The EARN IT Act Is a Sneak Attack on Encryption

The crypto wars are back in full swing. 
Senator Lindsey Graham walking
Senator Lindsey Graham is a cosponser of a bill that could force companies to choose between strong encryption and basic legal protections.Photograph: Al Drago/Getty Images

A bipartisan pair of US senators today introduced long-rumored legislation known as the EARN IT Act. Meant to combat child sexual exploitation online, the bill threatens to erode established protections against holding tech companies responsible for what people do and say on their platforms. It also poses the most serious threat in years to strong end-to-end encryption.

As the final text of the bill circulated, the Department of Justice held a press conference about its own effort to curb online child predation: a set of 11 "voluntary principles" that a growing number of tech companies—including Facebook, Google, Microsoft, Roblox, Snap, and Twitter—have pledged to follow. Though the principles the companies are pledging to adopt don't specifically impact encryption themselves, the event had an explicit anti-encryption message. The cumulative effect of this morning's announcements could define the geography of the next crypto wars.

Child predators "communicate using virtually unbreakable encryption," US attorney general William Barr said during the press conference. "The department for one is prioritizing combatting child sexual exploitation and abuse in our prosecution efforts. And we are also addressing child exploitation in our efforts on retaining lawful access and in analyzing the impact of Section 230 of the Communications Decency Act on incentives for platforms to address these crimes."

EARN IT focuses specifically on Section 230, which has historically given tech companies freedom to expand with minimal liability for how people use their platforms. Under EARN IT, those companies wouldn't automatically have a liability exemption for activity and content related to child sexual exploitation. Instead, companies would have to "earn" the protection by showing that they are following recommendations for combatting child sexual exploitation laid out by a 16-person commission.

The bill, written by South Carolina Republican senator Lindsey Graham and Connecticut Democrat Richard Blumenthal, would create a way for law enforcement officials, attorneys general, online child sexual exploitation survivors and advocates, constitutional law scholars, consumer protection and privacy specialists, cryptographers, and other tech experts to collectively decide what digital companies should do to identify and reduce child predation on their platforms—and then require companies to actually do it. The safeguards the committee might recommend would likely include things like proactive, dynamic content scanning to identify abusive photos and videos, but also communication surveillance to watch for predators who could be forming relationships with potential victims and "grooming" them for exploitation.

Though it seems wholly focused on reducing child exploitation, the EARN IT Act has definite implications for encryption. If it became law, companies might not be able to earn their liability exemption while offering end-to-end encrypted services. This would put them in the position of either having to accept liability, undermine the protection of end-to-end encryption by adding a backdoor for law enforcement access, or avoid end-to-end encryption altogether.

Facebook has most prominently made the argument in recent months that it can adequately identify child predation threats without eliminating or undermining user data protections like end-to-end encryption. The safeguard only makes data readable on the sender's and receiver's devices, boxing companies out of accessing user data directly.

Law enforcement officials and members of Congress have countered, though, that tech companies can't do enough to stop child predation and distribution of illegal content on their platforms if they can't access their users' data.

"We share the EARN IT Act sponsors’ commitment to child safety and have made keeping children safe online a top priority by developing and deploying technology to thwart the sharing of child abuse material," Thomas Richards, a Facebook spokesperson, said in a statement. "We’re concerned the EARN IT Act may be used to roll back encryption, which protects everyone’s safety from hackers and criminals, and may limit the ability of American companies to provide the private and secure services that people expect."

Riana Pfefferkorn, the associate director of surveillance and cybersecurity at Stanford's Center for Internet and Society, outlined fears about the privacy and security implications of an earlier leaked draft of the EARN IT Act in January. After a preliminary assessment of the version of the bill introduced on Thursday, she told WIRED that she sees well-meaning revisions aimed at reducing concerns that EARN IT could violate First, Fourth, and Fifth Amendment rights related to speech, privacy, and lawful search. But she says the bill remains fundamentally problematic.

"I see this as being an attempt to cure procedural problems while throwing a bone somewhat to civil liberty, privacy, and security concerns," she told WIRED. "But looking at the additional language it’s clear to me that this is still going to be a vehicle for the attorney general to wage his war on encryption. And it's kind of a black box. One of my fears is if this were implemented, what’s to stop China from saying 'in addition to monitoring for child sex abuse images, turn this on for Uighur freedom activists too.'"

Child exploitation has already been the focus of a recent, ongoing campaign by the Department of Justice to break encryption. In October, for example, Attorney General Barr sent an open letter to Facebook, cosigned by British and Australian officials, directly asking the company not to deploy end-to-end encryption protections across its messaging services. That month DOJ also hosted a Lawful Access Summit focused on child exploitation investigations and how tech companies can help. In the 2016 Apple versus FBI showdown over whether Apple could be compelled to build a tool to unlock one of the San Bernardino shooters' iPhones, DOJ tried to use the threat of terrorism as a lever to undermine encryption. All of this serves as important context for the EARN IT Act.

"This is a profoundly awful proposal on multiple levels," says Julian Sanchez, a senior fellow at the Cato Institute, of the EARN IT Act. "It uses the laudable aim of fighting child exploitation to cynically launder law enforcement’s unsuccessful, decades-long effort to undermine strong end-to-end encryption. And it codifies the idea of using Section 230 immunity—without which no online platform could realistically risk hosting user-generated content at scale—as a cudgel to force private businesses to adopt government-approved content moderation practices."

Meanwhile, though the Department of Justice's Thursday announcements represent voluntary steps to combat digital child sexual exploitation, the specter of the encryption debate looms large there as well. In addition to the DOJ, representatives from all of the Five Eyes intelligence alliance countries attended the launch and are involved in the initiative. The United Kingdom in particular pushed anti-encryption laws in recent months, and Australia passed lawful access legislation at the end of 2018 with major potential implications for the protection as well.

"Encryption remains the elephant in the room," James Brokenshire, the United Kingdom's security minister, said during the DOJ press conference. "I’ve got to say that putting our children at risk for what I believe are marginal privacy gains is something I really struggle to believe any of us want."

Privacy and security experts unanimously disagree with Brokenshire's assessment. The argument they have made for decades in defense of encryption is that any measure that undermines or eliminates it would expose millions of vulnerable people to invasive surveillance by both governments and criminals, like abusers. Meanwhile, in a world without strong encryption protections for regular people, governments and criminals would be the two main groups that would inevitably maintain exempt or illegal access to strongly encrypted tools.

"The EARN It Act threatens the safety of activists, domestic violence victims, and millions of others who rely on strong encryption every day," Kate Ruane, senior legislative counsel of the American Civil Liberties Union, said in a statement. "Because of the safety and security encryption provides, Congress has repeatedly rejected legislation that would create an encryption backdoor. This bill is not the solution to the real and serious harms it claims to address."

DOJ's initiative is less controversial, because it's voluntary. But the EARN IT Act's potential to become law and serve as a binding counterpart concerns researchers on all parts of the political spectrum.


More Great WIRED Stories