The Government plans to scan every single message online
Imagine an Internet where the law requires every message sent to be read by government-approved scanning software.
Before the novel coronavirus arrived on its shores, the United States had spent decades becoming a heavily digitized society. Now, the pandemic is deepening that dependence on digital technology, converting millions of in-person interactions into online communications. That dependence means good cybersecurity, including strong encryption, has become more crucial than ever.
With millions of Americans banking, working, and living online, there is no worse time to weaken encryption and disincentivize improvements in cybersecurity. And yet that’s precisely what the Senate Judiciary Committee is trying to do right now, with a bill called the EARN IT Act that would deal a disastrous blow to online privacy and security.
The pandemic response is creating ever more electronic information that needs protection. This includes financial information, such as stimulus checks, small business loans, and unemployment claims. More and more health information is now online, as “telehealth” care proliferates. Information about individual health was already private and subject to strict protections, but moving forward, who is and isn’t positive for COVID-19 represents one of the most sensitive pieces of information about a person. Schools have been forced to move classes online. And with the economic crisis prompting layoffs, insurance claims, lawsuits, and bankruptcies, a huge amount of confidential legal information and attorney-client communications is now being generated.
The right to privacy does not end when life moves online. We still have confidential business matters to discuss, financial affairs to conduct, health, friendships, and relationships to care for, religious services to attend. We have always been free to have private, ephemeral interactions with only those whom we wish to take into our confidence, while excluding everybody else.
Encryption is not a panacea for privacy and data security, but it is a key tool for staying safe online and keeping eavesdroppers out of our personal and business lives. Disturbingly, it is a technology that is now under threat in Washington.
The EARN IT Act is a sneak ban on encryption
Introduced on March 5, the EARN IT Act would amend Section 230 of the Communications Decency Act of 1996. Section 230 largely immunizes online service providers (websites, social media platforms, apps, etc.) from liability for the actions of their users. That immunity blocks most civil lawsuits and criminal charges under state law (with the exception, since 2018, of sex trafficking), but does not bar enforcement of federal criminal law.
Companies that handle users' messages wouldn't be allowed to securely encrypt them, or they'd lose legal protections that allow them to operate. That's what the Senate Judiciary Committee has proposed and hopes to pass into law.
The so-called EARN IT bill, sponsored by Senators Lindsey Graham (R-GA) and Richard Blumenthal (D-CT), will strip Section 230 protections away from any website that doesn’t follow a list of “best practices,” meaning those sites can be sued into bankruptcy. The only guaranteed way to retain immunity would be for the provider to certify that it complies with the set of “best practices” for fighting online child sexual exploitation.
The “best practices” list will be created by a government commission, headed by Attorney General Barr, who has made it very clear he would like to ban encryption, and guarantee law enforcement “legal access” to any digital message. In other words, those “best practices” would be developed behind closed doors by an unelected, unaccountable 19-member commission headed by the attorney general, who would have the authority to approve or reject them. Upon AG approval, the bill would, in a highly unusual move, bypass normal deliberative processes so that the best practices could be rapidly rubber-stamped by Congress.
The EARN IT bill had its first hearing on March 5th, and its supporters’ strategy was clear. Because they didn’t put the word “encryption” in the bill, they’re going to insist it doesn’t affect encryption.
“This bill says nothing about encryption,” co-sponsor Sen. Blumenthal said at that hearing. “Have you found a word in this bill about encryption?” he asked one witness.
It’s true that the bill’s authors avoided using that word. But they did propose legislation that enables an all-out assault on encryption. It would create a 19-person commission that’s completely controlled by the Attorney General and law enforcement agencies.
And, at the hearing, a Vice-President at the National Center for Missing and Exploited Children (NCMEC) made it clear what he wants the best practices to be.
NCMEC believes online services should be made to screen their messages for material that NCMEC considers abusive; use screening technology approved by NCMEC and law enforcement; report what they find in the messages to NCMEC; and be held legally responsible for the content of messages sent by others.
You can’t have an Internet where messages are screened en masse and also have end-to-end encryption, any more than you can create backdoors that can only be used by the good guys.
The two are mutually exclusive. Concepts like “client-side scanning” aren’t a clever route around this; such scanning is just another way to break end-to-end encryption. Either the message remains private to everyone but its recipients, or it’s available to others.
The 19-person draft commission isn’t any better than the 15-person commission envisioned in an early draft of the bill. It’s completely dominated by law enforcement and allied groups like NCMEC.
Not only will those groups have a majority of votes on the commission, but the bill gives Attorney General Barr the power to veto or approve the list of best practices.
Even if other commission members do disagree with law enforcement, Barr’s veto power will put him in a position to strong-arm them.
The Commission won’t be a body that seriously considers policy; it will be a vehicle for creating a law enforcement wish list. Barr has made clear, over and over again, that breaking encryption is at the top of that wish list.
Attorney General William Barr is notoriously hostile to encryption, and he has illegally spied on Americans’ communications before. It’s expected that Barr would not OK any “best practices” unless they condemned end-to-end encryption, and potentially other privacy and security measures too if they might impede law enforcement surveillance.
Once encryption is broken, authoritarian regimes around the world will rejoice, as they will have the ability to add their own types of mandatory scanning, not just for child sexual abuse material but for self-expression that those governments want to suppress.
The privacy and security of all users will suffer if U.S. law enforcement is able to achieve its dream of breaking encryption. Senators should reject the EARN IT bill.
The idea behind the bill is that tech companies are turning a blind eye to child sexual exploitation on their platforms, and the best way to incentivize them to do more is to threaten their Section 230 immunity. This rationale is dubious. Child sex abuse material is already illegal under federal law, and providers are federally required to report it (which they do, millions of times a year). Since Section 230 does not bar federal criminal law enforcement, the Department of Justice is already free to go after providers if they’re falling short of their obligations. (That’s something the DOJ conveniently leaves out when criticizing Section 230.)
The EARN IT Act is widely regarded as a Trojan horse for the DOJ’s longstanding anti-encryption agenda, which Congress has shown no appetite for enacting directly. You might hope that, after weeks on the front lines battling COVID-19-related cybercrime, the DOJ would finally recognize how badly Americans need stronger security. Sadly, the government shows no sign of backing down from its years-old war against encryption.
July 7, 2020