EARN IT Act Will Make The Internet Worse For Everyone By Undermining Privacy And Security
from the this-is-bad dept
To save the children, we must destroy everything. That’s the reality of the EARN IT Act. I mean, you can get some sort of sense of what you’re in store for just by reading the actual words behind the extremely labored acronym: Eliminating Abuse and Rampant Neglect of Interactive Technologies Act. Whew. It’s a mouthful. And, given the name, it seems like this would be Congress putting funding towards supporting moderation efforts that target abusive content.
But it’s nothing like that. It’s all about punishing tech companies for the acts of their users. Like FOSTA before it, the bill has zero interest in actually targeting the creators and distributors of illegal content, like child sexual abuse material (CSAM). Instead, it’s only interested in allowing prosecutors to go after the easiest entities to locate: sites that rely on or facilitate the distribution of third-party content.
Specifically, the new bill makes a change to Section 230 that looks similar to the change that was made with FOSTA, saying that you don’t get 230 protections if you advertise, promote, present, distribute, or solicit CSAM. But here’s the thing: CSAM is already a federal crime and all federal crimes are already exempted from Section 230. On top of that, it’s not as if there are a bunch of cases anyone can trot out as examples of Section 230 getting in the way of CSAM prosecutions. There’s literally no evidence that this is needed or will help — because it won’t.
As we’ve detailed before, the real scandal in all of this is not that internet companies are facilitating CSAM, but that the DOJ has literally ignored its Congressional mandate to go after those engaged in CSAM production and distribution. Congress tasked the DOJ with tackling CSAM and the DOJ has just not done it. The DOJ was required to compile data and set goals to eliminate CSAM… and has just not done it. That’s why it’s bizarre that EARN IT is getting all of the attention rather than an alternative bill from Senators Wyden, Gillibrand, Casey and Brown that would tell the DOJ to actually get serious about doing its job with regards to CSAM, rather than blaming everyone else.
The bill’s proponents continue to defend the bill, casually ignoring that not only does it encourage social media sites to engage in no moderation (lest they trigger the “knowledge” clauses), but it’s also intended to undermine encryption — not just by portraying it as something that mainly benefits sexual abusers of children but by introducing incentives that discourage the implementation of end-to-end encryption. In fact, any attempts made to moderate and eliminate illegal content could subject companies to fines because the safest route — given the bill’s mandates — is to do nothing.
How this will help limit the spread of CSAM and help track down the producers of this content is left to everyone’s imagination. Those backing the bill simply assume that stripping immunity from hosts of third-party content will do the trick. They also imagine making all internet users less safe is an acceptable trade-off for limited visibility of CSAM distribution, something that’s going to push CSAM producers to sites not under US jurisdiction (making them tougher to find) and make everyone else using the internet and social media services for purely legal reasons less secure.
Plenty has been said about this truly terrible piece of legislation here at Techdirt. There’s plenty more being said elsewhere as well. The Internet Society has released its critique of the EARN IT Act. Guess what? It’s extremely critical. At stake is the privacy and security of millions of internet users. On the other side are opportunistic legislators who feel “doing something” is the same thing as “doing something useful.” The legislators are wrong. EARN IT will fuck up the internet and its users by turning encryption into a liability.
The EARN IT Act threatens a company’s ability to use and offer end-to-end encryption by putting their liability immunity at risk if they do not proactively monitor and filter for illegal user content. In doing so, it threatens the security, privacy, and safety of billions of people in the U.S. and worldwide who rely on encryption as a foundation for security online. End-to-end encryption (E2EE) is the strongest digital security shield to keep communications and information confidential between the sender and intended receivers. When used correctly, no third party – including the service provider– has the keys to access or monitor content. If passed into law, the EARN IT Act will directly threaten online service providers and Internet intermediaries, which are entities who facilitate interactions on the Internet, that supply or support encrypted services. It will also create risks for Internet infrastructure intermediaries – such as Internet Service Providers and others – that have no direct involvement in providing encrypted services.
The bill holds providers liable for user content and communications. To avoid this liability, proactive measures would need to be taken. When it comes to encrypted communications, none of the options are good under EARN IT. The options would range from on-demand encryption-breaking services to facilitate government investigations, removing one end of the end-to-end encryption entirely to monitor content, or just saying the hell with it and refusing to offer encryption. None of these benefit the hundreds of millions of Americans who don’t create or distribute illegal content.
Undermining use of encryption makes people and businesses more vulnerable to criminal activity, and indeed preventing minors from encrypting their communications would make them more at risk of harm, not less. That’s because preventing companies from using E2EE and offering secure services would undermine security and confidentiality online. This would put millions of law-abiding people in the U.S. – including marginalized groups and children – and billions more worldwide, at greater risk of harm from those seeking to exploit private data for harm.
The latent threat — to users and platforms — is that the government will decide, post-passage, what “best practices” companies will have to use to detect, report, and remove CSAM. The problem is the government’s intercession, which makes Section 230 immunity reliant on compliance with a set of the rules that will add feature creep to the slippery slope. With entities like the FBI continually agitating for encryption backdoors, it will only be a matter of time before the “best practices” include content scanning of some sort, which means end-to-end encryption will no longer be an option. EARN IT doesn’t explicitly make encryption illegal but its mandates and wording may make the use of encryption close enough to a crime to hold companies liable for the actions of their users.
While offering end-to-end encryption in itself is not a crime, the EARN IT Act makes it possible for a court to use encryption as evidence to find a service provider liable in cases related to CSAM. If a user disseminates CSAM and violates Title 18 sections 2252, 2252a, or 2256(8) using an encrypted service, a court could determine the service provider’s offering of encryption makes it liable for negligently or recklessly distributing CSAM because the encryption prevented the service provider from detecting and then blocking CSAM sent by its users – even if the service provider had no knowledge of particular CSAM being transmitted.
A service provider offering E2EE is not aware of and does not have access to the content or communications shared or published online. As such, a court might consider this use of E2EE to determine whether the provider was in reckless disregard of CSAM distributed on its platform or was negligent in permitting its dissemination. Indeed, under the EARN IT Act, a state law could explicitly say that offering an encrypted service could be viewed as evidence of negligence or willful ignorance of CSAM transmission (without ever running afoul of the asserted “carveout” included in the EARN IT Act).
Encryption is more than a way to secure communications. It’s also a way to provide security and privacy for users interacting with other services that don’t connect them to other human beings. The bill won’t just bring the pain to WhatsApp and its competitors. It will make every intermediary — no matter how disconnected from the production/distribution of criminal content — possibly liable. And it will give prosecutors a long list of entities to punish, none of which actually produced or uploaded the content.
The EARN IT Act hinders the ability of intermediaries to use a critical community-adopted building block for Internet security: encryption. It does so by creating liability risk to the intermediary that cannot monitor content users share, store, or publish online. State laws could seek to impose civil liability on every party involved in the creation, carriage, or storage of communications, including ISPs, web hosting providers, cloud backup services, and encrypted communications services like WhatsApp.
[…]
Furthermore, in the face of civil liability for damages under state laws permitted by the EARN IT Act, network operators could decide to stop carrying encrypted traffic or take other actions to block such traffic to avoid the risk of liability. Doing so would make them less interoperable with networks carrying E2EE traffic. Without interoperability, Internet users may experience slower and less secure web browsing.
This is certainly not the intent of the authors and supporters of the bill. Or, at least, it isn’t an intent any of them would admit to. Chances are, most of the bill’s backers haven’t thought about it long enough to consider the undesirable side effects of hitching immunity to government mandates. Others may simply see this as a good way to discourage use of encryption under the mistaken assumption that it will make it easier for investigators to track down child abusers.
All of these assumptions are wrong. And there is certainly a small percentage of bill supporters who see these negative consequences and like them — people who not only don’t understand the internet and social media platforms, but have converted their ignorance into fear.
The problem is, there’s only a few of them and millions of us. In theory, that means we have the upper hand. Unfortunately, when it comes to government work, it’s top down, which means the few decide what the rest of use have to live with.
Comments on “EARN IT Act Will Make The Internet Worse For Everyone By Undermining Privacy And Security”
If monitoring for CSAM is made mandatory, can small sites like Techdirt continue to allow user comments?
Also, does negligence extend to not looking at what an innocent looking link actually links to, which would terminally break the Internet by making links too risky to allow. (A link to an innocent page today, could become a page of illegal content tomorrow)
Silver lining is that it’s the end of the year and it’s quite possible that congress might just run out of time debating EARN IT. But this is Congress we’re talking about, who waste time on everything but the problems, so anything is possible.
If the democrats sneak in graham’s bs bill then I’m never voting again. I’m in georgia so everyone is telling me vote warnock but why give a damn when the dems never listen to us.
Re: Not all bad choices are equal
You’ve got two people in front of a burning house:
1) One person is throwing literal cups of water on it, one every couple of minutes. Every so often they slip in a cup of gasoline. They may be mostly just going through the motions and not accomplishing anything but they’re overall not trying to make things worse, they’re just not doing much to make things better.
2) The other person is throwing buckets worth of liquid on a regular basis but it’s all gasoline.
You have to support one of them, which do you choose?
Re:
Look, I agree with the One Guy on this one. Yes the Democrats can be infuriating at times such as this, but choosing to not vote at all is incredibly defeatist. Political apathy breeds terrible candidates and your vote does count, no matter how insignificant it may seem. Remember that not all democrats are opportunistic moral shills like Bluthmenthal, corrupt as Manchin, nor borderline incomprehensible as Sinema. Very much like the Republican Party, the Democrats are flawed. But I will stick with them, not because I always agree what they say, but they at least try to govern the country. Voting where your conscience stay keeps the fascists away.
Re:
You not voting goes in either one of two ways.
The first way is Trump wins and you get shot for not Sieg Heiling the Orange Dictator.
The second way is 2A. You’re still getting shot anyway.
At least try the option that leaves you with ZERO gunshot wounds first. And yes, I’m the asshole that will tell you 2A is one of your few options left.
Pass the Metamucil
Why does a pool of old people make poop acronyms?
Maybe they can get more creative like Busy Individuals Like Kids Act or Social Commerce Addict Mediators Act for making rules for 3rd world countries online.
Re:
The B.I. L. K. A. S. C. A. M. Act?
Re: Re:
Now thats original, like fee douchy airy (paid wet air from an orifice, as the urban dictionary puts it).
but because those in government are mainly ‘Internet Illiterate’ it wont matter! it’s always the same, the ones with power have little knowledge but they always get what they are paid by big industry and media to do what they are told, fucking up everything they touch. most importantly, they remove as much as possible from ordinary people because, God forbid, we mustn’t have any rights and mustn’t be able to find out what these two-faced fuckers are up to!!
'We screwed up so they're to blame!'
As we’ve detailed before, the real scandal in all of this is not that internet companies are facilitating CSAM, but that the DOJ has literally ignored its Congressional mandate to go after those engaged in CSAM production and distribution. Congress tasked the DOJ with tackling CSAM and the DOJ has just not done it. The DOJ was required to compile data and set goals to eliminate CSAM… and has just not done it. That’s why it’s bizarre that EARN IT is getting all of the attention rather than an alternative bill from Senators Wyden, Gillibrand, Casey and Brown that would tell the DOJ to actually get serious about doing its job with regards to CSAM, rather than blaming everyone else.
Nothing says ‘this is a performative/punitive bill rather that one aimed at solving the problem’ like ignoring that a major government agency is already tasked with the problem, has utterly failed to do anything about it, and therefore someone else needs to be blamed for it.
Unlike the article I’m not willing to give the supporters of the bill any benefit of the doubt here given they are ignoring the real problem to focus on shifting the blame. They either don’t care about anything other than being seen Doing Something or are actively gunning for encryption and are willing to use exploited children to get their way, and in both cases deserve to be called out and condemned for it.