The Senate's sneak attack on encryption

A revived EARN IT Act highlights the growing pressure on private messaging

Feb 02, 2022

Sen. Richard Blumenthal (D-CT) talks to reporters Tuesday in Washington, DC. (Chip Somodevilla / Getty Images)

Today, let’s talk about the latest effort to roll back speech protections on the internet.

It’s conventional wisdom around here that most congressional efforts to regulate Big Tech are destined to go nowhere: Congress is too polarized, and has such different ideas about what the problems with platforms even are, to give most bills any reasonable chance of passing.

But there are areas where many Democrats and Republicans agree, including skepticism of end-to-end encryption; fears of child exploitation; and hostility toward Section 230 of the Communications Decency Act, which exempts platforms from legal liability in most cases for what their users post.

The EARN IT Act of 2022, which revives a controversial bill first introduced two years ago, combines all three of those issues into a single piece of legislation. For that reason, it poses a greater-than-usual risk of becoming law. And advocates of an open internet, along with various industry trade groups, are sounding the alarm.

We’ll get to their concerns in a minute. But first, here’s Issie Lapowsky at Protocol explaining the convoluted nature of the bill, which pairs new legal liabilities with the creation of a national commission of top law enforcement officers and others, “voluntary” best practices, and more. She writes:

Currently, Sec. 230 allows platforms to be liable for violations only under federal criminal law, effectively shielding them from a range of other lawsuits that could potentially be brought at the state level. The latest version of the EARN It Act would remove Sec. 230 immunity from state and federal civil laws, as well as state criminal laws, regarding child sexual abuse material. The EARN It Act would also create a new National Commission on Online Child Sexual Exploitation Prevention, comprising the heads of the DOJ, DHS and FTC, as well as more than a dozen other members appointed by Congress.
This commission would develop a set of "best practices" for companies to abide by related to online child sexual exploitation. The earliest drafts of EARN It would have required companies to adhere to those best practices in order to receive Sec. 230 immunity. That proposal sent fear through the hearts of the tech industry and civil liberties community alike, as some worried that the commission, stacked with law-enforcement officials, would use its newfound power to require tech platforms to weaken encryption in the name of protecting kids.

Sen. Richard Blumenthal (D-CT) is one of the bill’s primary co-sponsors — and one of the only people I found today with anything positive to say about it. Blumenthal said:

“The modern internet is infested with stomach-churning images of children who have been brutally assaulted and exploited, and who are haunted by a lifetime of pain after these photographs and videos are circulated online. Tech companies have long had ready access to low-cost, or even free tools to combat the scourge of child sexual abuse material but have failed to act."

It’s simply not true that tech platforms don’t act to remove child sexual abuse, or CSAM. At TechDirt, Mike Masnick notes that in 2019 platforms reported 70 million images to the National Center for Missing and Exploited Children.

More to the point, if some platform is found to be illegally distributing CSAM, it can already be prosecuted under federal laws. The EARN IT Act would allow new forms of prosecution under state laws as well. But why wait for states to sue? As the Stanford researcher Riana Pfefferkorn has written, lawmakers could arguably get much more accomplished here by amending federal laws to tell platforms what they should do about CSAM. It’s already illegal to possess or distribute; the platforms that look for it already report what they find.

So what’s the real problem with CSAM? For one, small-time platforms generally do not even look for, much less report it. Ideally, the government would work to give them incentives to look. But the EARN IT Act arguably does the opposite. In that, it mimics FOSTA-SESTA, the last act of Congress to create a carve-out for Section 230. That one covered sex trafficking, and it has been terribly ineffective at doing anything other than diminishing free expression.

Masnick puts it this way:

EARN IT gets the problem exactly backwards. It disincentivizes action by companies, because the vast majority of actions will actually increase rather than decrease liability. As Eric Goldman wrote two years ago, this version of EARN IT doesn't penalize companies for CSAM, it penalizes them for (1) not magically making all CSAM disappear, for (2) knowing too much about CSAM (i.e., telling them to stop looking for it and taking it down) or (3) not exiting the industry altogether (as we saw a bunch of dating sites do post FOSTA).
EARN IT is based on the extremely faulty assumption that internet companies don't care about CSAM and need more incentive to do so, rather than the real problem, which is that CSAM has always been a huge problem and stopping it requires actual law enforcement work focused on the producers of that content. But by threatening internet websites with massive liability if they make a mistake, it actually makes law enforcement's job harder, because they will be less able to actually work with law enforcement. This is not theoretical. We already saw exactly this problem with FOSTA, in which multiple law enforcement agencies have said that FOSTA made their job harder because they can no longer find the information they need to stop sex traffickers. EARN IT creates the exact same problem for CSAM.

The new EARN IT act appears so wrongheaded on its face that we are all left to wonder what the real point is. And it’s here that open internet advocates return to their concern about the original bill. It its early forms, the commission created by the act would have been able to force tech platforms to accept its recommendations in order to “earn” Section 230 protections, and one of those recommendations could have been to eliminate end-to-end encryption.

In the 2022 version of the law, the commission’s recommendations no longer carry the force of law. (As a result, the bill’s acronym no longer means anything; there is nothing for platforms to actually “earn” here.) But advocates are still concerned about language in the bill that suggests platforms could be sued if encryption is found to help facilitate the distribution of CSAM. That could dissuade platforms from offering encrypted messaging services in the first place — and that, many critics suspect, is the real purpose of pursuing the act this year.

“Without encryption, activists planning a march, journalists communicating with sources, patients sending messages to health professionals, and even children talking with their parents would face increased risk that their private and sensitive communications will be exposed,” said Alexandra Reeve Givens, president of the Center for Democracy and Technology, in a statement. “By creating a massive disincentive for providers to offer encrypted services, the EARN IT Act will make us all less safe.”

The Senate plans to mark the bill up on Thursday, a sign it may come to a floor vote. Meanwhile, Politico reports that Reps. Ann Wagner (R-Mo.) and Sylvia Garcia (D-Texas) will introduce a companion bill in the House of Representatives.

Ultimately it’s still more likely than not that the EARN IT Act — like any other piece of tech regulation — falls victim to the inertia that paralyzes Congress in so many areas of modern life. But the bill’s sudden and somewhat unexpected reappearance this week illustrates the degree to which encrypted messaging remains very much under threat, in this democracy and so many others. For Americans who value their privacy, the time to get loud is now.

Governing

⭐ The United States is lobbying the European Union to change the Digital Services Act to make it less hostile to American companies. It’s one of the first and most high-profile actions the Biden administration has taken in support of the US tech industry. Here’s Samuel Stolton at Politico:

"We think it is important that regulatory efforts on either side of the Atlantic do not create unintended adverse consequences, such as inadvertent cybersecurity risks or harms to technological innovation," the paper states. "We have also been clear that we oppose efforts specifically designed to target only U.S. companies where similarly situated non-U.S. companies would not be covered."
Late last week Washington circulated the eight-point policy document to "select" MEPs and member countries, in the middle of key negotiations between EU institutions on the bloc’s draft gatekeeper rules.

Microsoft’s purchase of Activision Blizzard will be reviewed by the Federal Trade Commission. Gulp! (David McLaughlin / Bloomberg)

NSO Group tried to give cash to an American mobile security firm in exchange for access to global cellular networks, according to a whistleblower. Well that seems … totally consistent with everything we know about NSO Group. (Craig Timberg / Washington Post)

Big tech companies are increasing their donations to foreign policy think tanks. They’re now spending millions to advance the argument that stricter regulations will only serve to benefit China. (Kiran Stacey and Caitlin Gilbert / Financial Times)

One of India’s most prominent opposition politicians alleged that Twitter had restricted his follower growth after he was suspended for eight days in August. Rahul Ghandi did not specify how he believed Twitter was doing this; the company denies the allegations. (Shan Li and Salvador Rodriguez / Wall Street Journal)

India plans to tax the sale of cryptocurrencies and NFTs at 30 percent. The country also intends to introduce a digital currency by next year. (Manish Singh / TechCrunch)

Industry

⭐ Google had another monster quarter. It also broke $200 billion in annual revenue for the first time. Here’s Kim Lyons at The Verge:

Google had advertising revenue of $61.24 billion for the quarter. Apple made privacy changes in iOS last year, requiring users to opt in if they wanted to allow apps to track them across other apps and on websites. Its App Tracking Transparency affected many advertisers’ ability to target ads to users, and in October, the Financial Times reported that Facebook (now Meta), Twitter, Snapchat and YouTube lost nearly $10 billion in revenue in the second half of 2021 as a result of the new iOS settings.
But Google collects its own data via its search traffic and YouTube, so it has been less affected by the iOS change. The company brought in $8.63 billion in revenue from YouTube ads in the fourth quarter of 2021 alone.

Google Messages is starting to roll out iMessage reactions. It sure would be nice if Apple embraced the RCS standard. (Abner Li / 9to5Google)

The Spotify-owned podcast “Science Vs.” said it would stop making new episodes — except to rebut false claims made on Joe Rogan’s show. Can’t say I saw that particular wrinkle coming. (Lucas Shaw / Bloomberg)

Tumblr CEO Jeff D’Onofrio quit. He leaves a legacy of banning porn on the platform; D’Onofrio said he had no choice if he wanted Tumblr to remain in the App Store. (Kaitlyn Tiffany / The Atlantic)

Meta joined the Crypto Open Patent Alliance, promising not to use any of its patents to enforce patents except in defense against litigation. The group was created by the company then known as Square in 2020. (Ryan Weeks / The Block)

Diem confirmed it is shutting down and selling its assets to Silvergate. “A senior regulator informed us that Diem was the best-designed stablecoin project the U.S. government had seen,” its CEO said. (Nikhilesh De / CoinDesk)

Pinterest will now let you use augmented reality to preview furniture from West Elm, Walmart, and others. Its Lens camera will let you virtually place more than 80,000 items in your house. (Mitchell Clark / The Verge)

The cryptocurrency-based fan engagement platform Iqoniq has gone into liquidation. It had partnerships with several prominent European soccer franchises; tokens purchased by fans are now nearly worthless. (SportsPro)

Troy Baker, one of the most beloved voice actors in video games, bowed out of an NFT collection after his fans revolted. Gamers continue to protest any connection between their favorite pastime and the blockchain. (Jay Peters / The Verge)

Here’s another person getting scammed out of their Bored Apes collection. There is now more than enough material for “All My Apes Gone” to be a narrative docu-series on Hulu. (Lorenzo Franceschi-Bicchierai / Vice)

Discord will now let you link your PlayStation account to show friends what you’re playing. The rollout comes nearly a year after the feature was announced. (Mitchell Clark / The Verge)

A look at the injuries people sustain while using virtual reality. A Reddit community devoted to the subject, VRtoER, has 80,000 members. (Sarah E. Needleman and Salvador Rodriguez / Wall Street Journal)