Is the EARN-IT Act a backdoor attempt to get encryption backdoors?

Last week a pair of US senators on the Senate Judiciary Committee, Lindsey Graham (R-SC) and Richard Blumenthal (D-CT), introduced a flashpoint piece of legislation called The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT). The law, ostensibly designed to dampen the rampant child exploitation activities online, has drawn criticism from civil rights groups, free speech advocates, and cybersecurity professionals during draft discussions. Most observers said it is a sneak attack on end-to-end encryption. The release of the formal version of the bill only solidified this fear.

What’s in the EARN-IT bill?

The 65-page piece of legislation promises to eliminate so-called Section 230 legal liability protection tech and internet companies that don’t meet recommendations about how to eradicate child exploitation material. Those recommendations would be made by a 19-member National Commission on Online Child Sexual Exploitation Prevention. Companies can “earn” their liability exemptions granted under Section 230 of the Communications Decency Act, essential protection that enabled the growth of online platforms such as Facebook, Twitter and Google, if they meet the commission’s recommendations on how to combat child sexual abuse material (CSAM).

The bill says that the commission should include the attorney general, the heads of the Department of Homeland Security (DHS) and the Federal Trade Commission (FTC), two members with “current experience in matters related to constitutional law, consumer protection, or privacy,” and two members with expertise in “computer science or software engineering related to matters of cryptography, data security, or artificial intelligence in a nongovernmental capacity.” The bill says the commission should also include four members who have “experience in providing victims services for victims of child exploitation” or who are survivors of online child sexual exploitation.”

The commission will be charged with developing practices on how to combat child sexual exploitation online, with only 14 votes needed to adopt a best practice. The attorney general, along with the heads of DHS and FTC, will approve each best practice. The practices can consist of such things as scanning media content for abusive images or monitoring communications between suspected child abusers and potential victims.

EARN-IT doesn’t specifically bar encryption, a goal unsuccessfully pursued by US law enforcement since the Clinton Administration and now sought in earnest by US Attorney General William Barr. Yet, many public interest organizations and security experts have come out and condemned the bill because it’s a hidden means to ban end-to-end encryption.

In a statement, the ACLU’s Senior Legislative Counsel Kate Ruane said, “The EARN It Act threatens the safety of activists, domestic violence victims, and millions of others who rely on strong encryption every day. Because of the safety and security encryption provides, Congress has repeatedly rejected legislation that would create an encryption backdoor.”

Source link