Return of the EARN IT Act rekindles encryption debate at critical moment for privacy-protecting apps
Lawmakers will mark up legislation next week that would hold tech companies accountable for child sexual abuse materials and images distributed on their platforms, part of a growing push in Washington, across the U.S. and abroad to crack down on activity online related to harming minors.
This marks the third time Sens. Lindsey Graham, R-S.C., and Richard Blumenthal, D-Conn., have put the bill — the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act — forward. The bill previously failed to see a floor vote, instead drawing backlash from security experts and privacy advocates over its potential to weaken the availability of end-to-end encryption.
Those concerns are heightened today amid growing worries about the privacy of people seeking abortions after the Supreme Court overturned Roe v. Wade and amid state laws eroding LGBTQ+ civil rights. Additionally, the FBI and Interpol both recently spoke out against encrypted chat apps, and lawmakers in the U.K. and European Union are considering laws like the EARN IT Act that could also decrease the availability of encryption.
All these developments could open the next front in the war over encryption that has flared up over the past decade, often pitting law enforcement against civil liberties groups in the U.S. and abroad.
What’s different this time is a growing public awareness about the benefits of encryption. In the wake of the Supreme Court’s abortion ruling, for instance, the California, New York and D.C. attorneys general all issued warnings to residents to avoid unencrypted messaging technology when discussing sensitive information. And the return of the EARN IT Act is already sparking public pushback. An online petition from the group Fight for the Future asking Congress to oppose the bill has more than 500,000 signatures.
The EARN IT Act “is probably one of our biggest encryption-threatening bills worldwide,” said Natalie Campbell, senior director of North American government and regulatory affairs for the Internet Society, a founding member of the Global Encryption Coalition.
The bill would make two significant changes to current laws. First, the legislation strips companies of liability protections outlined in Section 230 of the Communications Decency Act in cases involving child exploitation, opening the door for more state and private plaintiff cases. Second, it removes the federal knowledge standard for child sexual abuse materials, making it easier for courts to make the argument that a tech company was negligent in offering encryption because it knew it could be used to transmit child sexual abuse materials.
“They are opening the courthouse door and lowering the threshold to get through that door and successfully bring a claim,” said Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory. “And so all of that will operate to disincentivize providers or allow the punishment of providers of offering encryption.”
Furthermore, privacy advocates say, the EARN IT Act would make it easier for law enforcement to claim that a company acted negligently or recklessly by offering encryption, bolstering a years-long argument law enforcement has made against encrypted services. While in previous years those complaints have centered around terrorism and drug trafficking, increasingly law enforcement has pointed to child abuse in its concerns about end-to-end encryption.
Earlier this month, the FBI joined with Interpol and the U.K. National Crime Agency to blast Meta’s expansion of encryption, saying it “blindfolds” them to abuse and is a “purposeful design choice that degrades safety systems.” Former Attorney General William Barr used concerns about child exploitation when sparring with Meta over its plans to roll out full end-to-end encryption across its messaging products in 2019, arguing that “going dark” impeded the Justice Department from investigating child predators.
The EARN IT Act, introduced the same year Meta announced its encryption plans, got its name from an original plan to allow companies to “earn” liability protections by following guidance from a law enforcement-led national commission. It has become synonymous with concerns that weakening encryption hurts everyone, not just criminals, so much so that lawmakers tried to address encryption concerns in 2020 by clarifying in the bill’s text that the use of full end-to-end encryption cannot serve as an “independent basis for liability.” Experts criticized the fix, which does not prohibit encryption from being used as evidence of negligence, as insufficient.
Now, critics say that the Supreme Court’s Dobbs decision and the rise of laws targeting LGBTQ+ rights make the stakes of the bill even higher than during previous reintroductions. “You can’t be pro-choice and anti-encryption,” said Pfefferkorn.
Moreover, experts worry that the broad definitions in the EARN IT Act could give states the ability to pressure service providers to not just weaken encryption, but to remove lawful content entirely under the pretext of concerns about child exploitation.
Emma Llansó, director of the Center for Democracy and Technology’s Free Expression Project, said the EARN IT Act would be a “gift to those state prosecutors” seeking to “censor large parts of the web” and criminalize information about reproductive health care and LGBTQ+ content.
Llansó pointed to the purge of content related to sex and nudity after the passage of FOSTA-SESTA, a bill aimed at eliminating sex trafficking, as an example of what tech companies do when their liability protections are threatened.
Some advocates expressed surprise to CyberScoop that lawmakers reintroduced the EARN IT Act with virtually no changes, given previous opposition. In fact, one of the only notable changes to the bill is the removal of the term “grooming,” according to a copy of the bill. Blumenthal’s office told CyberScoop the term was removed to more precisely reflect the conduct in the U.S. criminal code that the bill covers.
Technology companies are already legally required to report known child sexual abuse materials to the National Center for Missing and Exploited Children, which then forwards those reports to law enforcement. Many have taken an additional voluntary step by using “hash matching,” a technology that allows systems to flag abusive images that have already been reported and assigned a digital signature.
Proponents of EARN IT and other online safety bills say that this kind of voluntary system leads to underreporting and that not enough firms are using hashing. “When you start looking at the reports coming in from these companies, they’re often missing a lot of information or are just unhelpful,” said Alexander Delgado, director of public affairs for ECPAT-USA, an anti-trafficking policy organization.
Because hashing is based on known material, it has limitations in what it can detect. Other automated tools may produce false results or incorrectly flag child abuse. For instance, The New York Times reported two instances in which parents were accused by Google of uploading child sexual abuse materials after taking sensitive images of their children to share with doctors. In both cases, the men were investigated and cleared by law enforcement, but Google permanently suspended their accounts.
Despite these limitations, some lawmakers in the U.S. and abroad have pressured companies to go a step further by scanning users’ messages for abusive material before they are sent, using a process called client-side scanning. Efforts to do so, like a ditched attempt by Apple in 2021, have been met with swift criticism by encryption experts.
Electronic Frontier Foundation senior analyst Joe Mullin compared the technology to having someone read your messages over your shoulder. Even if the technology doesn’t technically break the encryption, it breaks “the values of what end-to-end encryption promises,” he said. “There’s no way to look at all the messages for this one bad crime and also have end-to-end encryption,” said Mullin. “It’s actually incompatible.”
Since the EARN IT Act’s initial introduction in 2020, children’s online safety has taken center stage in Congress. Other proposals include the recently introduced STOP CSAM Act, which includes measures such as enforcing new child exploitation reporting obligations for tech companies. There is also the Kids Online Safety Act, which would require platforms used by kids 16 and under to prevent the promotion of content encouraging harmful behaviors. A boom in state-level children’s safety laws also adds pressure on federal lawmakers to act.
“There’s definitely a lot of momentum for some of these bills, which kind of heightens our concern that something is gonna pass through,” said Campbell of the Internet Society.
The EARN IT Act isn’t the only sign of a new front in the war on encryption worrying encryption experts. The European Union has introduced its own CSAM regulations, and the United Kingdom’s Online Safety Act, which would promote client-side scanning, is making its way through Parliament over the protests of global tech firms.
“It’s like this kind of global onslaught,” said Mullin.
Every expert CyberScoop spoke with agreed that tech companies need to do more to protect children online. However, critics of EARN IT say that there are less controversial changes that wouldn’t interfere with encryption that Congress could explore first. For instance, Congress could extend CyberTip hotline preservation times, Pfefferkorn suggested.
“If we could have more of a thoughtful and sustained discussion about that and put these civil liberties violating ideas off the table that could be a really positive approach,” CDT’s Llansó said. “I’m not sure EARN IT can do that.”
Proponents of the legislation say, however, that time is of the essence. “I think we need to at least do something instead of just trying to find the perfect answer,” said Delgado, whose organization supports both EARN IT and STOP CSAM. “So, if we see something that doesn’t work that’s when we should be making changes.”
Delgado acknowledged that there are “valid critiques” of the bills but said that “there are costs and benefits to all legislation.”
Encryption experts worry those costs could hurt the very children the legislation is trying to protect. “Absolutely nobody wants to prevent efforts to fight child abuse online,” said Campbell, who is a parent. “But you cannot undermine encryption without introducing a significant threat to every single internet user.”
Corrected April 26, 2024: An earlier version of this article misstated that the EARN IT Act had not been formally reintroduced.