Earn IT Act affect privacy

The EARN IT act is the latest piece of U.S. legislation, that at face value, aims to thwart child sexual exploitation. But that, many suspect, is yet another underhanded attempt by the U.S. government to undermine widespread use of encryption, in what is sometimes referred to as the Crypto Wars.

The Crypto Wars is the “friendly” name given to the U.S. government and its allies’ attempts to limit the access of foreign nations as well as the general public to strong encryption. The Crypto Wars started during the Cold War, with export regulations on military technology, which included encryption products. Back then, it was pretty much only the military that was interested in encryption.

Then, when PCs became commonplace, the U.S. government targeted web browsers’ implementations of SSL, coercing Netscape (remember them?) into providing two versions of its web browser. There was the U.S. edition, which had 128-bit encryption, and then there was the International version, which had deliberately weaker encryption, i.e., 40-bits. Obtaining the U.S. version turned out to be such a hassle that the overwhelming majority of users, even in the United States, were using the International version, with weak encryption that could be broken in a matter of days. Legal challenges brought forth by privacy advocates and the fact that encryption products were widely available outside of the United States eventually led the U.S. to back down and relax its export controls on encryption. But that wasn’t the end of the Crypto Wars.

Then came mobile phones and the clipper chip – probably the most notorious proposal to emerge from the Crypto Wars. So what was the clipper chip? It was a chip, designed by the NSA, no less, which all manufacturers that wanted to sell mobile phones in the U.S. would be required by law to implement in their products. The clipper chip would provide encryption to voice and data messages.

Sounds good, right?

No.

The whole point of the clipper chip was to undermine its own encryption by having a built-in backdoor to be used by law enforcement (the good guys) to decrypt the communications of the bad guys, whoever they may be: fraudsters, terrorists, pedophiles, you name it. That was the rationale for a backdoor.

See also: Encryption backdoors

A backdoor was required, the U.S. government argued, because without it all the bad guys would be able to commit their crimes with impunity. But detractors of the clipper chip quickly pointed out that you simply cannot create a backdoor that will only be used by the “good guys”. As soon as you implement the backdoor, it’s just a matter of time before the “bad guys” figure out how to use it. Then everyone’s security and privacy are undermined – not just the bad guys’. There is no such thing as a golden key.

Plans for the clipper chip were first publicly discussed in 1993. And with the backlash the proposal created, it was abandoned by 1996.

After that, the Crypto Wars appear to have fizzled out. But they weren’t extinguished, of course. Undermining strong encryption seems to be a long term goal of the U.S. government. U.S. law enforcement agencies have been demonizing encryption while putting the spotlight on horrible criminal acts in an attempt to scare elected officials into supporting backdoors ever since.

So the attacks on encryption never stopped, and they all follow the same playbook as the clipper chip example: Claiming it’s absolutely vital to bypass encryption in order to thwart our current least favorite bad guys. Its latest attempt, the EARN IT Act, is no exception. And that’s what we’re going to look at in this post.

What is the EARN IT Act?

The EARN IT Act is a piece of legislation currently being examined by the U.S. Senate. EARN IT stands for the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020. The bill has bipartisan sponsors in Sen. Lindsey Graham (R – South Carolina) and Sen. Richard Blumenthal (D – Connecticut). And the stated goal of the bill is to fight child sexual exploitation online – a laudable goal if I ever saw one.

The bill would create the National Commission on Online Child Sexual Exploitation Prevention. That commission would be formed by three agency heads: the chairman of the Federal Trade Commission, the secretary of Homeland Security, and the Attorney General. They would be joined by 16 other members, selected by the leaders of the Senate and the House of Representatives.

The commission’s mandate would be to come up with a set of “best practices” to be followed by internet companies in order to stop the proliferation of child sexual abuse content online.

Initially, the bill made adherence to these “best practices” a prerequisite to obtaining the protections of Section 230 of the Federal Communications Act. Section 230 is a critical piece of legislation that shields internet companies from liability for the content posted by their users on their platforms. Without the protections guaranteed under Section 230, internet companies, like Facebook, would bear legal responsibility for any infringing posts made by its users. Under Section 230, you are responsible for your own posts, not the platform on which you posted them. It’s one of the main pillars for free speech on the internet.

So in the bill’s first draft, internet companies needed to “earn” the protections of Section 230. But the bill was amended to remove the prerequisite. Now, adherence to the “best practices” is no longer compulsory. Nonetheless, companies can still have criminal or civil charges brought against them if any unlawful material is distributed over their platform and they don’t comply with the “best practices” laid out by the EARN IT Act.

Face value?

In this bill, the bad guys are pedophiles. Fighting pedophiles – who could be opposed to that? Nobody. And that’s the point. But is that really what the bill does?

Proponents of the bill claim, as usual, that it represents a crucial tool in stopping really really bad stuff nobody could possibly oppose – in this case, child sexual abuse. But there are many critics of the EARN IT Act who claim the bill does little to protect children, undermines free speech and privacy, and that it’s a backdoor attempt at undermining end-to-end encryption (no pun intended).

Let’s unpack that a little and see what’s behind those claims.

Over-censorship of online speech

One of the main grievances against the EARN IT Act is that it weakens the protection internet companies get from Section 230 of the Federal Communications Act. And because of that, platforms would very likely over-censor their users for fear of liability. This would mean deleting innocent posts and/or kicking off innocent users from the platform.

EARN IT also violates the First Amendment, according to the Electronic Frontier Foundation (EFF). In a letter the EFF sent to congress, they explain that the EARN IT Act would effectively regulate how platforms handle online speech. But the editorial activities of internet platforms are protected by the First Amendment, and online commentary, such as a Facebook post, counts as “editorial activities” – a direct contradiction.

And aside from the constitutional issue it raises, just the fact that the bill aims to regulate how internet platforms manage the speech posted by their users, rather than targeting unlawful content directly, would further incentivize platforms to over-censor.

Additionally, they raise the fact that any law that regulates the content of speech needs to be as narrowly and precisely worded as possible (strict scrutiny), to avoid a chilling effect on legitimate speech. But EARN IT is so broadly worded that we don’t even know what the “best practices” are… yet. And once we do find out, they “are likely to be vague and be both over- and under-inclusive”. This means that the “best practices” would be lacking the necessary level of detail for their proper implementation, leading to a situation where some of the targeted unlawful content would remain online while other lawful content would be taken down.

Another attack on encryption

Remember a few paragraphs up, we wrote that the National Commission on Online Child Sexual Exploitation Prevention would be composed of three agency heads, one of which is the Attorney General and 16 other members chosen by the leaders of Congress and the Senate? Well, as it turns out the Attorney General is William Barr, and he’s made several claims blaming encryption for the sexual exploitation of children. So many detractors of the EARN IT Act believe it to be another attempt at undermining end-to-end encryption – a modern-day clipper chip, without the chip.

End-to-end encryption is a communication system in which only the communicating parties are able to gain access to their messages. If a message is ever intercepted in transit, it is unreadable, because it’s encrypted and the intercepting party does not hold the decryption key. In an end-to-end encryption scheme, the message contents are encrypted, locally on your device, before being sent to its recipient, who is the only person who can decrypt the message. Even the tech company that facilitates these messages cannot decrypt them.

But how could a bill designed to protect children from sexual exploitation be used to undermine encryption?

When the commission comes up with its “best practices”, the commission members will vote on them. These “best practices” pass this first vote if approved by 14 of the 19 members. After the vote, however, the three agency heads could unanimously approve the “best practices” to be presented to Congress for a vote. Or scrap them. The three agency heads have veto power that can be used to coerce the rest of the commission to include the “best practices” they want to see implemented. A structure that would pretty much guarantee that anti-encryption practices are presented to Congress for a vote.

And those “best practices” themselves could, even without mentioning the word encryption, compel online service providers to weaken their encryption or even stop providing encryption altogether, for fear of not adhering to the standards defined by the “best practices” and exposing themselves to litigation.

The ACLU also argues in that direction. In a letter it sent to the U.S. Senate Judiciary Committee, it wrote:

These legal standards could force platforms to undermine or weaken their own encryption and privacy practices in order to avoid legal liability because plaintiffs could argue that end-to-end encryption, itself, is reckless or negligent conduct. […] Such liability claims could be bolstered if the advisory committee’s best practices recommend that platforms create encryption backdoors or otherwise take steps to weaken the encryption of their services. Given that Attorney General Barr has identified end-to-end encryption as one of the primary obstacles to combating CSAM [child sexual abuse material] and other crimes, and the fact that he or his designee will head the commission, there remains a significant risk that the commission’s best practices may recommend against strong encryption practices.

In an attempt to assuage those fears, Sen. Patrick Leahy (D – Vermont) introduced an amendment to the bill that would specifically “protect” encryption. The amendment states that the EARN IT Act wouldn’t be used to “require a provider to search, screen, or scan” private messages for unlawful content.

Such scanning has been discussed before as a way to circumvent encryption without technically breaking it. The scan occurs prior to the contents of the message being encrypted – effectively breaking encryption by rendering it useless. If I can read your messages before they’re encrypted, what do I care if you encrypt them or not? And, as the opponents to EARN IT argue, even if the bill includes language to prevent it from implanting searching, screening, or scanning directives, it would be trivial for the Commission to propose “best practices” that don’t require scanning the messages and uploads in themselves, but that are impossible to implement without scanning them.

Another reason for the amendment’s inclusion may have been to not fly in the face of the Fourth Amendment. The “best practices” approach in the EARN IT Act could be interpreted as coercing online service providers into becoming government agents that search users’ communications without a warrant or probable cause—something the Fourth Amendment expressly prohibits.

In general, courts have rejected arguments claiming online service providers become government agents when they assist the government by searching for and providing user data. They rejected those arguments in favor of the government’s argument that companies regularly and voluntarily scan their networks for their own purposes. And that whether they assist the government or not, these should be considered “private searches”.

It’s unclear how the courts would consider the “best practices” in this context – we don’t even know what they are yet. But without that amendment, the EARN IT Act’s “best practices” could be more easily construed as coercing internet companies into becoming government agents. And that would enable defendants to make a much stronger case in claiming that EARN IT violates their Fourth Amendment protections.

End-to-end encryption is privacy, online

From here, it’s easy to see how breaking or sidestepping end-to-end encryption affects your online privacy. Whether you break encryption by introducing a backdoor or by mandating the scanning of messages prior to encryption, or by simply not offering encryption at all, the bottom line is that you break online privacy.

Without encryption, it becomes impossible to communicate privately online. All of your communications could be swept up by any of the many intermediaries through which your communications transit between you and your intended recipient. Apps and operating systems could scan messages before being sent and after they’re received.

There are essentially three kinds of encryption: encryption in transit, encryption at rest and end-to-end encryption.

Encryption in transit

You probably use encryption in-transit on a daily basis. Whenever you log into your online banking website, you’re using Secure Socket Layer encryption (SSL) to encrypt your communications in-transit. You’ll notice the “https” in the URL. And it’s not just banks; pretty much any service you log into on the internet today uses SSL to encrypt data sent between users and servers.

Encryption at rest

Encryption at rest is applied to the contents of your communications while they’re not in transit. In practical terms, this usually means as they sit on a service provider’s servers.

Say I have a picture on my iCloud – Apple’s cloud storage service. That picture was encrypted in-transit, using SSL as I uploaded it to Apple’s servers. And then it was encrypted by Apple once it reached its servers. That last part, where Apple encrypts my photo on their servers, is encryption at rest.

But there’s an issue with the example I just outlined: Apple is the one who encrypted my file. And so Apple holds the key to decrypt it. That means Apple can access my unencrypted file. That’s an issue with encryption at-rest when it isn’t implemented with end-to-end encryption, such as with iCloud.

Had my file been end-to-end encrypted, I would have benefited from encryption at rest that could not even be decrypted by Tim Cook himself. And that’s because end-to-end encryption incorporates both encryption at-rest and encryption in-transit and hands the key over to the user.

End-to-end encryption

So with end-to-end encryption, the contents of the communications are encrypted locally, on your device, before being sent out to your intended recipient. And only you and your recipient have access to the key to decrypt it. Once the message is encrypted, it’s sent over the internet. Then, once it’s received by your recipient, only they can decrypt it.

But what if your recipient isn’t immediately available and your message has to sit on a service provider’s server for a few hours? Because you encrypted the message locally before sending it, it remains encrypted at rest, and your service provider doesn’t have the key to decrypt it.

That’s how end-to-end encryption earns its name. Your messages are encrypted end-to-end, in-transit, and at-rest. That’s the only way to guarantee the integrity and privacy of your online communications. And that’s why Attorney General Barr finds it so unpalatable.

The more things change, the more they stay the same…

So that, in a nutshell, is the EARN IT Act and the risks it poses. It’s the latest iteration of a long term U.S. government goal: undermining strong encryption. And we saw that the EARN IT Act does a good job at that. But what does it do to protect children?

The EARN IT Act actually does little to protect children or to help the various organizations that work with victims of child sexual exploitation. Nor does it help the law enforcement agencies tasked with these cases, who are sorely lacking in personnel and technical resources to prosecute all of the child exploitation cases that are referred to them by the National Center for Missing and Exploited Children (NCMEC).

It is already the case now, that if an online platform knowingly distributes child exploitation material, the DoJ can and must go after them. And it is already the case now, that if an online platform finds this type of material on its platform, it is compelled to report it to the NCMEC, who will in turn report it to law enforcement.

Yet, only a tiny subset of the child exploitation cases referred to law enforcement by the NCMEC are prosecuted, because of lack of resources and stretched budgets. The way forward would be to give these agencies the resources they need to properly do their jobs. And providing further support to the organizations that work with the victims of these horrible crimes and their families.

History tends to repeat itself. But in 2020, we don’t get a clipper chip, we get the EARN IT Act. Same goal, different bad guys. And we can doubt, as many do, that undermining encryption, privacy, and free speech will do much to thwart the bad guys or to protect their victims. But hey, welcome to the Crypto Wars.

See also: