EARN IT Act: Savior of Children or Privacy Assassin?
In early March of 2020, the US Senate introduced the draft of the notorious EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act.
EARN IT is a bipartisan effort. On the surface, the bill’s goal is to create tools to effectively combat the sexual exploitation of children on the internet, including child pornography and child trafficking ads. But many believe the bill violates the freedom of speech and could be weaponized by Trump in his recent spat with certain social media platforms that actively work to undermine him. Even the Human Rights Watch urged the Senate to reject the bill.
While these rules only apply in the United States, it is the United States where the most popular online platforms are incorporated, and the U.S. market is key to most social media platforms and instant messengers. Changes in U.S. law can have a real and lasting impact on the situation in the industry and on users around the world.
In this article, we explore the connection between the anti-CP law and allegations of censorship and an attack on data encryption.
EARN IT Act in a Nutshell
The current version of the 1997 Communications Decency Act states that “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”
This means that online social media platforms, like Twitter, Facebook, or YouTube, are not responsible for content published by users, provided that the platform itself was not directly involved in the creation or publication of such content.
Yet there are exceptions when the above exemption does not apply—when it comes to gross violations of user privacy, intellectual property laws, human trafficking, and some other criminal acts. This means that would a platform, for example, be used by a third party to promote/facilitate prostitution, the platform’s owner may still be liable.
The EARN IT Act emphasizes another exception when online platforms can be held liable for user-posted content—sexual exploitation and abuse of children.
The Act also introduces the so-called “safe harbor”, which allows the platform to get an exemption from liability if it has complied with “best practices.” Best practices are a yet-hypothetical set of rules designed to combat the distribution of CP content that has not been developed so far.
In an obvious play on words, this means that platforms will have to “earn” immunity from liability. To do this, the platform will have to fulfill all the requirements described in the best practices, which will likely entail being audited by the Attorney General’s office.
Does It Really Mean More Censorship?
Not really. No additional bans on any type of content are being introduced, as child pornography is already very much illegal.
That being said, it is a clear power move by the state which has long tried to establish more control over corporate social media giants even before Trump’s media wars. Censorship is already flourishing on those platforms. And current “best practices” already exist and are devised by the corporate elite and often are much more stringent than what the actual U.S. laws require.
The Communication Decency Act protections were the obvious line of attack here as these protections are a privilege rather than a right and it is easier to justify their revocation if the recipient is no longer deemed eligible to enjoy them.
Yet public concerns are definitely justified as this law is seen by many as a slippery slope that might lead to the adoption of more stringent restrictions in the future.
It’s Encryption That Is Actually Under Attack
The text of the act contains section 9, which states that “nothing in this Act or the amendments made by this Act shall be construed to require a provider of an interactive computer service to search, screen, or scan for instances of online child sexual exploitation.” But even so, some experts believe that best practices can actually force platforms to find ways to provide such screening to avoid liability.
“Though it seems wholly focused on reducing child exploitation, the EARN IT Act has definite implications for encryption. If it became law, companies might not be able to earn their liability exemption while offering end-to-end encrypted services. This would put them in the position of either having to accept liability, undermine the protection of end-to-end encryption by adding a backdoor for law enforcement access, or avoid end-to-end encryption altogether,” Lily Hay Newman wrote for Wired.
Although the bill itself does not actually mention backdoors and encryption, the best practices that will be approved after its adoption may require online platforms to provide backdoors and other mechanisms to allow on-demand access to user correspondence as well as tools to decrypt encrypted data.
This poses a real risk that the best practices may enable government agencies to force platforms to relent access to all kinds of users’ private and encrypted data on the premise of protecting children against exploitation.
“Provisions of the EARN IT Act threaten access to encryption, which is a secure technology that keeps people safe and protects rights in the digital age. Once one government enjoys special access, so too will rights-abusing governments and criminal hackers,” noted Human Rights Watch in their open letter to the Senate.
On top of that, the associate director of surveillance and cybersecurity at Stanford’s Center for Internet and Society Riana Pfefferkorn claimed that the bill is “potentially unconstitutional under the First, Fourth, and Fifth Amendments.”
Meanwhile, tech giants have intensified their lobbying activities and are taking decisive action against the adoption of the act. For example, the popular Signal messenger, whose reputation and market position is largely based on the protection of user data and privacy has threatened to flee the U.S. if the law passes.
How Do Similar Laws in Other Countries Work?
In Putin’s Russia, regulation of the internet is usually connected with fighting extremism, rather than human rights abuse. Such was the so-called “Yarovaya’s law” introduced in 2018 as an anti-terrorist measure. Among the many provisions of the law, the entities who were involved in “dissemination of information online”—messengers, social networks, email clients, even websites—were legally forced to provide the FSB (former KGB) with means to decrypt any message that the security agency requires. Failure to comply incurs monetary penalties but may later escalate to jailtime.
Many may remember Russia’s stand-off with Telegram which eventually fizzled out. As Russian-born Telegram CEO refused to comply with the new law and provide the state with the means to intercept and decrypt instant messages, Telegram was branded a messenger that facilitates terrorism and banned in Russia, to no avail, though.
Last year, the Chinese government also introduced a new cybersecurity law. The law basically gives the government unlimited access to all data within the country, regardless of whether it is stored on Chinese servers or transmitted through Chinese networks.
This means that there will be no anonymous online accounts and VPNs, no private or encrypted messages. Cryptographic systems not verified and authenticated by the government effectively were made illegal. The penalties may be quite serious and include fines, the shutdown of company networks/websites, or revocation of business licenses.
In other words, using cryptography to hide information from the government in these countries can and will get you in trouble with the law.
A Surprising Conclusion: EARN IT Might Be Even Worse Than Trump’s Initiative
A surprising realization here is that the EARN IT Act is potentially much more dangerous than Trump’s recent executive order.
Trump would remove social network’s protections under CDA 230 if they choose to engage in editorial activities, i.e. hiding messages behind warnings or editorializing users’ posts. Some deem that unconstitutional.
EARN IT Act goes a little bit further, putting the onus on the platforms to comply with the rules to retain their immunities. But most importantly it will provide the government with the means to access private information and even force service providers to create backdoors for their encryption mechanisms. And when there is a backdoor, it means that not only the government but also the criminals may be able to employ it, which is another perfect recipe for a disaster.
While EARN IT will likely bring no additional firepower to the fight with child exploitation, it may potentially jeopardize encryption as a perfectly legal tool that citizens may use to protect their privacy and defend their business and personal space from cyber-criminals. If anything, in the increasingly digitized world where online fraud and hacker attacks are becoming more and more widespread and dangerous we need more encryption, not less.
Subscribe to our Newsletter<
- ‘TikTok Spies On You and Transfers Data to Chinese Authorities.’ But Is It All That Bad?
- Secure Identity Expert Explains How Cryptography Gives Us Power Over Personal Data
- Eastern European Hacker Group Stole $200m From Crypto Exchanges via Supply-Chain Attack
- Telegram User Data From Earlier Leaks Found on Dark Web, Contact Import Feature Is to Blame
- Are RSA and Cryptocurrencies Safe Despite Quantum Computing Progress?
- How to Defend Yourself Against Scammers, Corporations, and Government: Hacker’s Perspective
- Google Chrome Extensions With 32M Downloads Have Malicious Add-Ons that Steal Data, Report
- Eastern Europe Hit by Massive Russia and China-backed Cyberattacks, Including Strong Propaganda on Social Networks, Analysis Suggests