This post was originally published on July 21, 2020.
The EARN IT bill, which would make tech companies liable for the behavior of their users, was unanimously approved by a U.S. Senate committee on July 2 and will be presented for a vote on the Senate floor.
As we highlighted earlier, the bill could eventually force tech companies to abandon end-to-end encryption. And it’s looking likely to pass into law: The bill is backed by senators from across the political divide—namely Republicans Lindsey Graham and Josh Hawley as well as Democrats Richard Blumenthal and Dianne Feinstein, among others.
The version of the EARN IT Act approved by the committee differs significantly from the text first brought forward in March. It’s now almost double the length of the original version and does away with many of the earlier confusing elements. But its intentions for the future of encryption are far clearer.
Encryption is definitely a target
Senator Blumenthal, one of the main sponsors of the bill, was visibly agitated when questioned about the effects the legislation might have on end-to-end encryption.
Back in March, when the bill was first introduced, he tried his best to deflect such inferences.
“This bill says nothing about encryption,” he said. “Have you found a word in this bill about encryption?”
That might have been true of the original draft, but the new version of the EARN IT bill makes it clear that end-to-end encryption will be one of the targets. The original draft called for two “experts in computer science” to sit on the committee that would help develop the best practices that tech companies would have to abide by.
The new version, however, updates this description to experts in “computer science or software engineering related to matters of cryptography, data security, or artificial intelligence in a non-governmental capacity.”
The specific mention of cryptography suggests that the sponsors of the bill realize that their demands will affect encryption or, at the very least, require building a backdoor.
Another part of the proposed act has to do with the type of tech companies that would be affected. How they will be affected will depend on whether they are “primarily responsible for hosting, storage, display, and retrieval of information on behalf of third parties,” and the extent to which they facilitate communication between two entities.
The act is confusing and uses vague terminology, which is also what makes it dangerous. The recommended best practices could apply to cloud storage companies, instant messaging services of all kinds, even blogs that allow comments and user-generated content. It’s possible that they would all be liable under the EARN IT Act.
Remember, the EARN IT act is only the latest attack in the government's very long war on encryption. Switzerland's most sensitive communications-security company was secretly run by the CIA. There is nothing these people won't do to stamp out the idea of a private conversation. https://t.co/v4MOAhqQjP
— Edward Snowden (@Snowden) March 11, 2020
The EARN IT Act will significantly alter Section 230
Section 230 of the U.S. code was adopted to support the diversity of political discourse, unique opportunities for cultural development, and myriad avenues for intellectual activity. It is widely credited with helping free speech flourish on the internet, as well as allowing blogging and social media platforms to reach the size and ubiquity that they enjoy today.
In a nutshell, Section 230 separates online platforms from the behavior of registered users. Such platforms, like Facebook, Twitter, and Instagram, cannot be held accountable for content posted. Users can sue each other for defamation or libel, but the platform itself is a neutral third party that cannot be hauled into court.
However, if the “best practices” under the bill become hardcoded into legislation, many of the immunities that the platforms enjoy today will vanish. According to the EFF, the act will require platforms to proactively scan user accounts and vet content before it is published. Not only does that significantly undermine the principles of end-to-end encryption, it also effectively turns the platforms into agents of the federal government as they’re forced to ensure that users abide by the guidelines of what can be transmitted or published.
Free speech, in essence, will die a slow death. The government will be able to determine what can or cannot be published. And once this precedent is established, it’s hard to say that it won’t take on a life of its own.
The spirit of the EARN IT Act may apply to online platforms right now, but it’s a slippery slope to future administrations taking its principles and applying them in other ways. For example, what if the government decides that video calls should no longer be encrypted? Or if it whitelists a few companies that comply with its directives and bars others from serving the general public? The EARN IT Act gives governments extremely broad latitude to regulate as they see fit, which doesn’t bode well for the future.
The American Civil Liberties Union said in a statement that the proposed act will “encourage platforms to undermine strong encryption methods and place our online privacy at risk.” It adds that the legislation will do “far more harm than good.”
“It will jeopardize the privacy of every American, fundamentally alter the freedom of our online communications, disproportionately harm LGBTQ people, sex workers, and those with marginalized or minority views,” continued the ACLU.
Expect a flurry of changes if Section 230 is phased out. Some blogging sites might just shut down completely to avoid lawsuits. Others will probably disable comments permanently, since the platform can be held liable for anything published on it. Encryption backdoors will become a reality, and it’s highly likely that foreign governments will follow suit.
After all, if the U.S. administration can enact changes, then what’s stopping other countries from enacting their own rules and forcing tech companies to comply if they wish to continue serving their citizens?
The new version of the EARN IT Act suggests that tech companies can engage in what’s referred to as “client-side scanning,” where messages are scanned on a local device before being transmitted over a secure, encrypted channel. Not only is that fraught with problems, it’s wholly against the principles of encryption.
If you’re worried about the possible ramifications of the EARN IT Act, now is the time to speak up. Contact your local representative and tell them about your opposition. Spread the message on social media. Do what you can to get others involved.
Here’s the text of the updated EARN IT Act in its entirety if you wish to decide for yourself.