Encryption is a hotly debated topic these days. Privacy advocates love it; governments and law enforcement are less enthusiastic. One of the most significant discussions regarding encryption at the moment is the United States’ EARN IT Act. This controversial piece of legislation could have major privacy implications moving forward.
The EARN IT Act’s journey
On March 5, 2020, a bipartisan group of U.S. politicians, including Sen. Lindsey Graham (R-South Carolina), Sen. Richard Blumenthal (D-Connecticut), Sen. Dianne Feinstein (D-California), and Sen. Josh Hawley (R-Missouri) introduced the EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act. The legislation aimed to curb online child sexual exploitation through the creation of a national commission.
The act establishes a government commission consisting of 19 appointed individuals from various sectors. It includes high-ranking officials from the Department of Justice, the Department of Homeland Security, the Federal Trade Commission, as well as representatives from top law enforcement agencies, constitutional law experts, survivor groups, and more.
The commission would be responsible for devising a set of “best practices” that online companies would need to follow to maintain immunity from liability regarding third-party content posted on their platform. Congress would review and approve the list of mandated best practices. Once approved, the commission would need to certify companies as compliant with the policies before they received immunity. Simply put, immunity is not guaranteed. Online organizations would have to “earn it” (see what they did there?)
Businesses that do not follow the standard set of best practices would need to prove they have reasonable alternative methods to prevent child exploitation on their platform. As deemed by the commission, those who do not meet the minimum standards would be liable for lawsuits from sexual exploitation victims.
Amendments to the bill
This summer, while making its way throughout the Senate Judiciary Committee, lawmakers altered the bill to empower the states to form their own rules. The commission would still be retained along with its guidelines for best practices. However, it is now up to the states to bring civil and criminal lawsuits against content platforms that don’t do enough to prevent child exploitation.
In either form, the EARN IT Act, at its core, attempts to erode the legal protections stipulated by Section 230 of the Communications Decency Act of 1996. And It could create obstacles for the use of encryption technologies.
The Communications Decency Act of 1996 is a component of the more comprehensive Telecommunications Act of 1996. This was the first law that incorporated the Internet into broadcast regulations. Section 230 of the CDA states:
No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.
This means that content platforms aren’t liable for the content people post on them. It protects them from all sorts of nasty legal situations.
The most current form of the EARN IT Act affords states more leeway to decide whether a content platform is culpable for sexual crimes committed against minors.
The effect on encryption
So, how does this relate to encryption? If passed, the EARN IT Act significantly weakens the utility of it. The first iteration never specifically mentioned encryption, although the implications to the technology were evident. If, for instance, the government held social media websites liable for facilitating child exploitation via encrypted messages, why would the platform ever allow encrypted messages in the first place?
The whole point of encryption is that the centralized platform doesn’t have the keys to decrypt messages between two private parties. This ensures privacy and that Big Brother isn’t watching over your shoulder. Section 230 prevented roadblocks to encrypted communications. But, if the government can hold the content of encrypted messages against a business in civil or criminal cases, the organization has a massive incentive not to offer encryption services.
The amended EARN IT Act that passed through the Senate Judiciary Committee does mention encryption. In fact, it stipulates that end-to-end encryption by itself is not a reason to remove the Section 230 protections for a company. On the surface, this looks like a more reasonable bill. However, it suggests that organizations scan messages before being encrypted to check for suspicious exploitative content. If any is present, they would have to forward them to the proper government authority for closer scrutiny. The practice is called “client-side scanning.”
So, would this really allow for end-to-end encryption? It appears to undermine its usefulness when companies scan every message before transmission.
AXEL is a data custody and privacy advocate. Our file sharing and storage platform, AXEL Go prioritizes privacy and security. We provide the option to use encrypted password protection for all shared files.
We understand that this is a complex issue, and we want to prevent the exploitation of minors. However, this legislation could have a chilling effect on privacy and the future of encryption.
Encryption is a tool. It isn’t only useful for criminals. Privacy is a right for everyone, and this technology helps facilitate it. It doesn’t just hide your data from governments and corporations, but also malicious agents. Data breaches happen on a daily basis. If the hackers only score encrypted data, the haul ends up being useless. It helps prevent identity theft, as well as stolen credentials and payment information. Encryption is a part of the solution, not the problem. We can usher in a better online experience. One that isn’t fraught with invasions of privacy and data collection. Client-side scanning of all messages is not on the path toward this future.
If you’d like a secure, private file sharing and storage platform, download AXEL Go. It’s an easy-to-use program available on Windows, Mac, iOS, and Android devices. It uses secure technologies such as blockchain, the InterPlanetary File System (IPFS), and the aforementioned password encryption to ensure your data stays safe and confidential. Sign up for one of our free, Basic accounts and you will receive 2GB of free online storage, along with enough of our AXEL Tokens to fuel thousands of shares across our decentralized network.