EARN IT is a dangerous law that could be used to break encryption

An illustration of content scanning that could happen under EARN IT.

We recently wrote about a proposed law in the United States known as the Lawful Access to Encrypted Data Act (LAED Act), which would basically ban encryption by requiring companies to build a backdoor. But this is not the only effort underway in the US Congress that attempts to destroy privacy as we know it.

On July 2, the Senate Judiciary Committee voted to approve the EARN IT Act (an acronym that stands for Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020). Now that it is out of committee, EARN IT is scheduled to be debated on the Senate floor. This bill, if passed, would require social media companies to monitor all of the content shared on their platforms, including private messages, ostensibly to prevent the spread of child sexual abuse material. 

But the bill is loosely worded and gives extraordinary power to individual states to create their own rules. Advocates for online freedom say the legislation is ill-fitted for its stated purpose and may instead force Internet companies to monitor all their users’ activity, even if that means breaking encryption.

In other words, EARN IT can be used as a trojan horse to attack encryption, or as critics have put it, a “backdoor to a backdoor.” Despite the bill’s authors claiming it has nothing to do with encryption, it opens the door to states requiring measures that would undermine end-to-end encryption, such as scanning messages before they are encrypted. 

While we recognize the scourge of child sexual abuse material online — and the role that Big Tech has played in its proliferation — EARN IT is a nonsensical approach to solving the problem. There are many proposed solutions, such as removing videos of children from the YouTube recommendation system, which has been used by pedophiles to create repositories of content. EARN IT instead would address the problem by making YouTube remove almost all the videos of children, period, as YouTube would not want to risk the increased liability it will face under the new law.

EARN IT only tangentially addresses the problem of abusive material online. Its primary effects would be to require companies to monitor their users, enforce the censorship of legal information, and create a framework to break encryption.

How EARN IT works 

Under US law, tech platforms are generally not legally liable for the content that users post on their platforms. This is the legal premise that has enabled Facebook and Twitter to become clearinghouses for fake news, slander, and extremist content. It is codified under Section 230 of the Communications Decency Act.

The original premise of EARN IT was that online and social media companies would have to “earn” their Section 230 protections by following specific best practices, which were going to be created by a 19-member federal commission.

Now, after all the amendments that were added in committee, the bill instead makes companies liable if child sexual abuse material appears on their platform, full stop. In other words, abusive material would not be protected by Section 230.

The federal commission’s power has also been reduced, and its best practice list will be voluntary. However, that same amendment will allow all 50 states to write their own rules and regulations to prevent abusive material. If an Internet company does not comply with these laws, it opens itself up to potential state-level criminal charges.

This would result in a patchwork legal system where every state has its own set of rules, which would likely lead Internet companies to simply adopt the most restrictive state code as their standard. It only takes one state to require Internet companies to scan content before it is encrypted to undo end-to-end encryption.

How EARN IT attacks encryption and free speech

EARN IT would turn Internet companies into censors and give states the power to undermine end-to-end encryption.

By attacking Section 230, this bill guarantees that a large swath of legal free speech would be suppressed. To avoid liability, online companies will delete anything that is even tangentially related to the targeted topic.

We know this because we’ve witnessed it before. The Fight Online Sex Trafficking Act, which this bill now resembles, was meant to only target sex trafficking. However, in practice, it led to Craigslist deleting its entire “Personals” section and Microsoft monitoring Skype for vulgarity and nudity. 

It could also be the bill that breaks encryption. Instead of a direct attack on encryption like the LAED Act, EARN IT would give the US states the power to undo end-to-end encryption. States could require Internet companies to scan messages before they are encrypted or create new ways to access end-to-end encrypted messages without touching the encryption. Australia’s Assistance and Access law plays this same semantic game by requiring Internet companies to help law enforcement develop malware that can access information after it has been decrypted on your device, thereby technically leaving the encryption intact. 

Defenders of the bill say it has nothing to do with encryption. In fact, an amendment was introduced that protects Internet companies from these state and private lawsuits if they use encryption. But, as Riana Pfefferkorn explains in the Center for the Internet and Society blog, this protection only applies if a company’s liability is “because of” its use of encryption. If prosecutors can present other feasible grounds for their charges, even if it’s just a pretext, the case likely would have to go to court. 

While the amendment protecting encryption is better than nothing, any American company that offers end-to-end encryption would have to be prepared to fight several long, costly court battles to see if it would hold up against state laws. Many companies and organizations cannot afford that type of litigation. The end-to-end messaging service Signal has already stated they would likely have to move their headquarters outside the US if EARN IT passes. 

How would EARN IT affect you?

If you are a Proton user, you would avoid the most harmful effects of EARN IT. We are a Swiss company, and the data centers ProtonMail uses are all in Switzerland. Therefore, we are not subject to US laws. Any request from foreign law enforcement needs to be approved by Swiss authorities. 

EARN IT would lead to a massive overreaction by Internet companies, as they will remove completely legal user content to avoid even the hint of liability. Or, as the ACLU said in its letter to the Senate Judiciary Committee, “Even if the speech covered by the law could be restricted without raising constitutional concern, the content moderation practices the companies will deploy to avoid liability risk will sweep far more broadly than the illegal content.”

If a state takes up the invitation of this law and passes regulations against end-to-end encryption, it will place many American companies, like WhatsApp or Signal, in a tough place. Do they fight numerous costly court cases, break their encryption, or leave the US?

We cannot allow Congress to pass EARN IT

EARN IT chips away at one of the legal foundations for free speech on the Internet and jeopardizes the encryption that keeps the Internet secure in the name of preventing abusive material from appearing online. However, posting child sexual abuse material is already a federal crime, which means it is exempt from Section 230 to begin with. There are many more effective ways to prevent the proliferation of this type of material, like supporting the Invest in Child Safety bill, which would direct mandatory funding into the investigation and prosecution of pedophiles and abusers.

Furthermore, if this bill was not intended to target encryption, the lawmakers could have included strong explicit protections for encryption from the beginning. Instead, lawmakers added an amendment as a fig leaf, and it’s not even clear that it would defend encryption if it was tested out in court.

In short, EARN IT is vague, unnecessary, and unlikely to solve the problem it claims to be addressing. Instead, it would expand government surveillance and censorship and possibly force companies to create backdoors in their encryption. 

What you can do

EARN IT has left committee, but it has not yet faced a floor vote in either the Senate or the House of Representatives. You can monitor its progress here.

We strongly encourage all Americans to write to their representatives in Congress and tell them to vote against EARN IT. This is your chance to remind Congress that you value your security and freedom of speech. The Electronic Frontier Foundation’s Action Center will help you get in touch with your representatives.

You can also protect your personal messages by signing up for a free email account with ProtonMail. This account will also give you access to the free version of ProtonVPN, which you can use to encrypt your online browsing.

EARN IT threatens everyone’s right to an Internet that protects people’s privacy and freedom. Help us stop it.


About the Author

Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

 


6 comments on “EARN IT is a dangerous law that could be used to break encryption”

  • To the entire Proton team,

    Hi guys, I think you ALL are doing a tremendous job with Proton and the services you offer. Keep up the good work. The world needs more people like you!

  • A totalitarian state of extreme surveillance. Well, this was coming sooner or later.
    What is the pretext? The same as always.
    They talk about extremism, pedophilia, etc.
    They appeal to these and many more pretexts when, many times, they themselves are the cause of such aberrations.
    Typical.
    I am not denying that these kinds of things, independent of them, happen; of course they happen.
    But let's think about what happened after 2001, with 9/11 and the Patriot Act.
    More of the same, but now on a much larger scale.

  • The fact that this bill is sponsored by members of both parties should tell any American where both parties ultimately stand on Internet privacy.

  • How far are the Swiss authorities going to resist pressure from the US judiciary or the US government
    in case they demand cooperation in forcing Protonmail, and/or ProtonVPN to “cooperate” in breaking their encryption?

    The question poses itself in light of past successful moves by the authorities of the USA in breaking the secret of Swiss banks ;=)

    • Hi Czerno, thanks for the question. There will always be risks, because it is impossible to operate outside of any jurisdiction. However, privacy is a core value in Switzerland, and Swiss laws offer a high level of protection for users. We have also challenged orders in court that we do not agree with. You can find more details about this in our Transparency Report: https://protonmail.com/blog/transparency-report/
