from the this-is-bad dept

To save the children, we must destroy everything. That’s the reality of the EARN IT Act. I mean, you can get some sort of sense of what you’re in store for just by reading the actual words behind the extremely labored acronym: Eliminating Abuse and Rampant Neglect of Interactive Technologies Act. Whew. It’s a mouthful. And, given the name, it seems like this would be Congress putting funding towards supporting moderation efforts that target abusive content.

But it’s nothing like that. It’s all about punishing tech companies for the acts of their users. Like FOSTA before it, the bill has zero interest in actually targeting the creators and distributors of illegal content, like child sexual abuse material (CSAM). Instead, it’s only interested in allowing prosecutors to go after the easiest entities to locate: sites that rely on or facilitate the distribution of third-party content.

Specifically, the new bill makes a change to Section 230 that looks similar to the change that was made with FOSTA, saying that you don’t get 230 protections if you advertise, promote, present, distribute, or solicit CSAM. But here’s the thing: CSAM is already a federal crime and all federal crimes are already exempted from Section 230. On top of that, it’s not as if there are a bunch of cases anyone can trot out as examples of Section 230 getting in the way of CSAM prosecutions. There’s literally no evidence that this is needed or will help — because it won’t.

As we’ve detailed before, the real scandal in all of this is not that internet companies are facilitating CSAM, but that the DOJ has literally ignored its Congressional mandate to go after those engaged in CSAM production and distribution. Congress tasked the DOJ with tackling CSAM and the DOJ has just not done it. The DOJ was required to compile data and set goals to eliminate CSAM… and has just not done it. That’s why it’s bizarre that EARN IT is getting all of the attention rather than an alternative bill from Senators Wyden, Gillibrand, Casey and Brown that would tell the DOJ to actually get serious about doing its job with regards to CSAM, rather than blaming everyone else.

The bill’s proponents continue to defend the bill, casually ignoring that not only does it encourage social media sites to engage in no moderation (lest they trigger the “knowledge” clauses), but it’s also intended to undermine encryption — not just by portraying it as something that mainly benefits sexual abusers of children but by introducing incentives that discourage the implementation of end-to-end encryption. In fact, any attempts made to moderate and eliminate illegal content could subject companies to fines because the safest route — given the bill’s mandates — is to do nothing.

How this will help limit the spread of CSAM and help track down the producers of this content is left to everyone’s imagination. Those backing the bill simply assume that stripping immunity from hosts of third-party content will do the trick. They also imagine making all internet users less safe is an acceptable trade-off for limited visibility of CSAM distribution, something that’s going to push CSAM producers to sites not under US jurisdiction (making them tougher to find) and make everyone else using the internet and social media services for purely legal reasons less secure.

Plenty has been said about this truly terrible piece of legislation here at Techdirt. There’s plenty more being said elsewhere as well. The Internet Society has released its critique of the EARN IT Act. Guess what? It’s extremely critical. At stake is the privacy and security of millions of internet users. On the other side are opportunistic legislators who feel “doing something” is the same thing as “doing something useful.” The legislators are wrong. EARN IT will fuck up the internet and its users by turning encryption into a liability.

The EARN IT Act threatens a company’s ability to use and offer end-to-end encryption by putting their liability immunity at risk if they do not proactively monitor and filter for illegal user content. In doing so, it threatens the security, privacy, and safety of billions of people in the U.S. and worldwide who rely on encryption as a foundation for security online. End-to-end encryption (E2EE) is the strongest digital security shield to keep communications and information confidential between the sender and intended receivers. When used correctly, no third party – including the service provider– has the keys to access or monitor content. If passed into law, the EARN IT Act will directly threaten online service providers and Internet intermediaries, which are entities who facilitate interactions on the Internet, that supply or support encrypted services. It will also create risks for Internet infrastructure intermediaries – such as Internet Service Providers and others – that have no direct involvement in providing encrypted services.

The bill holds providers liable for user content and communications. To avoid this liability, proactive measures would need to be taken. When it comes to encrypted communications, none of the options are good under EARN IT. The options would range from on-demand encryption-breaking services to facilitate government investigations, removing one end of the end-to-end encryption entirely to monitor content, or just saying the hell with it and refusing to offer encryption. None of these benefit the hundreds of millions of Americans who don’t create or distribute illegal content.

Undermining use of encryption makes people and businesses more vulnerable to criminal activity, and indeed preventing minors from encrypting their communications would make them more at risk of harm, not less. That’s because preventing companies from using E2EE and offering secure services would undermine security and confidentiality online. This would put millions of law-abiding people in the U.S. – including marginalized groups and children – and billions more worldwide, at greater risk of harm from those seeking to exploit private data for harm

The latent threat — to users and platforms — is that the government will decide, post-passage, what “best practices” companies will have to use to detect, report, and remove CSAM. The problem is the government’s intercession, which makes Section 230 immunity reliant on compliance with a set of the rules that will add feature creep to the slippery slope. With entities like the FBI continually agitating for encryption backdoors, it will only be a matter of time before the “best practices” include content scanning of some sort, which means end-to-end encryption will no longer be an option. EARN IT doesn’t explicitly make encryption illegal but its mandates and wording may make the use of encryption close enough to a crime to hold companies liable for the actions of their users.

While offering end-to-end encryption in itself is not a crime, the EARN IT Act makes it possible for a court to use encryption as evidence to find a service provider liable in cases related to CSAM. If a user disseminates CSAM and violates Title 18 sections 2252, 2252a, or 2256(8) using an encrypted service, a court could determine the service provider’s offering of encryption makes it liable for negligently or recklessly distributing CSAM because the encryption prevented the service provider from detecting and then blocking CSAM sent by its users – even if the service provider had no knowledge of particular CSAM being transmitted.

A service provider offering E2EE is not aware of and does not have access to the content or communications shared or published online. As such, a court might consider this use of E2EE to determine whether the provider was in reckless disregard of CSAM distributed on its platform or was negligent in permitting its dissemination. Indeed, under the EARN IT Act, a state law could explicitly say that offering an encrypted service could be viewed as evidence of negligence or willful ignorance of CSAM transmission (without ever running afoul of the asserted “carveout” included in the EARN IT Act).

Encryption is more than a way to secure communications. It’s also a way to provide security and privacy for users interacting with other services that don’t connect them to other human beings. The bill won’t just bring the pain to WhatsApp and its competitors. It will make every intermediary — no matter how disconnected from the production/distribution of criminal content — possibly liable. And it will give prosecutors a long list of entities to punish, none of which actually produced or uploaded the content.

The EARN IT Act hinders the ability of intermediaries to use a critical community-adopted building block for Internet security: encryption. It does so by creating liability risk to the intermediary that cannot monitor content users share, store, or publish online. State laws could seek to impose civil liability on every party involved in the creation, carriage, or storage of communications, including ISPs, web hosting providers, cloud backup services, and encrypted communications services like WhatsApp.

[…]

Furthermore, in the face of civil liability for damages under state laws permitted by the EARN IT Act, network operators could decide to stop carrying encrypted traffic or take other actions to block such traffic to avoid the risk of liability. Doing so would make them less interoperable with networks carrying E2EE traffic. Without interoperability, Internet users may experience slower and less secure web browsing.

This is certainly not the intent of the authors and supporters of the bill. Or, at least, it isn’t an intent any of them would admit to. Chances are, most of the bill’s backers haven’t thought about it long enough to consider the undesirable side effects of hitching immunity to government mandates. Others may simply see this as a good way to discourage use of encryption under the mistaken assumption that it will make it easier for investigators to track down child abusers.

All of these assumptions are wrong. And there is certainly a small percentage of bill supporters who see these negative consequences and like them — people who not only don’t understand the internet and social media platforms, but have converted their ignorance into fear.

The problem is, there’s only a few of them and millions of us. In theory, that means we have the upper hand. Unfortunately, when it comes to government work, it’s top down, which means the few decide what the rest of use have to live with.

Filed Under: csam, earn it, privacy, security

Leave a Reply