A disaster in the making has been averted at the last minute. EARN IT has passed with the encryption ban elements removed. Critics still point out problems in it.
It seemed that America was on the lead up to another massive digital rights disaster. Yesterday, we reported on America’s encryption ban bill heading to a vote today. The bill, as of yesterday, would compel platforms to conform to a “best practices” as dictated by the Attorney General when it comes to encryption. That would mandate backdoors as the appointee saw fit with almost no accountability. If platforms fail to comply, then they would see their Section 230 elements stripped.
Now, it seems that today saw good news and bad news. The bad news is that EARN IT has passed. The good news is that the encryption ban element have been removed. From The Verge:
But throughout Thursday’s hearing, lawmakers suggested that the EARN IT Act was not a sneaky attempt to weaken encryption on platforms. “This bill is not about encryption and it never will be,” Blumenthal, a co-sponsor, said Thursday. Graham also said that his “goal here is not to outlaw encryption … that will be a debate for another day.” The new version of the bill voted on Thursday weakens language that could force companies to create encryption backdoors for law enforcement. Sen. Patrick Leahy (D-VT) filed an amendment to the bill that would “exclude encryption” as something that could heighten liability for platforms. It was approved and incorporated into the measure that now faces a floor vote.
The new version of the “EARN IT Act replaces one set of problems with another by opening the door to an unpredictable and inconsistent set of standards under state laws that pose many of the same risks to strong encryption,” Mike Lemon, senior director and federal government affairs counsel for the Internet Association, said in a statement Thursday.
With the massive re-write at the last minute, critics barely had any time to assess the new legislation before passage. While the removal of the encryption ban elements, no doubt, comes to a massive relief to digital rights advocates and security observers, critics still see major problems in the legislation. From TechDirt:
That said, there are still massive problems with this bill, and that includes significant constitutional concerns. First off, it remains unclear why the government needs to set up this commission. The companies have spent years working with various stakeholders to build out a set of voluntary best practices that have been implemented and have been effective in finding and stopping a huge amount of CSAM. Of course, there remains a lot more out there, and users get ever sneakier in trying to produce and share such content — but a big part of the problem seems to be that the government is so focused on blaming tech platforms for CSAM that they do little to nothing to stop the people who are actually creating and sharing the material. That’s why Senator Wyden tried to call law enforcement’s bluff over all of this by putting out a competing bill that basically pushes law enforcement to do its job, which it has mostly been ignoring.
On the encryption front: much of the early concern was that this commission (with Attorney General Bill Barr’s hand heavily leaning on the scales) would say that offering end-to-end encryption was not a “best practice” and thus could lead to sites that offered such communication tools losing 230 protections for other parts of their site. This version of EARN IT removes that specific concern… but it’s still a threat to encryption, though in a roundabout way. Specifically, in that FOSTA-like carve out, the bill would allow states to enforce federal criminal laws regarding CSAM, and would allow states to set their own laws for what standard counts as the standard necessary to show that a site “knowingly” aided in the “advertisement, promotion, presentation, distribution or solicitation” of CSAM.
And… you could certainly see some states move (perhaps with a nudge from Bill Barr or some other law enforcement) to say that offering end-to-end encryption trips the knowledge standard on something like “distribution.” It’s roundabout, but it remains a threat to encryption.
Then there are the constitutional concerns. A bunch of people had raised significant 4th Amendment concerns in that if the government was determining the standards for fighting CSAM, that would turn the platforms into “state actors” for the purpose of fighting CSAM — meaning that 4th Amendment standards would apply to what the companies themselves could do to hunt down and stop those passing around CSAM. That would make it significantly harder to actually track down the stuff. With the rewritten bill, this again is not as clear, and there remain concerns about the interaction with state law. Under this law, a site can be held liable for CSAM if it was “reckless” and there are reasons to believe that state laws might suggest that it’s reckless not to do monitoring for CSAM — which could put us right back into that state actor 4th Amendment issue.
So, while threats still remain, the size of the threat has been reduced. At this stage, opposition will have to re-orientate themselves to point out the remaining flaws of the legislation. If anything, there is still time to fight this. Still, at the very least, digital rights can celebrate a small victory that progress has been made in defeating this legislation.
Drew Wilson on Twitter: @icecube85 and Facebook.
