from the this-is-bad dept
To save the children, we must destroy everything. That is the reality of the EARN IT Act. I mean, you can get an idea of what to expect just by reading the actual words behind the extremely cumbersome acronym: Eliminating Abusive and Rampant Neglect of Interactive Technologies Act. Whew. It’s a mouthful. And given the name, it sounds as though Congress would be providing funding to support moderation efforts targeting abusive content.
But it’s nothing like that. It’s about punishing tech companies for the actions of their users. Like FOSTA before it, the bill has no interest in actually targeting the creators and distributors of illegal content such as child sexual abuse material (CSAM). Instead, it’s only interested in allowing prosecutors to go after the entities that are easiest to locate: websites that rely on or facilitate the distribution of third-party content.
In particular, the new bill makes an amendment to Section 230 that looks similar to the change made with FOSTA, stating that if you advertise, promote, present, distribute or solicit CSAM, you will not receive 230 protection. But here’s the thing: CSAM is already a federal crime, and all federal crimes are already exempt from Section 230. Additionally, it’s not as if there are a number of cases that anyone can cite as examples of Section 230 getting in the way of CSAM law enforcement. There is literally no evidence that this is required or will help – because it won’t.
As we have pointed out, the real scandal in all of this is not that internet companies are enabling CSAM, but that the DOJ has literally ignored its congressional mandate to prosecute those involved in CSAM production and distribution. Congress mandated the DOJ to address CSAM, and the DOJ simply didn’t do it. The DOJ had to compile data and set goals to eliminate CSAM… and just didn’t do it. For that reason, it’s bizarre that EARN IT is getting all the attention and not an alternate bill by Senators Wyden, Gillibrand, Casey and Brown that would tell the DOJ to actually take its work on CSAM seriously, rather than blaming everyone else.
Proponents of the bill continue to defend it, casually ignoring that it doesn’t just encourage social media sites to engage in no moderation (lest they trigger the “know” clauses), but is also intended to undermine encryption – not only by portraying it as something that primarily benefits child sexual abuse, but by introducing incentives that discourage the implementation of end-to-end encryption. In fact, any attempts to moderate and take down illegal content could result in fines for companies, as the safest course – given the bill’s mandates – is to do nothing.
How this will help limit the spread of CSAM and track down the producers of this content is anyone’s guess. Proponents of the bill simply assume that removing the immunity of hosts with third-party content will be enough. They also envision that making all internet users less secure is an acceptable trade-off for limited visibility into CSAM distribution, something that will push CSAM producers onto websites that are not under US jurisdiction (making them harder to find) and will make everyone else who uses the internet and social media services for purely legal reasons less safe.
A lot has been said here at Techdirt about this truly terrible law. Much more is said elsewhere. The Internet Society has published its criticism of the EARN IT Act. Guess what? It’s extremely critical. At stake is the privacy and security of millions of internet users. On the other hand, there are opportunistic lawmakers who think “doing something” is the same as “doing something useful.” The legislature is wrong. EARN IT will ruin the internet and its users by turning encryption into a liability.
The EARN IT Act threatens a company’s ability to use and offer end-to-end encryption by jeopardizing its immunity from liability if it does not proactively monitor and filter illegal user content. By doing so, it threatens the safety, privacy and security of billions of people in the US and around the world who rely on encryption as the basis for online security. End-to-End Encryption (E2EE) is the strongest digital security shield to keep communications and information between the sender and intended recipients private. When used correctly, no third party – including the service provider – has the keys to access or monitor content. If the EARN IT Act comes into force, it will directly threaten online service providers and Internet intermediaries (entities that facilitate interactions on the Internet) that offer or support encrypted services. It will also create risks for internet infrastructure intermediaries – such as internet service providers and others – who are not directly involved in the delivery of encrypted services.
The bill makes providers liable for user content and communications. To avoid this liability, proactive measures would have to be taken. When it comes to encrypted communication, none of the options under EARN IT are good. Options range from on-demand decryption services to ease regulatory investigations, to removing one end of end-to-end encryption entirely to monitor content, to just saying screw it and refusing to offer encryption. None of this benefits the hundreds of millions of Americans who don’t create or distribute illegal content.
Undermining encryption makes people and businesses more vulnerable to criminal activity, and preventing minors from encrypting their communications would put them more at risk of harm, not less, because preventing companies from using E2EE and offering secure services would undermine security and confidentiality on the Internet. This would put millions of law-abiding people in the US – including marginalized groups and children – and billions more worldwide at greater risk of harm from those trying to use private data for harm.
The latent threat – to users and platforms – is that once the bill is enacted, the government will decide what “best practices” companies need to follow to detect, report, and remove CSAM. The problem is government intervention, which makes Section 230 immunity contingent on compliance with a set of rules and adds feature creep to the slippery slope. With organizations like the FBI constantly pushing for encryption backdoors, it will only be a matter of time before “best practices” include content scanning, meaning end-to-end encryption is no longer an option. EARN IT doesn’t explicitly make encryption illegal, but its mandates and language can make the use of encryption close enough to a crime to make companies liable for the actions of their users.
While offering end-to-end encryption is not in itself a crime, the EARN IT Act allows a court to use encryption as evidence to hold a service provider liable in CSAM-related cases. If a user distributes CSAM and violates Title 18, Sections 2252, 2252a, or 2256(8) with an encrypted service, a court could find that the service provider’s encryption offering makes them liable for negligent or reckless distribution of CSAM because the encryption prevented the service provider from detecting and then blocking CSAM sent by its users – even if the service provider was unaware of the transmission of specific CSAM.
A service provider offering E2EE is not aware of and does not have access to the content or communications shared or published online. Therefore, a court could take into account this use of E2EE to determine whether the provider recklessly disregarded the CSAM distributed on its platform or negligently allowed its distribution. In fact, a state statute under the EARN IT Act could specifically state that offering an encrypted service could be considered evidence of negligence or willful ignorance of the CSAM transmission (without ever violating the alleged “spin-off” in the EARN IT Act).
Encryption is more than just a way to secure communications. It’s also a way of providing security and privacy to users who interact with other services that don’t connect them to other people. The bill will not only cause pain for WhatsApp and its competitors. It will make any intermediary – no matter how remote they are from the production/distribution of criminal content – potentially liable. And it will give prosecutors a long list of entities to punish, none of which actually produced or uploaded the content.
The EARN IT Act impedes the ability of intermediaries to use a critical, community-accepted building block for internet security: encryption. It does this by creating a risk of liability for the intermediary who cannot monitor content that users share, store or post online. State laws could aim to impose civil liability on any party involved in the creation, transmission, or storage of communications, including ISPs, web hosting providers, cloud backup services, and encrypted communications services such as WhatsApp.
In addition, given the civil liability for damages under state laws permitted by the EARN IT Act, carriers could choose to stop transmitting encrypted traffic or take other measures to block such traffic to avoid exposure to liability. This would make them less interoperable with networks carrying E2EE traffic. Without interoperability, Internet users can surf the Internet more slowly and less securely.
This is certainly not the intention of the bill’s authors and supporters. Or at least it’s not an intention that any of them would admit to. Chances are that most backers of the bill haven’t thought about it long enough to consider the undesirable side effects of hitching immunity to government mandates. Others may simply see this as a good way to discourage the use of encryption under the mistaken belief that it would make it easier for investigators to track down child abusers.
All of these assumptions are wrong. And there is certainly a small percentage of the bill’s advocates who see these negative consequences and like them – people who not only don’t understand the internet and social media platforms, but have turned their ignorance into fear.
The problem is, there are only a few of them and there are millions of us. In theory, that means we have the upper hand. Unfortunately, government works top-down, meaning the select few decide what the rest of us have to live with.
Filed under: csam, earn it, privacy, security