With the world distracted by COVID-19 pandemic, the US government is taking the opportunity to continue its war on digital privacy. The first public hearing of the EARN IT Act took place weeks ago, a bill which is nominally designed to require tech companies to meet certain “best practice” requirements when it comes to the safety of children online. If they do so, and as the title of the bill indicates, they will be judged to have “earned” the right to be protected from lawsuits arising from user-generated content.
You may be forgiven for not being aware of the act or its implications. Even leaving aside the pandemic, a first glance at the bill would make it appear entirely reasonable. Look a little deeper at the discussion draft of the bill, however, and you begin to see its true purpose: to make unbreakable encryption, and therefore data privacy, impossible.
That’s a bold claim, and also one that has been raised each time lawmakers attempt to intrude on digital privacy: some have claimed that consumers have already lost the online privacy war, or have pointed out that data privacy has been threatened many times before. That might be true, but the EARN IT act is nonetheless an unprecedented piece of legislation, because it seeks to undermine a fundamental element of existing privacy rights law.
In order to understand why the EARN IT act is so problematic, it is worthwhile reminding ourselves how the right to free speech is protected online. Back in 1996, Section 230 of the Communications Decency Act spelled out the responsibilities of online platforms when it came to user-generated content. Section 230 says, in essence, that users are legally responsible for the content they upload, and not the platforms that they use to do this. If you are defamed on Twitter, in other words, you can sue the user who defamed you, but you can’t sue Twitter for letting them do so.
Section 230 is regarded as the most important guarantee of free speech online, and the Electronic Frontier Foundation regards it as a fundamental part of the legal framework that guarantees digital privacy in the US. Not only does this section allow tech companies to offer genuinely free forums for the discussion of contentious issues, but it also ensures that users are given protection from internet censorship. At the moment, all online platforms are automatically afforded Section 230 protection. The EARN IT act seeks to change that.
For those watching developments in the ongoing fight for digital privacy rights, this will come as little surprise. Back in 2019, senators threatened Facebook and Apple after their refusal to hand over unencrypted user data. If tech firms were not willing to share this information with the federal government, they were warned, then legislation would be passed that required them to build “back doors” into their systems that would allow this extraction.
The EARN IT bill is the latest attempt to do just that. The bill is nominally focused on the protection of children online, and claims to provide a way for the government, under the auspices of a newly founded “National Commission on Online Child Sexual Exploitation Prevention”, to prevent the online exploitation of children.
Unfortunately, the bill does no such thing. As the Electronic Frontier Foundation has pointed out, the bill “doesn’t help organizations that support victims. It doesn’t equip law enforcement agencies with resources to investigate claims of child exploitation or training in how to use online platforms to catch perpetrators. Rather, the bill’s authors have shrewdly used defending children as the pretense for an attack on our free speech and security online.”
The critical and problematic part of the bill, when it comes to digital privacy, is that it will require tech platforms to adhere to a set of “best practices” in order to “earn” Section 230 protection from legislation. While “best practices” sounds quite benign, in reality this would require tech companies to build backdoors into their encryption schemes. If they do not, they are likely to be accused of not allowing “lawful access” to their systems and will have their Section 230 protection removed.
If the bill passes, tech companies will be confronted with a choice: weaken their encryption schemes, or face lawsuits based on the content uploaded by their users. In practice, they will have to weaken encryption, because the flood of litigation stemming from user content will make running such platforms impossibly costly.
Perhaps the most troubling aspect of the bill is that, where normally data privacy baffles lawmakers, this attack on data privacy is cleverly hidden in terms of "child protection" and "best practices". In fact, some lawmakers seem to be using their naivety when it comes to the technical aspects of online privacy to deflect criticism. When the Washington Post interviewed one of the bill’s sponsors, Sen. Richard Blumenthal, he claimed that he couldn’t protect users’ rights to encryption because he doesn’t understand it.
“I doubt I am the best qualified person to decide what best practices should be,” he said. “Better-qualified people to make these decisions will be represented on the commission. So, to ban or require one best practice or another [beforehand] I just think leads us down a very perilous road.”
The bill is, of course, not the only attack on digital privacy in the US, the UK, or Australia. However, it does represent a more intelligent, nuanced, and fundamental approach to digital rights on the part of lawmakers. By using the cover of child protection, and by going right back to rights enshrined in law in 1996, EARN IT goes much further in undermining Section 230 than previous attempts at this.
It’s also worth noting that an attack on encryption could not come at a worse time. There are growing concerns that spyware in the IoT is being used by companies and governments alike to surveil citizens, and that the growing popularity of cloud computing is also a threat to privacy. Even if one accepts the right of the federal government to access user data, they have an incredibly poor record in keeping these data safe.
Perhaps the most glaring issue with the EARN IT act, though, is that it will not even achieve what it sets out to: the protection of children online. Analysis by the Center for Internet and Society at Stanford Law School has found that the bill would actually make it harder to prosecute pedophiles because it removes the responsibility of tech companies to check their own content.
At the moment, both Facebook and Apple use advanced systems to scan uploaded content because they don’t want to be the subject of extremely negative headlines.
Passing the responsibility to monitor content to Congress is therefore a bad idea for at least five separate reasons. First, tech companies will do the minimum possible to detect and remove abusive material, because (they will say) this is the job of Congress.
Second, lawmakers will be charged with monitoring tech platforms, and a less well-qualified body for this task is hard to conceive of. Third, the bill will essentially make effective encryption impossible, exposing the data of users, companies, journalists, human rights activists, and everyone else to theft.
Fourth, the bill will not achieve what it claims to. Oh, and fifth: it will fundamentally undermine the constitutional right to a private life.
And these are just the beginning of the potential issues the bill will cause. Legal scholars are already pointing out that, if EARN IT passes, it will have knock-on effects across other areas of law, including the security of the intellectual property rights that our economy (and society) is based on.
The crisis caused by the COVID-19 pandemic will, of course, continue to dominate the headlines for months yet. However, we should recognize that this crisis is also being used to further undermine our right to online privacy, and not allow the government to escape scrutiny under the auspices of dealing with an emergency.