On March 5th 2020, A bill cited as Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020 or EARN IT Act of 2020 was introduced in the Senate of United States to form a commission with members from US government/administration and industry experts in order to establish ‘best practices’ for the detection and reporting of child abuse related content or material. Its primary role is oversee compliance of advisory [or established best practices] by Internet services.
EARN IT Act of 2020, codifies the establishment of the commission defined as National commission on Online Child Sexual Exploitation Prevention in Section 2 of the Act.
Section 3(b) of the Act, talks about the real purpose. “The purpose of the Commission is to develop recommended best practices that providers of interactive computer services may choose to implement to prevent, reduce, and respond to the online sexual exploitation of children…”.
I am of the opinion that it has very little to do with prevention and eradication of child sexual abuse material (CSAM, aka. child pornography) and very much to do with regulation of interactive computer services, operation or management of their platforms and user-generated content respectively. This Act aims to hold a interactive computer service liable for CSAM claims by revoking their protection under Section 230 of CDA of 1996. Section 230 says that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”
On 2nd July 2020, Senate Judiciary Committee unanimously approved the New EARN IT Act of 2020 (S. 3398) by a vote of 22-0. One of the main feature of the new Earn IT Act is that it allows individuals via private lawyers to sue tech companies that don’t follow “best practices” to prevent online child exploitation or CSAM. Section 230 is amended to remove blanket immunity from any CSAM related laws entirely.
In a blog post, The Center for Internet and Society at Stanford Law School said, ‘EARN IT is among a bumper crop of bills introduced in this Congress that would amend Section 230 of the Communications Decency Act of 1996, which largely immunizes the providers of online services (think: email, social media, websites, apps including messaging apps, you name it) from liability for the actions of their users on their services… The primary thing that the manager’s amendment or New Earn IT Act does is that it cuts off providers’ Section 230 immunity for CSAM, full stop.’
In an objection letter dated 1st July 2020 to U.S. Senate Judiciary Committee, ACLU states, the Amended Earn IT Act of 2020 more dangerous than SESTA/FOSTA, harmful to our Privacy and Security, a Tool for Censorship. It had urged to U.S. Senate Judiciary Committee to Vote “NO” for the same and other reasons.
New America’s Open Technology Institute along with 12 other popular public interest organizations, sent a letter to Senate Judiciary Committee Members to oppose the new or amended EARN IT Act of 2020.
OTI Says, The EARN IT Act is an ineffective and problematic approach to combating child sexual exploitation.’ Suggests, ‘To more meaningfully respond to the problem of child sexual exploitation, Congress should ensure that law enforcement resources are reallocated accordingly.
Lauren Sarkesian, senior policy counsel at New America’s Open Technology Institute goes on to say, “The Senate should abandon the EARN IT Act, which has essentially been rewritten the night before markup, and in a way that does not cure its many ills. Even with the manager’s amendment, EARN IT still poses profound threats to encryption and free expression online. The EARN IT Act should really be renamed the “LOSE IT” Act.”
Pretext, direct threat to encryption and free speech
In a blog post, Mr Lund, developer, Signal Foundation, non-profit behind popular US based secure IM messenger service/app called Signal has rightly pointed out the gist of Earn IT Act. It is Section 230 of CDA of 1996 and its immunity for online platforms in the United States from legal liability for the behavior of their users. Mr Lund, says in absence of such protection many of the apps and services including Signal could not have been created in America. He writes, revoking Section 230 protection from organizations that implement end-to-end encryption is both troubling and confusing.
Signal is recommended by the United States military. It is routinely used by senators and their staff. American allies in the EU Commission are Signal users too. End-to-end encryption is fundamental to the safety, security, and privacy of conversations worldwide.
Signal developer rightly wrote in April about possibility of new law suits that only a web giant like Google or social-media giant like Facebook can handle. And gives a hint on moving abroad as such compliance and/or legal battle for years compounded with fines is not tenable for a small company or non-profit like Signal and many others.
Section 230 makes surveillance tiresome
It is a threat to free speech, expression online and strong encryption. End-to-end encryption or any strong encryption technology could soon be a rare specification in US based products owing to expanded liability of US companies and corporations in case of CSAM claims. In order to maintain legal protection or immunity under Section 230, an interactive computer service will have to give up any end-to-end encryption and conduct thorough scans of user data frequently to detect and report CSAM, if any. This is how an online service becomes compliant.
In a letter dated 1st July to Senate Judiciary Committee opposing the amended EARN IT bill and a post dated 2nd July 2020, EFF focuses on Significance of protection of Section 230, potential backdoor, confusing legal landscape in over 50 jurisdictions. On new Earn IT Act or amended version, EFF said, it gives the power to regulate the Internet to state legislatures. EFF writes, instead of protecting Internet websites and platforms under Section 230 who comply with the “best practices” established by the commission. Now State lawmakers can now make laws to prosecute Internet websites and platforms to hold them liable for their user’s content as long as the purpose is to stop crimes against children. EFF like Signal also talks about Section 230’s protection and how it enabled the Internet as we use it today. EFF says, Section 230 works for both big and small companies, netizens equally and is not broken. It works for all people whether you self-host, use managed hosting or use a popular platform to express yourself.
It protects small messages and email services, every blog’s comments section.
Without the protection of Section 230, free speech will cease to exist on the US Internet. EFF says, forums will be shut down, comment sections might be turned off. There would be a series of false claims for harassment of innocent users.
We’ve seen false accusations succeed in silencing users time and again in the copyright space, and even used to harass innocent users. If EARN IT passes, the range of possibilities for false accusations and censorship will expand.
The new EARN IT Act still is a big threat to encryption. One of the National commission’s agency head, i.e. Attorney General has himself been vocal against use of strong encryption along with FBI, the foremost law enforcement agency in the country. So are state and local police. With power to regulate the Internet in hands of state lawmakers. One of the 50, might spark the battle against online services motivated by their local law enforcement’s demands and power in hand to allow to sue an internet company and hold them responsible for their user’s content. The only outcome in case a non-profit like Signal or a small company like Lavabit chooses to still function in States is to drop any good encryption and frequently scan their user data in fear to prevent distribution of CSAM via their service. Earn IT Act of 2020 as it is, will break encryption, violate user privacy, promote censorship and potentially introduces a robust tool of surveillance at the disposal of any state government.
Private searches – a gold mine for law enforcement
According to EFF, courts rules these scans as “private searches” that are not subject to and hence do not require Fourth Amendment’s warrant at all. Under this doctrine, NCMEC and law enforcement agencies also do not need a warrant to view users’ account content already searched by the companies. It is further stated that EARN IT Act’s “best practices” might result in coercive scans that risk violating all users’ privacy and security, companies would arguably become government agents subject to the Fourth Amendment.
The composition of the above said National commission includes 3 government agency heads and mostly law enforcement officers with only 4 members out of the 19 members who actually have expertise in addressing online child sexual exploitation and promoting child safety at interactive computer services like Twitter, Facebook, Google etc as per the Section 3(c)(2)(D) sub-clause (i) and (ii). Out of the 4, 2 members should be from an interactive computer services unrelated to each other with a minimum of 30,000,000 or 30 million monthly users in the United States. So, it reverses these two seats for two big corporations or tech/web/Internet giants. Section 3(c)(2)(C)(ii) talks about 2 more members of the National commission with current experience in computer science or software engineering related to matters of cryptography, data security, or artificial intelligence in a non-governmental capacity. So, basically, we have 2 out of 19 to think what’s best to practice for the rest. I wonder whether a competent individual as PGP’s creator Phil Zimmermann will qualify at all versus someone who understands FBI’s current needs. What if both are? How do you rule out what’s best in case of a tie?
It is just a pretext and lame excuse. Even simple apps like TikTok or LinkedIn have powers to steal information from your iPhone’s clipboard data. Now, if NSA or a US government or the President really wanted to identify people on Internet doing child sexual abuse in the States, it is not going to be difficult for them with help of the community reporting and support. Not like you can buy anonymous Internet connection or get a SIM without giving any identification whatsoever in States. Every big and small Digital or Internet company in US is already keep logs of user activities. There exists no company or corporation in US that don’t keep data on you for a plethora of reasons. Google and Facebook loves your personal critical data. They fully corporate and share it with NSA or other US government agencies already. Even if an Internet service is pro-privacy for real and only keeps minimal meta-data on a user, it should be good enough. Is not it? It is a well established fact that meta-data has significant actionable information, good enough to kill people. What more than killing Pedophiles would you like to expunge child sexual abuse? What does this act gain for children of US?
To conclude, timing of this Act is unjust and favorable to the government’s motives. It does very tittle or nothing to actually prevent and eradicate CSAM. The whole world is busy dealing with a pandemic, people of US are sadly dying and are top victims if you go by the fatalities. People are distracted, economically hurt, forced to be home to protect others and kill the virus. Is this the best time to introduce a Bill with such drastic repercussions? If passed by the Congress, it is going to change the future of online companies in US. Most small companies might have to shut down owing to the cost of compliance. Encryption and privacy companies might have to take their business elsewhere. It is bluntly an over-smart move by all means.
Hole is a hole! Back-doors do not even protect adults citizens let alone our beloved children
Backdoor is something that the new Earn IT Act of 2020 is indirectly proposing by weakening the Encryption. Law enforcement might want to convince you with a limited edition key to backdoor entry. But, remember one thing, a hole is a hole. With leaks, hacks of user data, it is only strongly implemented end-to-end encryption that give a good level of protection to US citizen’s data. By weakening the technical encryption with planting legal loopholes against online services, government is making a criminal or hostile government’s job much easier.
Even former director of NSA Michael Hayden agrees.
UN promotes encryption as fundamental and protected right.
Multiple former national security and intelligence leaders from Department of Homeland Security, FBI, Commander of U.S. Cyber Command etc are all favoring strong encryption to protection US citizen’s data and privacy according to a blog post by New America’s OTI.
Edward Snowden, a US surveillance whistle-blower has recently talked about significance of encryption for privacy.
Wish Twitter had encrypted DMs and Internet is not the root cause of evil
Had Twitter encrypted their DMs starting 2018 with end-to-end encryption, I would be least worried about sensitive and critical nature of conversations going on in DMs of Twitter and whether the hackers had access to it or not.
Blaming Internet and encryption for everything like terrorism or CSAM is an old trick to bring more surveillance tools, control and censorship by governments for reasons best known to them. Child sexual abuse has happened without Internet and encryption. Internet and encryption has not shielded anyone. It has happened in holy places of worship like Church since centuries. As suggested by many public interest organizations in above linked letters, it is only the institutions and communities along with proper funding for related enforcement agencies that can help prevent and eventually expunge CSAM from the face of the Earth. To me this new Act technically, legally and unethically hurts fundamental things or rights like free expression online, encryption and right to privacy. It promotes censorship and generates more tools of surveillance for the government.