Council On Foreign Relations Burns EARN IT To The Ground In Powerful Post Criticizing Its Anti-Encryption Aims

from the BURN-IT dept

The EARN IT Act (the tortured acronym stands for Eliminating Abusive and Rampant Neglect of Interactive Technologies Act) has been bad news ever since its introduction way back in March of 2020. The bill’s original backers were all people who either hated encryption (AG Bill Barr, Sen. Dianne Feinstein) or “Big Tech” (Trump acolytes Josh Hawley and Lindsey Graham).

The stated aim is the disruption of CSAM (child sexual abuse material) distribution. The real goal is the punishing of tech companies for imagined slights by removing their Section 230 immunity and the undermining of end-to-end encryption so law enforcement (and others) can shoulder-surf internet communications. There’s nothing in the bill that targets CSAM producers and consumers. It’s all about going after tech companies for supposedly being willing enablers.

Resisting the bill means siding with child molesters, or so EARN IT’s proponents would have you believe. But if it becomes law, it’s going to make the internet worse for everyone, not just the criminals that take advantage of its distribution features. With its targeting of Section 230 immunity and end-to-end encryption, it will reduce the number of communication services available to people to those that either choose to engage in zero content moderation or remove/break any encryption they offer to users.

The bill kind of went into hibernation for the latter part of 2022, only to reawaken in a no more rested state in April 2023. Nothing much has changed in the interim. This year’s model looks pretty much like the 2020-2022 models: Section 230 on the chopping block and the wording that misleadingly suggests the law won’t target encryption while providing plenty of options for the government to do exactly that.

And the problem it creates — the destruction of encryption — hasn’t gone away. While plenty of government officials like to pretend it’s possible to create a form of encryption that is still secure despite apparently being able to be broken at will, those who actually work in the encryption field or exercise common sense know both things can’t be true.

A very strongly worded post by Tarah Wheeler on the Council on Foreign Relations (CFR) site doesn’t pull any punches when it discusses this mythical form of encryption that only exists in the minds of people whose occupations depend on believing something that obviously isn’t true.

The bill would force companies to break encryption and keep a running log of all communications from all users. Anything else would potentially allow service providers to be held liable for the actions of their users. Supposedly, this is OK because this is the internet and none of this is real. Wheeler puts it in real-world terms that might make more sense to the octogenarians crafting internet-facing legislation.

If this bill was pointed at landlords and tenants, it would be the digital equivalent of requiring landlords to constantly search their unknowing and unconsenting tenants’ homes for any evidence of child sex crimes. It’s already illegal for landlords to knowingly permit crimes—but demanding they go search their tenants’ homes repeatedly to turn over evidence becomes distressingly dystopic and forces them into becoming unwilling agents of the state instead of private citizens or companies. (Which is unconstitutional, by the way: if a law dragoons a digital landlord into being an agent of the state, its warrantless searches of the tenant’s online home violate the Fourth Amendment.) Continuing the brick-and-mortar metaphor, EARN IT’s authors want landlords to replace tenants’ strong locks with ones that open whenever anyone wants to poke about looking for child sex crimes whether there’s any reason to do so or not. And they swear that privacy and security for those tenants will not be meaningfully affected.

It’s terrible enough that the legislators behind this bill believe this is an acceptable outcome. And it’s even worse that they still claim most users’ privacy and security won’t be affected by these mandates.

But they also want us to believe this. They want us to believe encryption can be compromised but still be secure. That’s where it gets downright Orwellian, in pretty much the most literal sense. And this is where Wheeler just goes off:

It is not mathematically possible, as lawmakers repeatedly demand, to only break encryption a little bit in order to search for CSAM. Once encryption is broken, it is all the way broken. Here’s an analogy to illustrate. Remember 1984 by George Orwell? There’s a moment when Winston Smith sees O’Brien holding up four fingers, and is told that if he only says there are five fingers up, he can go free. For those of you who remember the incredible performances of Sir Patrick Stewart and David Warner in Star Trek: The Next Generation’s retelling of Orwell’s story in the brilliant two-part episode Chain Of Command, Captain Picard is being told by his Cardassian captor that he must say that there are five lights in the room, though there are only four. What if O’Brien or Gul Madred, in that situation, had been willing to compromise, as the U.S. government often says they’re willing to do? All Winston had to do was say there were 4.5 fingers up. The only thing Picard needed to do was say there were 4.5 lights. That’s meeting their opponents halfway, right? It may be a compromise, but it’s neither a meaningful one, nor a true one. It’s not physically possible for there to be 4.5 fingers up or 4.5 lights; there either is or is not an extra finger or one more light, and saying anything else may stop the torture but it doesn’t make it true. We cannot tell policymakers that it is possible to compromise on encryption, because there’s no compromise to be had. It’s either broken or not. There are four fingers. THERE ARE FOUR LIGHTS. Saying there are 5 because that’s what a policymaker wants to hear, or saying there are 4.5 because it seems like a compromise, makes us liars without solving any of the underlying problems.

It can’t be both things. It can’t even be partially both things. Encryption works or it doesn’t. Flaws deliberately introduced to satisfy government demands break encryption. Permanently. The criminal acts cited as the impetus for this legislation are horrific. But there’s supposed to be a tradeoff here — one that all stakeholders, including the governed agree to.

But there is no tradeoff. Legislators want us to believe it’s worth the sacrifices we’ll be making. The government isn’t giving up anything of its own. It’s just getting more power. And these legislators are unwilling to be intellectually honest about this legislation, preferring to engage in appeals to emotion in hopes of talking people into agreeing that the number of lights/fingers is closer to five than the four their own eyes see.

On top of all of that, hoping that a regime change will finally dead-end this destructive legislation is just wishful thinking. The wrong is all over the place.

If legislators don’t understand what they’re regulating, they probably shouldn’t be trying to regulate it. There are truths in play here one would think would be undeniable. But denial is apparently an essential part of the legislative tool set. CJR spells it out in terms so simple a congressional rep could understand it.

EARN IT is yet another case of politicians not understanding or ignoring the technical realities behind encryption. You can’t be a little bit pregnant, you can’t be kind of dead, and encryption can’t be halfway broken.

All true. And even if EARN IT’s supporters don’t actually believe what they’re saying, they expect the rest of us to treat it as the truth. That’s just insulting and it’s being piled on top of the long list of proposed injuries.

Filed Under: earn it, earn it act, encryption

