What EARN IT and LAED mean for encryption
Is encryption the biggest impediment to law enforcement’s ability to stop sexual predators of children? For the advocates of the EARN IT Act, which would loosen the rules protecting Internet services’ use of encryption, it most certainly is.
The Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act would create an online commission to prevent the sexual exploitation of children tasked with developing “best practices” that Internet services would be required to adhere to in order to retain the protections of Section 230 of the Communications Decency Act of 1996. Section 230 protects Internet services such as Facebook and Twitter from lawsuits over content published on their sites by their users.
Following the addition of a manager’s amendment by co-sponsor Sen. Lindsey Graham (R-S.C.) that weakens some parts of the bill and leaves the impact of other sections unclear, the Senate Judiciary Committee voted to approve the EARN IT Act on Thursday. The next step for the bill is to be voted on by the full Senate.
READ MORE ON ENCRYPTION AND THE CRYPTO WARS
The EARN IT Act, originally introduced by Sens. Richard Blumenthal (D-Ct.) and Graham, doesn’t actually use the word “encryption,” and both senators denied on Thursday that the bill is intended to interfere with how tech companies use encryption to protect their users’ data and communications. The bill creates a 19-member commission to determine what the “best practices” should be, with three mandatory commission members: the U.S. Attorney General, the secretary of Homeland Security, and the chair of the Federal Trade Commission. Any one of these three would be empowered by the guidelines set out in the EARN IT Act to veto recommended “best practices.”
Given that many U.S. government leaders have a decades-long history of opposition to private use of digital encryption, cybersecurity and privacy advocates fear that the EARN IT Act commission is a wolf in sheep’s clothing. Their concern is that EARN IT is an attempt to hide an attack on the use of encryption among the legitimate concerns of the proliferation of child sexual abuse material (CSAM) online, says Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society.
“There is a sense that tech companies are too big for their britches, and someone should stick it to them,” Pfefferkorn says, thanks to the online spread of hate speech, misinformation, and disinformation. “EARN IT will hurt all of us, but it won’t financially hurt the companies, and it won’t help catch the bad guys. It’s the wrong tool to indulge that understandable impulse in the year of our lord 2020.”
A second bill: the LAED Act
The EARN IT bill is not the only attempt by lawmakers to restrict the use of encryption, which has become increasingly more commonplace in the aftermath of the whistleblower disclosures taken by Edward Snowden, especially as used in messaging apps such as iMessage, Signal, and WhatsApp to prevent malicious hackers and government snoops from spying on message content. A second bill, the Lawful Access To Encrypted Data (LAED) Act, would force tech companies with more than 1 million users to create government-accessible backdoors in encryption they’ve deployed to aid search warrants of devices used by government targets.
This story was originally commissioned by Dark Reading. Read the full story here.