Depending on who you ask, the EARN IT Act could either destroy the fundamental values of an open internet or protect children from being sexually exploited online. The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, which requires tech companies to meet safety requirements for children online before obtaining immunity from lawsuits, will have its first public hearing on Wednesday.
A bipartisan group of US lawmakers introduced the bill Thursday, claiming that the legislation would enforce standards to protect children from sexual exploitation online. The announcement came at the same time the Justice Department hosted a press event arguing that end-to-end encryption protects online predators.
While few would question the importance of ensuring child safety, technology experts warn that the bill is really just the government's latest attempt to uproot both free speech and security protections online.
The proposed law has already been met with widespread criticism from security experts, civil liberties advocates and opposing lawmakers. The bill has been considered a veiled attempt to erode end-to-end encryption and also targets Section 230, an important part of the Communications Decency Act of 1996 that protects free speech by granting tech companies immunity from any liabilities associated with content on their platforms.
Here is a breakdown of the policy issues surrounding the EARN IT Act, why lawmakers want it, and why so many security and privacy experts are against the legislation.
What is the EARN IT Act?
The EARN IT Act was introduced by Sen. Lindsey Graham (R-South Carolina) and Sen. Richard Blumenthal (D-Connecticut), along with Rep. Josh Hawley (R-Missouri) and Sen. Dianne Feinstein (D-California) on March 5.
The premise of the bill is that technology companies have to earn Section 230 protections rather than being granted immunity by default, as the Communications Decency Act has provided for over two decades.
The lawmakers proposed the bill as a way to protect children from online predators, after prosecutors told senators that tech companies were not doing enough to prevent sexual exploitation. The Justice Department has argued for years that end-to-end encryption prevents investigators from gathering evidence that would catch online criminals.
At a Senate hearing in December, Sen. Graham and Sen. Blumenthal both warned tech companies, including Apple and Facebook, that they would introduce legislation on encryption if they could not find a compromise.
To "earn" Section 230 protections, as the bill suggests, tech companies would have to meet standards established by a new National Commission on Online Child Sexual Exploitation Prevention.
This commission is made up of the heads of the Justice Department, the Department of Homeland Security and the Federal Trade Commission, as well as members appointed by Congress. No elected officials will serve on the commission.
A draft of the bill first published in January does not specifically mention encryption or what the established standards would be, but the Justice Department and the DHS have long called for "lawful access" to encrypted messages.
"We are also addressing child exploitation in our efforts on retaining lawful access and in analyzing the impact of Section 230 of the Communications Decency Act on incentives for platforms to address these crimes," Attorney General William Barr said at a press event on March 5.
What is Section 230?
Section 230 is an important feature of the Communications Decency Act that has allowed for free speech on tech platforms — but has come under fire since the legislation was first introduced in 1996.
Section 230 states that "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider."
What that legal jargon means is that tech companies like Facebook or YouTube are not responsible for what is posted on their platforms — the liability falls squarely on the user.
Without Section 230, companies could be endlessly sued for every negative review or piece of content posted, curtailing free expression online.
"Our bill would allow individuals to sue tech companies that don't take proper steps to prevent online child exploitation, and it's an important step to protect the most vulnerable among us." Sen. Dianne Feinstein, a Democrat from California
The internet has drastically changed since Section 230 first went into effect, as tech companies find immunity from hate speech and terrorist content posted on their platforms, and lawmakers have considered revisiting the provision on multiple occasions.
In an interview with The New York Times editorial board, Democratic presidential candidate Joe Biden said that Section 230 should be revoked immediately. Sen. Bernie Sanders, who is also running for president, told Vox that he intends to revisit Section 230 if elected president.
The EARN IT Act represents another avenue that lawmakers are taking to revise Section 230, arguing that tech companies that don't meet standards for protecting children online do not deserve immunity from lawsuits.
"Companies must do more to combat this growing problem on their online platforms," Sen. Feinstein said in a statement. "Our bill would allow individuals to sue tech companies that don't take proper steps to prevent online child exploitation, and it's an important step to protect the most vulnerable among us."
Proper steps could include providing lawful access — something cryptography experts consider a threat to end-to-end encryption.
What is end-to-end encryption?
End-to-end encryption is a security protocol that encodes your communications — including phone calls, messages, photos and videos — making it undecipherable to people outside of the conversation.
It's also used for sensitive data, like passwords, financial and health information stored on your devices. Encryption also protects your data from being viewed by employees of the company providing the service, as well as government regimes looking to spy on their citizens.
The Department of Defense has explained that it depends on encryption to protect their employees and its sensitive data.
What is lawful access?
Lawful access is the US government's latest push against end-to-end encryption. It calls for tech companies to create an opening in their own encryption — one that only law enforcement agencies could use for investigations.
The concept has gone by many different names in the past. In 2017, the Justice Department called it "responsible encryption." But the concept remains the same: provide the unbreakable encryption for everyone, but also provide a special key that governments could use to stop criminals with a warrant or court order.
Why is the government against end-to-end encryption?
The Justice Department has called it "warrant-proof encryption" or "unbreakable encryption," arguing that it cannot keep track of criminals or gather evidence because of the security protocol.
The FBI calls it the "Going Dark" problem, pointing out that investigations can reach a dead end because of encryption. Prosecutors have asked for backdoors to encryption to solve cases on terrorism and drugs. With the EARN IT Act, the framing of the issue is now around child abuse.
This new push came after Facebook announced plans in November to encrypt all its messaging services.
This plan worried prosecutors, who point out that Facebook reported about 16.8 million cases to the US National Center for Missing & Exploited Children in 2018. Their concern is that if Facebook encrypted its messages, police could no longer use that as evidence in child exploitation cases.
The Justice Department has said that it understands the value of encryption and what it protects, but does not support how criminals have used it.
"They communicate using virtually unbreakable encryption," Barr said at the March 5 press event. "Predators' supposed privacy interests should not outweigh our privacy and security."
Why can't firms allow 'lawful access' while keeping encryption?
Governments around the world have asked tech companies to provide backdoors to their own encryption. Australia passed laws enforcing it and lawmakers in the UK are considering passing their own legislation.
Each time, tech companies have argued that what the governments are asking for is impossible, and would end up causing more harm. Apple battled the FBI over encryption in 2016 by refusing to unlock a terrorist's iPhone for an investigation.
The problem with lawful access, tech experts noted, is that the backdoor or key created for governments would essentially create an opening for everyone. There's always the potential that this special access can be stolen and abused — as cyberattacks have leaked government tools in the past.
"At this time, we've been unable to identify any way to create a backdoor that would work only for the good guys," Erik Neuenschwander, Apple's manager of user privacy, told senators during a hearing last December. "When we have weaknesses in our system, they're exploited by nefarious entities as well."
"There is no such thing as a backdoor that can only be used by law enforcement." Ted Harrington, executive partner at security company Independent Security Evaluators
That position echoes across the board for tech giants. At the same hearing, Facebook's product management director for privacy and integrity, Jay Sullivan, argued that they could not provide weakened encryption only for investigations.
"We oppose intentionally weakening the security of encrypted systems because doing so would undermine the privacy and security everywhere and leave them vulnerable to hackers, criminals and repressive regimes," Sullivan said.
Security experts have also called out flaws behind "lawful access" for years, arguing that it fundamentally breaks end-to-end encryption.
"There is no such thing as a backdoor that can only be used by law enforcement," said Ted Harrington, an executive partner at security company Independent Security Evaluators. "Attackers will eventually find a way to use it too."
How does the EARN IT Act threaten end-to-end encryption?
The EARN IT Act does not mention encryption directly, though policy experts are concerned that the guidelines established by the proposed legislation would require companies to provide lawful access.
The legislation draft gives the attorney general final approval of the guidelines, and the Justice Department's record against encryption is indicative of what's to come, experts said.
"When you're talking about a bill that is structured for the attorney general to give his opinion and have decisive influence over what the best practices are, it does not take a rocket scientist to concur that this is designed to target encryption," said Lindsey Barrett, a staff attorney at Georgetown Law's Institute for Public Representation Communications and Technology Clinic.
If passed, tech companies would have to make the choice between weakening their own encryption and endangering all its users, or giving up Section 230 protections and facing a potential flood of lawsuits.
"The removal of Section 230 liability essentially makes the 'best practices' a requirement," Kate Ruane, a senior legislative counsel for the American Civil Liberties Union, said. "The cost of doing business without those immunities is too high."
Many tech giants can't afford that risk, and it's unclear how they will act if this legislation is passed. Google and Apple declined to comment on the proposed bill.
In a statement, Facebook said it plans on working with the EARN IT Act's sponsors to help keep children safe, but raised issues about what it means for security and privacy.
"We're concerned the EARN IT Act may be used to roll back encryption, which protects everyone's safety from hackers and criminals, and may limit the ability of American companies to provide the private and secure services that people expect," the company said.
While the EARN IT Act is specifically tailored to protect against online child exploitation, once a company weakens its own encryption, that access could essentially be used for any purpose.
If you want a more in-depth breakdown, Riana Pfefferkorn, Stanford's Center for Internet and Society's associate director of surveillance and cybersecurity, provides a detailed look on the EARN IT Act and the specific ways the legislation threatens encryption.
Is this bill likely to pass?
Of the many tech-focused laws proposed in Silicon Valley's reckoning, the EARN IT Act appears to have the most momentum, particularly because of its bipartisan backing, as well as its framing around protecting children rather than directly going after encryption.
"For those of us that are privacy advocates, we're very concerned about how quickly this bill could move if we don't make our concerns clear upfront," the ACLU's Ruane said.
When the draft bill first surfaced, there had been two senators attached to it. When it was officially announced, the EARN IT Act grew to 10 lawmakers sponsoring the bill. It has bipartisan support from six Democrats and four Republicans.
The bill's critics understand that online child sexual exploitation is an abhorrent crime and that tech platforms are not doing nearly enough to curb the issue.
"For those of us that are privacy advocates, we're very concerned about how quickly this bill could move if we don't make our concerns clear upfront." ACLU senior legislative counsel Kate Ruane
The concern with the bill is that if it uproots end-to-end encryption, it would likely end up putting children in more danger, as their sensitive information could now be stolen and eavesdropped on by malicious attackers.
The EARN IT Act has not been proposing itself as an anti-encryption bill, however, and rather as an anti-child abuse law, despite the risks that it poses for security and privacy.
"It's framing a problem as impossible to rebut," Barrett said. "Who can be against a child protection, anti-bad guy bill?"
Would the EARN IT Act protect children online?
The EARN IT Act's sponsors believe that the bill will push companies to act more aggressively to stop child predators using their platforms, which could include weakening encryption to follow the established guidelines.
The bill's critics say providing access to encrypted messages would not necessarily mean more children are protected. It would give investigators more tools to work with, but enforcement is an entirely different concern, experts said.
While Facebook provides millions of reports to the National Center for Missing & Exploited Children every year, the amount of action taken is not quite the same, due to a lack of resources and funding from the federal government, according to a New York Times report.
A better way to address the issue would be to give law enforcement more resources, the ACLU's Ruane said.
Sen. Ron Wyden, a Democrat from Oregon who introduced Section 230, argued that the EARN IT Act is a distraction from the Justice Department's lack of funding and resources to handle online child exploitation.
"I'll be offering legislation in the coming days to drastically increase the number of prosecutors and agents hunting down child predators, require a single person in the White House to be personally responsible for these efforts and direct mandatory funding to the people who can actually make a difference in this fight," Wyden said in a statement.
Who supports this bill?
The EARN IT Act is sponsored by:
- Senate Judiciary Committee chairman Lindsey Graham (R-South Carolina)
- Sen. Richard Blumenthal (D-Connecticut)
- Rep. Josh Hawley (R-Missouri)
- Sen. Dianne Feinstein (D-California)
- Sen. Kevin Cramer (R-North Dakota)
- Sen. Doug Jones (D-Alabama)
- Sen. Joni Ernst (R-Iowa)
- Sen. Bob Casey (D-Pennsylvania)
- Sen. Sheldon Whitehouse (D-Rhode Island)
- Sen. Dick Durbin (D-Illinois)
It's also supported by child protection groups like the National Center for Missing & Exploited Children, Rights4Girls, and the National Center on Sexual Exploitation.
Who opposes this bill?
The EARN IT Act faces opposition from several civil rights groups, as well as privacy advocates and lawmakers. They include:
- The Electronic Frontier Foundation
- The American Civil Liberties Union and Americans for Prosperity
- Access Now
- Center for Democracy & Technology
- Fight for the Future
- Wikimedia Foundation
- Surveillance Technology Oversight Project
- Consumer Technology Association
- Internet Association
- Computer & Communications Industry Association
Sen. Wyden also criticized the bill for its impending effects on encryption.
"This bill is a transparent and deeply cynical effort by a few well-connected corporations and the Trump administration to use child sexual abuse to their political advantage, the impact to free speech and the security and privacy of every single American be damned," Wyden said in a statement.