Is the EARN IT Act the end of encryption?

While the world has been consumed with the COVID-19 pandemic, legislation has been introduced in the Senate that would greatly expand the power of the federal government to monitor communications and would threaten end-to-end encryption.

If passed, the Eliminating Abusive and Rampant Neglect of Interactive Technologies (“EARN IT”) Act could result in a backdoor being added to end-to-end encryption, allowing governments to monitor encrypted discussions – including phone calls, messages, photos and videos – and sensitive data.

What is the EARN IT Act?

As Alfred Ng explains on CNET:

“The EARN IT Act was introduced by Sen. Lindsey Graham (R – SC) and Sen. Richard Blumenthal (D – CT), along with Sen. Josh Hawley (R – MO) and Sen. Dianne Feinstein (D – CA) on March 5.

The premise of the bill is that technology companies have to earn Section 230 protections rather than being granted immunity by default, as the Communications Decency Act has provided for over two decades.”

The EARN IT Act has been proposed as a way to protect children from online predators and sexual exploitation. However, the bill establishes a dangerous precedent by forcing companies to install a backdoor to their encrypted data, essentially creating an opening that could be stolen or abused by anyone.

What’s at stake

The bill’s intention is to make tech platforms liable for activity and content posted on their servers that is related to child sexual exploitation and abuse.

Companies that voluntarily adhere to recommended safeguards would earn a “liability exemption,” giving them the same protections currently provided under Section 230 of the Communications Decency Act (1996) to freely publish content on their platforms without being held liable for what’s posted.

The EARN IT Act revises Section 230, basically saying that companies that don’t actively monitor and protect children online do not deserve immunity from lawsuits. If passed, tech companies could be sued for failing to take proper steps to prevent online child exploitation.

“Proper steps” would be determined by a government committee headed by Attorney General William Barr and would likely include actively monitoring content to identify abusive photos and videos, as well as communications surveillance to watch for predators who could be “grooming” children for exploitation.

It would also threaten E2E encryption. If the EARN IT Act becomes law, major tech companies like Facebook, Microsoft, Apple, and Google would have few options: either provide backdoor access to law enforcement to monitor encrypted communication, undermining privacy and security, or risk losing long-standing legal protections for content posted by their users if they provide end-to-end encrypted services.

“There is no such thing as a backdoor that can only be used by law enforcement” – Ted Harrington, Independent Security Evaluators

Why is this a big deal?

In a word, hackers. If backdoor access is created for law enforcement, it threatens the privacy and security of all users. Once a company like Facebook, Apple or Google weakens its encryption, its systems are vulnerable to attack from hackers and criminals.

E2E encryption – which is used to secure communications in messaging apps and protect sensitive data such as medical records – would be impossible.

The fact is, any kind of encryption backdoor that can be accessed by law enforcement can also be exploited by hackers or used for any purpose. Either a message remains private, or it is open to anyone. 

As a cybersecurity company, we understand the deep ramifications this would have on confidential communications.

Without secure E2E encryption, businesses would be unable to share confidential information or protect sensitive data in compliance with government mandates (HIPAA, PCI, etc.). Private phone calls and messages could be eavesdropped on by malicious attackers. Sensitive information could be stolen. Governments could spy on their people.

Is this the end of encryption?

A growing number of tech companies, including Facebook, have pledged to follow the established guidelines to fight child exploitation by moderating their users. They draw the line, however, at creating a backdoor for encryption.

“We share the EARN IT Act sponsors’ commitment to child safety and have made keeping children safe online a top priority by developing and deploying technology to thwart the sharing of child abuse material,” Thomas Richards, a Facebook spokesperson, said in a statement. “We’re concerned the EARN IT Act may be used to roll back encryption, which protects everyone’s safety from hackers and criminals, and may limit the ability of American companies to provide the private and secure services that people expect.”

And while the final bill has bipartisan support, some Senators are raising the alarm. Sen. Ron Wyden (D – OR) has called the EARN IT Act “a transparent and deeply cynical effort by a few well-connected corporations and the Trump administration to use child sexual abuse to their political advantage, the impact to free speech and the security and privacy of every single American be damned.”

The American Civil Liberties Union (ACLU) and Electronic Frontier Foundation (EFF) have also spoken out against the EARN IT Act, with the ACLU arguing that it “threatens the safety of activists, domestic violence victims, and millions of others who rely on strong encryption every day.”

So why does the government want this?

The EARN IT Act will give the acting Attorney General William Barr unchecked power to decide what “best practices” providers must implement if they want to retain immunity for content posted by their users. 

Right now, encryption is legal, and the US government cannot snoop on Americans’ private communications. This bill would strip away tech companies’ ability to protect your privacy and data security.

Whether or not there should be a backdoor for encryption that gives law enforcement and corporations access to our encrypted discussions should be part of a larger national discussion, not part of a bill that is being pushed through while people are distracted by a pandemic.