EARN IT Act & the Crusade Against Encryption

By: Jon Avidor, Jason Gershenson and Maria Samson

In the midst of a global pandemic, a contentious bill attacking encryption and heightening censorship seeks congressional approval. On March 5, 2020, several US. Senators sponsored the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (“EARN IT”), which claims to combat child sex abuse material (“CSAM”) online. The bill’s rhetoric depicts the internet as a 21st century wild west: a space full of criminals in need of policing. Ending CSAM is an utmost priority, and it deserves a solution much more pragmatic than EARN IT. This is the case of a federal official against warrant-proof encryption creating a slippery slope that overwhelmingly invades privacy and jeopardizes free speech by incentivizing social media platforms to censor their users on an unprecedented and alarming scale.

Encryption, the use of cryptographic techniques to safeguard privacy, ensures that digital exchanges of information remain secure from unintended third parties. In a world of cyberattacks and criminal hacking, strengthening encryption — not impairing it — is almost universally considered to be the path to protect individual privacy.  Like many decisions that weigh both public safety and individual security, the Government is charged with striking a balance between patrolling CSAM with surveillance and respecting privacy in communication. However, EARN IT’s slant toward oversight raises fundamental questions: Has the internet grown into a perversion of free speech to justify mass surveillance? If these platforms can censor conversations to detect crime, should they? If so, at what cost? Ultimately, the answers reveal EARN IT to be a potential ‘scorched-earth’ policy that avoidably dismantles the essential right of private communications.

EARN IT requires companies to “earn” immunity. 

While the bill does not outright ban the use of encryption, it has the effect of doing so. EARN IT proposes to create a commission called the National Commission on Online Child Exploitation Prevention (“the Commission”). United States Attorney General William Barr would lead the Commission alongside government officials and experts to draft a set of best practices. The heads of the Department of Homeland Security and the Federal Trade Commission, along with Attorney General Barr would later approve of best practices and make them official. The Commission’s constraints are not yet defined in the bill, which affords the Commission (and particularly Attorney General Barr) a concerning degree of latitude to unilaterally create rules that all social media platforms must comply with. Failure to comply would mean losing immunity under Section 230 of the Communications Decency Act (“Section 230”). Such loss of immunity would trigger numerous lawsuits, and incentivize platforms to excessively scan and monitor posted content. The content of the bill sounds ideal in theory because CSAM is abhorred without exception, but it unnecessarily comes at a great cost to social media user privacy rights.

Section 230 is a liability shield. 

Section 230, a product of the mid-90s Dot-Com Boom, is a liability shield that protects any interactive computer service. An interactive computer service (“ICS“) is essentially any digital platform where its users communicate with others. This Section 230 legislation significantly advanced the evolution of social media because it granted companies immunity from the consequences of illegal content posted by their users. Without such immunity, social media sites probably would not have evolved to be the interactive juggernauts they are today.

Nonetheless, social media platforms like Facebook or Reddit do provide reporting methods for removing illegal content.  They’re simply not held accountable by law if they fail to do so. One could say this was the best of both worlds. For instance, if you were to tweet illegal content, others could surely sue you — but they couldn’t sue Twitter for the content of your tweet. Section 230’s separation of the  ICS from the publisher was a decisive factor in the rise of social media platforms and websites that featured comments sections or messaging functions. EARN IT fundamentally modifies Section 230 because it requires platforms to earn their immunity by complying with yet-to-be-determined best practices. 

The rise of digital communications necessitated strong encryption. 

Within the last two decades, the rise of digital communications begot the advancement of strong encryption. Strong encryption is the fundamental type of privacy that fosters trust and encourages platform usage. In an increasingly insecure digital space, the EARN IT bill undermines the value of trust between platforms and their users by threatening privacy. The bill doesn’t define or specify best practices, giving the Commission an enormous amount of discretion. It also urges platforms to surveil and censor the content of its users, by burdensome manual review or over-invasive algorithm, to detect any criminal activity. Finally, EARN IT gives law enforcement backdoor access to encrypted communications, shattering our existing expectations of privacy in communications. Rather than create a method that determines whether a type of product, business model, or product design, or other factors related to the provision of an ICS would make a social media platform susceptible to the use and facilitation of CSAM, EARN IT  provides for a sweeping curtailment of encryption.

EARN IT could have a chilling effect on free speech.

EARN IT threatens not only privacy but also free speech. To comply, social media platforms may decide to remove any content they think is either “obscene” or that may otherwise get them in legal trouble. Due to the “I know it when I see It” nature of determining “obscenity” in the context of free speech, makes it excessively difficult to adequately train people or generate algorithms to scan user content. Likewise, if people know that platforms will watch their posts, they will be less likely to use such platforms. A moderator could silence dissenting opinions because they find them distasteful. For this reason, EARN IT could have a chilling effect on free speech.

While best practices are yet to be decided, law enforcement should engage in this risk. It appears that EARN IT only seeks to expand the scope of liability to indirectly harm privacy rights and free speech, leaving CSAM prevention as the scapegoat. Like a trojan horse, EARN IT infiltrates in disguise and under the radar.