America’s Encryption Ban Law, EARN IT, Is Back

It seems that the US is going to have another round of debating the merits of online security thanks to the return of EARN IT.

At the start of the month, we reported on Canada’s war on the open Internet. Not only was it crazy and ill-advised, but at this stage, it seems all by inevitable that these laws were going to pass, wrecking the Internet in Canada and destroying parts of the countries economy. Some American’s looking on are probably seeing all those events unfold with a mixture of “what the heck is going on up there?” and “well, at least the US isn’t doing something outrageously stupid.”

Well, now America is now coming face to face with their own governments complete and utter insanity. That comes in the form of the return of EARN IT. Cue the expletives. For those who either had no idea what happened or were lucky enough to have finally erased that terrible thought from their memories, EARN IT died on January of 2021 – just a little more than a year ago. The legislation was effectively the governments way of trying to bring back the debate about encryption by pushing forward a law that basically banned any of it that they couldn’t put a back door in. Ergo, they wanted to ban effective encryption.

While there were other laws that tried to accomplish this same goal, the efforts, understandably, got substantial backlash from digital rights and security experts alike. Still, the government wanted to move forward with it anyway and invented, well, flat out lies about how the bad guys are going dark because encryption was completely impervious to their detection capabilities. The reality was that the government wanted to have a rematch with the public after the 1996 Clipper Chip debate and attempts to classify encryption as a munition ended with the consumers winning anyway.

Of course, things are drastically different between the mid-90’s and now. Encryption is a huge part of people’s every day lives. Whether it’s websites with HTTPS, security protocols for online banking, general online commerce, trading digital currency or the buying and selling of one of the most cringeworthy Internet acronyms, NFT’s, or added layers of security through VPN solutions, more and more people are using some form of encryption somewhere along the way. As a result, it became easier to explain that when you start seeing governments demand backdoor access, that reliability of different kinds of services would become compromised. If a weakness is deliberately set, it inherently compromises that security as a whole.

Want to buy something on Amazon? Well, that’s now a rather risky prospect. Thinking of purchasing a subscription to Netflix? Probably not the safest thing to do. Online banking? You’re much better off walking to the bank in person. Wanting to start a private chat server with friends? You might as well have invited an FBI agent to make the whole scene feel downright creepy. The bottom line is, what you can reliably do online suddenly becomes much more limited. The list of things that would become more difficult or impossible just keeps growing. As such, the list of people who were less than thrilled with this prospect just kept growing.

So, it isn’t a huge surprise that American’s were sending notes or ringing up their congress critter and asking them if they went completely crazy with the idea of banning effective encryption. The fallout for moving for this law anyway didn’t even have to be theoretical. All American’s really needed to do was look at what happened in Australia and, well, let’s just say, it ended really really really badly.

Of course, after the abomination that was EARN IT finally died, memories started to fade about it. Crazy idea’s like banning encryption seemed like a world away and the focus can be more centred around ousting the biggest disgrace to ever take the seat of the American Presidency – of which that campaign was mercifully successful.

Sure, the Biden Administration wasn’t exactly the greatest after taking office, but it sure beat the stock market crashing every other week because of a stupid Twitter comment or word of yet another agency getting gutted simply because some of the ideas might have had a hint of Democrat influence. The simple truth was that Biden had an incredibly low bar to slide over and the nightmare of the Trump administration being over was good enough for a number of American’s. At the very least, there wasn’t going to be something completely off the wall crazy going to happen, right?

So, it’s with all that you can hardly blame American’s for being unsure of they can emotionally handle the insanity that was the EARN IT debate all over again. Sadly, this debate is about to have a redux whether American’s like it or not. From NextGov:

The Eliminating Abusive and Rampant Neglect of Interactive Technologies, or EARN IT Act, was reintroduced into the U.S. Senate on Monday, reopening the potential for Congress to impose stricter penalties related to online content featuring child sex abuse material.

A key pillar of the proposed legislation is augmenting the provisions outlined in Section 230 of the Communications Decency Act, which protects online platforms from being liable for third party content hosted on their domains.

Should the EARN IT Act pass, it would limit the blanket protections established in Section 230 given to web hosts such as Facebook, Twitter, and YouTube, leaving them vulnerable to potential prosecution.

“There are tens of millions of photos and videos circulating throughout the internet, showing the most heinous acts of sexual abuse and torture of children,” said Sen. Lindsey Graham, R-SC, one of the bill’s sponsors. “The EARN IT Act removes Section 230 blanket liability protection from service providers in the area of child sexual abuse material on their sites. The days of children being exploited on the internet and their families being unable to do anything about it are coming to an end.”

Yeah, let’s just say the acronym of FML is a very understandable reaction to that. Can’t these crazy ideas just continue to be hashed out by other countries and give American’s a break for a while?

Section 230, of course, is a critical component of the ability for the modern Internet to operate. It basically is a law that says that the platforms or websites are not automatically liable for the activities of their users. There have been some carve outs such as the overzealous efforts to take down content in the name of copyright, but at least some sectors of the Internet could still benefit this completely sane and logical law. Eliminate Section 230 and the American Internet with so much free and open conversation and user generated content is basically finished. So, sure, let’s throw in the ability to have freedom of expression thrown into the debate while you are at it.

Understandably, supporters of security and freedom of expression were less than amused by these developments. They were already hard at work knocking down some of these tired arguments. From TechDirt:

If you want to know just how bad the bill is, I found out about the re-introduction of the bill — before it was announced anywhere else — via a press release sent to me by NCOSE, formerly “morality in media,” the busybody organization of prudes who believe that all pornography should be banned. NCOSE was also a driving force behind FOSTA — the dangerous law with many similarities to EARN IT that (as we predicted) did nothing to stop sex trafficking, and plenty of things to increase the problem of sex trafficking, while putting women in danger and making it more difficult for the police to actually stop trafficking.

Amusingly (?!?) NCOSE’s press release tells me both that without EARN IT tech platforms “have no incentive to prevent” CSAM, and that in 2019 tech platforms reported 70 million CSAM images to NCMEC. They use the former to insist that the law is needed, and the latter to suggest that the problem is obviously out of control — apparently missing the fact that the latter actually shows how the platforms are doing everything they can to stop CSAM on their platforms (and others!) by following existing laws and reporting it to NCMEC where it can be put into a hash database and shared and blocked elsewhere.

But facts are not what’s important here. Emotions, headlines, and votes in November are.

At least in the FOSTA case, supporters could (incorrectly and misleadingly, as it turned out) point to Backpage as an example of a site that had been sued for trafficking and used Section 230 to block the lawsuit. But here… there’s nothing. There really aren’t examples of websites using Section 230 to try to block claims of child sexual abuse material. So it’s not even clear what problem these Senators think they’re solving (unless the problem is “not enough headlines during an election year about how I’m protecting the children.”)

The best they can say is that companies need the threat of law to report and takedown CSAM. Except, again, pretty much every major website that hosts user content already does this. This is why groups like NCOSE can trumpet “70 million CSAM images” being reported to NCMEC. Because all of the major internet companies actually do what they’re supposed to do.

And here’s where we get into one of the many reasons this bill is so dangerous. It totally misunderstands how Section 230 works, and in doing so (as with FOSTA) it is likely to make the very real problem of CSAM worse, not better. Section 230 gives companies the flexibility to try different approaches to dealing with various content moderation challenges. It allows for greater and greater experimentation and adjustments as they learn what works — without fear of liability for any “failure.” Removing Section 230 protections does the opposite. It says if you do anything, you may face crippling legal liability. This actually makes companies less willing to do anything that involves trying to seek out, take down, and report CSAM because of the greatly increased liability that comes with admitting that there is CSAM on your platform to search for and deal with.

EARN IT supporters claim they “fixed” the threat to encryption in the original bill by using text similar to Senator Leahy’s amendment to say that using encryption cannot “serve as an independent basis for liability.” But, the language still puts encryption very much at risk. As we’ve seen, the law enforcement/political class is very quick to want to (falsely) blame encryption for CSAM. And by saying that encryption cannot serve as “an independent basis” for liability, that still leaves open the door to using it as one piece of evidence in a case under EARN IT.

Indeed, one of the changes to the bill from the one in 2020 is that immediately after saying encryption can’t be an independent basis for liability it adds a new section that wasn’t there before that effectively walks back the encryption-protecting stuff. The new section says: “Nothing in [the part that says encryption isn’t a basis for liability] shall be construed to prohibit a court from considering evidence of actions or circumstances described in that subparagraph if the evidence is otherwise admissable.” In other words, as long as anyone bringing a case under EARN IT can point to something that is not related to encryption, it can point to the use of encryption as additional evidence of liability for CSAM on the platform.

Again, the end result is drastically increasing liability for the use of encryption. While no one will be able to use the encryption alone as evidence, as long as they point to one other thing — such as a failure to find a single piece of CSAM — then they can bring the encryption evidence back in and suggest (incorrectly) some sort of pattern or willful blindness.

And this doesn’t even touch on what will come out of the “committee” and its best practices recommendations, which very well might include an attack on end-to-end encryption.

So, if you were unsure if this legislation is an attack on Section 230 or an attack on encryption, the simple answer is that it is both.

What’s more is that this push to “protect the children” has been a cover for plenty of awful surveillance and anti-security laws around the world for well over a decade now. The effectiveness of this cover story has been quite hit and miss, but it does show that politicians still seem to think that this is a viable tactic to push such awful laws in the first place.

If there is a silver lining in all of this, it’s that American’s have one advantage over EARN IT that Canadians do not have with the Liberals War on Encryption: time. In Canada, the Liberals war on the open Internet started less than a week after the session resumed in the new year. For American’s this started rather late in the first two years of office. That means it has until November before midterms hit which is about 10 months away. That really isn’t the worlds longest runway to make EARN IT take off into the law books. If anything, EARN IT could still just crash and burn like last time and leave American’s relieved yet again that the US couldn’t pass a law that incredibly stupid in the first place.

Of course, a lot can happen in the interim and this development does show that the US hasn’t necessarily given up on the idea of banning effective encryption. Sadly, for American’s, the fight is now on to, once again, try to defend the free and open Internet.

Drew Wilson on Twitter: @icecube85 and Facebook.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: