At the last minute, EARN IT got completely re-written and voted on. EFF is saying that EARN IT is still a threat to encryption.
Earlier this month, everyone in the security and privacy community was watching in horror as EARN IT came closer and closer to being law. The encryption ban law was essentially becoming a moment of impending doom for anything technology related in the US. In this day and age, that is basically a vast majority of everything in the country. Legislators geared up for a critical vote on the legislation and it seemed that nothing was going to stop this massive disaster on the country.
It was only at the last minute that the whole bill was re-written to eliminate parts of the legislation that has to do with the encryption ban. This, of course, left no room for reassessment of what the bill had become before the vote. Indeed, this last minute change had muddied the waters of what the legislation actually still means.
Now that the dust is settling, assessments of the legislation are pouring in. The assessment about EARN IT and encryption is still not good. The Electronic Frontier Foundation (EFF) says that state level lawmakers can still prod around the laws for loopholes such as demanding client-side scanning prior to the messages being encrypted. From the EFF:
this isn’t a theoretical problem. The idea of using “client-side scanning” to allow certain messages to be selected and sent to the government, circumventing the protections of end-to-end encryption, is one we’ve heard a lot of talk about in the past year. Despite the testimonials of certain experts who have sided with law enforcement, the fact is, client-side scanning breaks the protections of encryption. The EARN IT Act doesn’t stop client-side scanning, which is the most likely strategy for state lawmakers who want to use this bill to expand police powers in order to read our messages.
And it will only take one state to inspire a wave of prosecutions and lawsuits against online platforms. And just as some federal law enforcement agencies have declared they’re opposed to encryption, so have some state and local police.
The previous version of the bill suggested that if online platforms want to keep their Section 230 immunity, they would need to “earn it,” by following the dictates of an unelected government commission. But the new text doesn’t even give them a chance. The bill’s sponsors simply dropped the “earn” from EARN IT. Website owners—especially those that enable encryption—just can’t “earn” their immunity from liability for user content under the new bill. They’ll just have to defend themselves in court, as soon as a single state prosecutor, or even just a lawyer in private practice, decides that offering end-to-end encryption was a sign of indifference towards crimes against children.
Offering users real privacy, in the form of end-to-end encrypted messaging, and robust platforms for free speech shouldn’t produce lawsuits and prosecutions. The new EARN IT bill will do just that, and should be opposed.
So, technically speaking, EARN IT is no longer an outright ban on encryption, but it does open encryption up to vulnerabilities in the legal side of things.
Another thing to point out is the fact that November is less than 5 months away. So, this means that the clock is ticking for this bill to be passed. In theory, with enough opposition, this bill can be defeated simply by running out the clock. As a result, there is still hope that this bill can be defeated with enough opposition. Time will tell if such efforts will ultimately become successful.
Drew Wilson on Twitter: @icecube85 and Facebook.
