Why your privacy could be threatened by a bill to protect children

Backers of the EARN IT Act focus on protecting children from being exploited, but security experts say the bill actually chips away at your encrypted messages.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Tech companies could be forced to drop end-to-end encryption under the EARN IT Act.

Taylor Martin/CNET

Depending on who you ask, the EARN IT Act could either destroy the fundamental values of an open internet or protect children from being sexually exploited online. The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, which requires tech companies to meet safety requirements for children online before obtaining immunity from lawsuits, had its first public hearing on March 11.

A bipartisan group of US lawmakers introduced the bill on March 5, saying that the legislation would enforce standards to protect children from sexual exploitation online. The announcement came at the same time the Justice Department hosted a press event to argue that end-to-end encryption protects online predators. 

While few would question the importance of ensuring child safety, technology experts warn that the bill is really just the government's latest attempt to uproot both free speech and security protections online. 

The proposed law has already been met with widespread criticism from security experts, civil liberties advocates and opposing lawmakers. They see the bill as a veiled attempt to erode end-to-end encryption and as a way to target Section 230, an important part of the Communications Decency Act of 1996 that protects free speech by granting tech companies immunity from any liabilities associated with content on their platforms. 

The Senate Judiciary Committee voted to approve the EARN IT Act for a floor vote on July 2.

Here's a breakdown of the policy issues surrounding the EARN IT Act, why lawmakers want it and why so many security and privacy experts are against the legislation. 

What is the EARN IT Act? 

The EARN IT Act was introduced by Sen. Lindsey Graham (Republican of South Carolina) and Sen. Richard Blumenthal (Democrat of Connecticut), along with Sen. Josh Hawley (Republican of Missouri) and Sen. Dianne Feinstein (Democrat of California) on March 5. 

The premise of the bill is that technology companies have to earn Section 230 protections rather than being granted immunity by default, as the Communications Decency Act has provided for over two decades. 

The lawmakers proposed the bill as a way to protect children from online predators, after prosecutors told senators that tech companies weren't doing enough to prevent sexual exploitation. The Justice Department has argued for years that end-to-end encryption prevents investigators from gathering evidence that would help police catch online criminals. 

Senators Richard Blumenthal (left) and Lindsey Graham are among the co-sponsors who introduced the EARN IT Act.

Getty Images / Tom Williams / CQ Roll Call

At a Senate hearing in December, Graham and Blumenthal warned tech companies, including Apple and Facebook, that they would introduce legislation on encryption if they couldn't find a compromise.

To earn Section 230 protections, as the bill suggests, tech companies would have to meet standards established by a new National Commission on Online Child Sexual Exploitation Prevention. After backlash against the bill, Graham introduced a manager's amendment on June 30, a day before the bill went up for markups, to change it.

Those standards aren't requirements anymore, but instead voluntary recommendations, according to Graham's amendment filed on Tuesday.

"My goal is not to end encryption. My goal is to begin challenging child sexual exploitation and pornography on the internet by making those who own these platforms do better," Graham said at a meeting on July 2.

The changed bill would still allow states to sue tech platforms if child sexual abuse material is distributed on their platforms, and still poses a threat to Section 230 protections and encryption, critics said. 

If child sexual abuse material is sent through an encrypted messaging platform, like WhatsApp, for example, states will be able to sue them and hold the company responsible for being unable to moderate those messages. 

An amendment from Sen. Patrick Leahy looks to protect encryption from state actions, and passed unanimously at Thursday's vote.

"If the committee wants to change the rules on encryption, we should do that in a separate bill," Leahy said at the July 2 meeting.

Policy advocates point out that encryption doesn't need to be directly targeted by the EARN IT Act to be affected by the bill. 

Different states have different standards for how a platform is liable for child sexual exploitation material. Some have "reckless" or "knowing" standards, meaning if a platform like Facebook were reckless or knowingly negligent with how it protects against child exploitation, it could be held responsible. There are concerns that having encryption on a platform could be considered reckless.

With the risk of being sued by 50 state attorneys general, tech platforms would be discouraged from having encrypted messages that they can't moderate, experts said.

"In short, the Manager's Amendment to the EARN IT Act changes some aspects of the bill, but the rotten core of it remains," the Center for Democracy and Technology said on Wednesday. "Threatening intermediaries with vague and expansive liability for user-generated content is not the right way to fight the sexual exploitation of children, and is a surefire way to discourage encryption and censor an incredible amount of constitutionally protected speech."   

The commission drafting the guidelines is made up of the heads of the Justice Department, the Department of Homeland Security and the Federal Trade Commission, as well as members appointed by Congress. No elected officials will serve on the commission. 

A draft of the bill first published in January doesn't specifically mention encryption or what the established standards would be, but the Justice Department and the DHS have long called for "lawful access" to encrypted messages. 

"We are also addressing child exploitation in our efforts on retaining lawful access and in analyzing the impact of Section 230 of the Communications Decency Act on incentives for platforms to address these crimes," Attorney General William Barr said at a press event on March 5. 

What is Section 230? 

Section 230 is an important feature of the Communications Decency Act that has allowed for free speech on tech platforms -- but it's come under fire since the legislation was introduced in 1996. 

Section 230 states that "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." That means tech companies like Facebook or YouTube aren't responsible for what's posted on their platforms. The liability falls squarely on the user. 

Without that provision, companies could be endlessly sued for every negative review or piece of content posted, curtailing free expression online. 

The internet has drastically changed since Section 230 first went into effect, with tech companies enjoying immunity from liability for hate speech and terrorist content posted on their platforms, and lawmakers have considered revisiting the provision on multiple occasions.

In an interview with The New York Times editorial board, Democratic presidential candidate Joe Biden said that Section 230 should be revoked immediately. Sen. Bernie Sanders, who was also running for president, told Vox that he intended to revisit Section 230 if elected president. 

The EARN IT Act represents another avenue that lawmakers are taking to revise Section 230, arguing that tech companies that don't meet standards for protecting children online don't deserve immunity from lawsuits. 

"Companies must do more to combat this growing problem on their online platforms," Feinstein said in a statement. "Our bill would allow individuals to sue tech companies that don't take proper steps to prevent online child exploitation, and it's an important step to protect the most vulnerable among us." 

Proper steps could include providing lawful access -- something cryptography experts consider a threat to end-to-end encryption. 

What is end-to-end encryption?

End-to-end encryption is security technology that encodes your communications -- including phone calls, messages, photos and videos -- making them undecipherable to people outside of the conversation.

It's also used for sensitive data, like passwords and financial and health information stored on your devices. Encryption protects your data from being viewed by employees of the company providing the service, as well as government regimes looking to spy on their citizens. 

The Department of Defense has explained that it depends on encryption to protect its employees and sensitive data.

What is lawful access?

Attorney General William Barr has spoken out against end-to-end encryption, arguing that it prevents investigators from gathering evidence.

Bill Pugliano/Getty Images

Lawful access is the US government's latest push against end-to-end encryption. It calls for tech companies to create an opening in their own encryption -- one that only law enforcement agencies could use for investigations. 

It's gone by different names in the past. In 2017, the Justice Department called it "responsible encryption." But the concept remains the same: provide unbreakable encryption for everyone, but also hand over a special key that governments could use with a warrant or court order to stop criminals.

Why is the government against end-to-end encryption?

The Justice Department has called it "warrant-proof encryption" or "unbreakable encryption," arguing that it hinders law enforcement from keeping track of criminals or gathering evidence. 

The FBI calls it the "Going Dark" problem, saying investigations can hit a dead end because of encryption. Prosecutors have asked for backdoors to encryption to solve cases on terrorism and drugs. With the EARN IT Act, the framing of the issue is now around child abuse. 

Apple battled the Justice Department over an encryption backdoor in 2016.

Matt Elliott/CNET

This new push came after Facebook in November announced plans to encrypt all its messaging services.

That worried prosecutors, who point out that Facebook reported about 16.8 million cases to the US National Center for Missing and Exploited Children in 2018. Their concern is that if Facebook encrypts its messages, police could no longer use them as evidence in child exploitation cases. 

The Justice Department has said that it understands the value of encryption and what it protects, but doesn't support how criminals have used it. 

"They communicate using virtually unbreakable encryption," Barr said at the March 5 press event. "Predators' supposed privacy interests should not outweigh our privacy and security."

Why can't firms allow 'lawful access' while keeping encryption? 

Governments around the world have asked tech companies to provide backdoors to their own encryption. Australia passed laws to that effect, and lawmakers in the UK are considering passing their own legislation. 

Each time, tech companies have argued that what the governments are asking for is impossible, and would end up causing more harm. Apple battled the FBI over encryption in 2016 by refusing to unlock a terrorist's iPhone for an investigation. 

The problem with lawful access, tech experts noted, is that the backdoor or key created for governments would essentially create an opening for everyone. There's always the potential that this special access can be stolen and abused -- as cyberattacks have leaked government tools in the past.

"At this time, we've been unable to identify any way to create a backdoor that would work only for the good guys," Erik Neuenschwander, Apple's manager of user privacy, told senators during a hearing last December. "When we have weaknesses in our system, they're exploited by nefarious entities as well." 

That position echoes across the board for tech giants. At the same hearing, Facebook's product management director for privacy and integrity, Jay Sullivan, argued that the company couldn't provide weakened encryption only for investigations. 

"We oppose intentionally weakening the security of encrypted systems because doing so would undermine the privacy and security everywhere and leave them vulnerable to hackers, criminals and repressive regimes," Sullivan said. 

Security experts have also called out flaws behind "lawful access" for years, arguing that it fundamentally breaks end-to-end encryption. 

"There is no such thing as a backdoor that can only be used by law enforcement," said Ted Harrington, an executive partner at security company Independent Security Evaluators. "Attackers will eventually find a way to use it too." 

How does the EARN IT Act threaten end-to-end encryption?

The EARN IT Act doesn't mention encryption directly, though policy experts are concerned that the guidelines established by the proposed legislation would make companies provide lawful access. 

The legislation draft gives the attorney general final approval of the guidelines, and the Justice Department's record on encryption is indicative of what's to come, experts said.

"When you're talking about a bill that is structured for the attorney general to give his opinion and have decisive influence over what the best practices are, it does not take a rocket scientist to concur that this is designed to target encryption," said Lindsey Barrett, a staff attorney at Georgetown Law's Institute for Public Representation Communications and Technology Clinic.

If the law is passed, tech companies would have to make the choice between weakening their own encryption and endangering all their users, or giving up Section 230 protections and facing a potential flood of lawsuits. 

"The removal of Section 230 liability essentially makes the 'best practices' a requirement," Kate Ruane, a senior legislative counsel for the American Civil Liberties Union, said. "The cost of doing business without those immunities is too high." 

Facebook announced in 2019 that it would be encrypting all of its messaging services as part of its focus on data privacy.

James Martin / CNET

The revised version from June 30 still allows states to sue companies if they're not following these guidelines, meaning that while the risk of lawsuits is lowered, it still threatens encryption.

"By allowing any individual state to set laws for internet content, this bill will create massive uncertainty, both for strong encryption and free speech online," said Sen. Ron Wyden, a Democrat from Oregon who introduced Section 230 in 1996.

Many tech giants can't afford that risk, and it's unclear how they'll act if this legislation is passed. Google and Apple declined to comment on the proposed bill. 

In a statement, Facebook said it plans on working with the EARN IT Act's sponsors to help keep children safe, but raised issues about what it means for security and privacy. 

"We're concerned the EARN IT Act may be used to roll back encryption, which protects everyone's safety from hackers and criminals, and may limit the ability of American companies to provide the private and secure services that people expect," the company said. 

While the EARN IT Act is specifically tailored to protect against online child exploitation, once a company weakens its own encryption, that access could essentially be used for any purpose.

If you want a more in-depth breakdown, Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford's Center for Internet and Society, provides a detailed look at the EARN IT Act and the specific ways the legislation threatens encryption.

Is this bill likely to pass? 

Of the many tech-focused laws proposed in Silicon Valley's reckoning, the EARN IT Act appears to have the most momentum, particularly because of its bipartisan backing, as well as its framing around protecting children rather than being a direct assault on encryption. 

"For those of us that are privacy advocates, we're very concerned about how quickly this bill could move if we don't make our concerns clear up front," the ACLU's Ruane said. 

When the draft bill first surfaced, there had been two senators attached to it. When it was officially announced, the EARN IT Act grew to 10 lawmakers sponsoring the bill. It has bipartisan support from six Democrats and four Republicans.

The bill's critics understand that online child sexual exploitation is an abhorrent crime and that tech platforms aren't doing nearly enough to curb the issue. 

The concern with the bill is that if it uproots end-to-end encryption, it could well end up putting children in more danger, as their sensitive information could be stolen and eavesdropped on by malicious attackers. But that message may not get through, given the way the EARN IT Act is being pitched.

"It's framing a problem as impossible to rebut," Barrett said. "Who can be against a child protection, anti-bad guy bill?" 

Would the EARN IT Act protect children online? 

The EARN IT Act's sponsors believe that the bill will push companies to act more aggressively to stop child predators using their platforms, which could include weakening encryption to follow the established guidelines. 

The bill's critics say providing access to encrypted messages wouldn't necessarily mean more children are protected. It would give investigators more tools to work with, but enforcement is an entirely different concern, experts said. 

While Facebook provides millions of reports to the National Center for Missing & Exploited Children every year, the amount of action taken isn't quite the same, due to a lack of resources and funding from the federal government, according to a New York Times report.

A better way to address the issue would be to give law enforcement more resources, the ACLU's Ruane said. 

Sen. Ron Wyden believes the EARN IT Act will harm free speech and security online.

Win McNamee/Getty Images

Wyden argues that the EARN IT Act is a distraction from the Justice Department's lack of funding and resources to handle online child exploitation. 

In May, he introduced the Invest in Child Safety Act as a counter to the EARN IT Act. It would invest $5 billion in funding for investigations against child sexual abuse, and create a White House office to coordinate those efforts across government agencies. 

"Our bill will finally provide agencies with enough investigators and prosecutors to confront this menace, fund the organizations who help protect at-risk kids from becoming victims, and provide aid to survivors," Wyden said in a statement when he introduced the bill. 

Who supports this bill?

The EARN IT Act is sponsored by: 

  • Senate Judiciary Committee chairman Lindsey Graham (Republican, South Carolina) 
  • Sen. Richard Blumenthal (Democrat, Connecticut)
  • Sen. Josh Hawley (Republican, Missouri) 
  • Sen. Dianne Feinstein (Democrat, California) 
  • Sen. Kevin Cramer (Republican, North Dakota)
  • Sen. Doug Jones (Democrat, Alabama)
  • Sen. Joni Ernst (Republican, Iowa)
  • Sen. Bob Casey (Democrat, Pennsylvania) 
  • Sen. Sheldon Whitehouse (Democrat, Rhode Island) 
  • Sen. Dick Durbin (Democrat, Illinois) 

It's also supported by child protection groups like the National Center for Missing & Exploited Children, Rights4Girls and the National Center on Sexual Exploitation. 

Who opposes this bill? 

The EARN IT Act faces opposition from several civil rights groups, as well as privacy advocates and lawmakers. They include: 

Wyden also criticized the bill for its potential effects on encryption. 

"This bill is a transparent and deeply cynical effort by a few well-connected corporations and the Trump administration to use child sexual abuse to their political advantage, the impact to free speech and the security and privacy of every single American be damned," Wyden said in a statement.

On March 11, NSA whistleblower Edward Snowden also criticized the EARN IT Act, arguing that the US government was exploiting frustrations with the tech industry to pass a law that "undermines digital security and censors speech."