploitation," Quay-de la Vallee says. But there is "absolutely room to do things" to help law enforcement conduct their investigations in the digital age, such as increasing the usability of the data that companies hand back to law enforcement.

"Increased funding for law enforcement should be uncontroversial, and it should have happened years ago, and the EARN IT act doesn't do anything about that," Berin Szoka, president of the libertarian-leaning policy group TechFreedom, tells CSO.

Szoka advocates for Congress to explore more closely what kind of changes in tech industry practices Congress could foster that wouldn't run afoul of mandating unconstitutional requirements, particularly where the Fourth Amendment is concerned. "There should be a hearing that asks what can be mandated."

"One 'middle ground' proposal I've heard come up several times is client-side pre-upload scanning," Pfefferkorn says. "The idea is that before a piece of content can be transmitted through an end-to-end encrypted app, the content must be scanned to see if it has any match in a hashed database of CSAM. There are technical impediments to implementing that on-device, plus it undermines the security and privacy guarantees that the user expects from using an end-to-end encrypted app."

Yet, even this kind of compromise could end up gutting the privacy protection encryption offers. "The whole point of end-to-end encryption is that nobody but you and the person you're talking to knows what content is being exchanged," Pfefferkorn says. "Vetting every piece of content I want to send someone against a black-box database whose contents I can't see is not my idea of privacy."

Comments are closed.