Security news that informs and inspires

New EARN IT Act Has Old Issues

By

The latest version of the highly controversial EARN IT Act that is in committee in the Senate right now may be a more serious threat to strong encryption than the previous versions and could force platform providers into the decision not to even offer encrypted services, lawmakers, civil liberties and technology policy advocates say.

The current iteration of the EARN IT Act is the third one and like the others, its main focus is on identifying and eliminating child exploitation material online. But as in the other versions, the current bill has language that would increase the liability for platform operators that use end-to-end encryption on their services. The bill currently is in the Senate Judiciary Committee, and experts worry that if it passes it will have a severe impact on the security of the services platform owners such as Google, Meta, and others can offer.

The crux of the issue is whether platform operators should know and be responsible for all of the content that passes through their systems.

“As introduced, EARN IT dramatically increases the risk of liability for any service that offers end-to-end encryption. Under EARN IT, the use of encryption (or the failure to weaken that encryption) cannot serve as an independent basis for liability. But EARN IT expressly permits courts to consider the use of encryption as evidence to support other claims— including under state laws with a lower mens rea requirement,” TechFreedom officials said in a letter to Judiciary Committee leaders.

In other words, under the terms of the proposed bill, platform owners would almost certainly have to know what’s on the platforms, which would essentially eliminate the use of strong encryption. A separate bill called the STOP CSAM Act has similar language,

“Current law does not immunize platforms for criminal conduct. The new bills would drastically drop that requirement so that they’re liable for negligence in civil suits. Platforms would likely have to know what’s on the platforms, so they might set up automated content analysis, which is bad, and undermine encryption,” said Cody Venzke, senior policy counsel at the ACLU.

Wyden, one of the strongest advocates for encryption and privacy on Capitol Hill, said he’s concerned that lawmakers are putting their efforts in the wrong place.

“CSAM is a problem and this bill is not the answer. The focus ought to be to help prevent kids from becoming victims in the first place, not on undermining security and privacy,” said Sen. Ron Wyden (D-Ore.), during an online event Wednesday.

“We need to pass comprehensive privacy legislation in this country. This fight has been the longest running battle since the Trojan War. The root cause of so much bad corporate behavior really is the privacy issue. Tech companies hoover up so much private data and then they misuse it.”

Other organizations worry that the EARN IT Act’s language could lead to the use of client-side scanning, which allows services to scan users’ devices for illegal material rather than doing so on the platform side.

“Notably, the bill leaves room to impose forms of ‘client- side scanning,’ which violates user privacy by sending data to law enforcement straight from user devices, before a message is encrypted. EFF has long held that client-side scanning violates the privacy promise of end-to-end encryption, even though it allows the encryption process to proceed in a narrow, limited sense,” the Electronic Frontier Foundation said in a letter to the Judiciary Committee leaders.