EARN IT Act gets no changes to encryption language in Senate committee
The Senate Judiciary Committee approved legislation Thursday that is designed to crack down on child sexual abuse materials online, despite warnings from privacy advocates that the bill could pose a major threat to encrypted technologies.
The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act), introduced for the first time in 2020 by Sens. Lindsey Graham, R-S.C., and Richard Blumenthal, D-Conn., would remove legal liability immunity from tech platforms found in violation of federal or state laws regarding child sexual abuse materials (CSAM). In 2020 the EARN IT Act sailed out of committee but failed to see a floor vote before the end of the 116th Congress.
The committee made no changes that would address the concerns from civil society groups. Blumenthal said during Thursday’s markup that critiques about the potential effects on encryption are a “giant red herring” by big tech lobbyists.
The bill “gives these victims and survivors as well as state attorneys general, a day in court, access to our justice system, so they can create an incentive for these companies to do the right thing,” Blumenthal said.
Other committee members echoed reservations from privacy advocates that the legislation could, as written, open the door to attacks on encrypted services, especially by states.
“I’m a little concerned that the current language inadvertently mandates interactive computer services to do, for the government, what the government itself is prohibited from doing — which is in engaging in open-ended policing, the accessing and then reporting of private and protected data without the protections of the law,” said Sen. Mike Lee, R-Utah.
Other lawmakers, including Sen. Cory Booker, D-N.J., encouraged the bill’s sponsors to work with civil liberties advocates to address their concerns before a full Senate floor vote. It’s unclear when Senate leaders might make time to consider the bill.
Advocates speak out
“Everyone who communicates with others on the internet should be able to do so privately,” a diverse group of advocacy organizations wrote in a letter Wednesday to the committee’s leaders. “But by opening the door to sweeping liability under state laws, the EARN IT Act would strongly disincentivize providers from providing strong encryption.”
The newest version of the bill, critics say, poses an even greater danger to those applications — including some messaging platforms — than a version the committee approved in 2020. The latest version lacks any language specifically protecting internet platforms from being held liable for offering encryption. Instead, it opens the door for courts to cite encrypted technologies alongside other factors in complaints.
“Any proposal requiring or incentivizing online platforms to provide law enforcement with the ability to circumvent any type of encrypted communication undermines human rights,” said Willmary Escoto, U.S. policy analyst at Access Now, a digital rights nonprofit that signed onto the letter. “And that’s essentially kind of what the EARN IT Act does. Companies shouldn’t be in a position where they’re forced to choose between protecting security and privacy or facing lawsuits.”
The new legislation also opens up liability under a patchwork of 50 state laws. That means state lawmakers could pass any number of statutes limiting tech companies so long as it was in the name of protecting children from sexual abuse.
The EARN IT Act’s cosponsors include Judiciary Chairman Dick Durbin, D-Ill., and ranking member Chuck Grassley, R-Iowa, as well as 16 other senators. A companion version was introduced in the House by Reps. Ann Wagner, R-Mo. and Sylvia Garcia, D-Texas. Supporters lining up in favor of the bill include the National Center for Missing and Exploited Children, National District Attorneys Association, and the Rape, Abuse & Incest National Network.
Concerns about ‘client-side scanning’
Privacy dvocates warn that not only could the bill deter platforms from offering encrypted technology, but it also could pressure them to ramp up what is known as “client side-scanning.” The controversial technique attracted scrutiny last summer when Apple announced it would begin to scan users’ iPhones for CSAM before photos were uploaded to iCloud. Apple backed off after pressure from privacy advocates, but EARN IT could give tech companies an incentive to deploy the technology.
The federal government can’t currently compel companies to do client-side scanning due to Fourth Amendment protections, but Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory, says the pressures proposed under the new bill come dangerously close, potentially jeopardizing evidence against the very criminals the bill’s sponsors are hoping to catch.
“It’s really playing with fire because the whole edifice comes crashing down if we go from voluntary scanning to scanning that has only been initiated because this bill gets passed and companies want to avoid potential mass liability exposure under 50 or more state-level laws,” said Pfefferkorn.
This isn’t the first time that lawmakers have attempted to wield Internet liability laws as a tool in fighting online sex crimes.
Critics including Pfefferkorn point to the outcomes of 2018’s Fight Online Sex Trafficking Act (FOSTA), which the EARN IT act is modeled off of, as an example of the unintended consequences the legislation could have in censoring tech companies and hurting victims rather than helping them. The 2018 law has only resulted in one prosecution since it passed and has been criticized as making the sex work industry less safe for practitioners by forcing more trusted platforms to shutter their services in fear of losing their legal liability shields.
“The same thing is foreseeable here, where if law-abiding sites that don’t want to expose themselves to liability in response to EARN IT will take down large swathes of perfectly legal speech,” said Pfefferkorn. “Simultaneously, we can foresee that it will become harder to track down the victims and perpetrators of child abuse by driving them off of law-abiding platforms that already do a lot to remove this material and into the dark web.”