The EARN IT Act of the USA—Trust Must Be Earned
Under the pretext of protecting children, the surveillance state is to be expanded in the USA. A new law, the EARN IT Act, forces companies to abolish end-to-end encryption. The means of pressure: Platform providers should henceforth be liable for the content of their users. The law had been put on hold due to the change of government in the United States. Now, the draft has been brought up again.
Table of Contents
What Is the EARN IT Act?
Four senators from the US Senate are leading the bill, which is called the EARN IT Act. The abbreviation stands for Eliminating Abusive and Rampant Neglect of Interactive Technologies Act. To put it bluntly, the official goal of the EARN IT Act is to remove abusive depictions of children on the internet.
The law was heavily criticized for abolishing end-to-end encryption - an effect that was never officially stated but would have been the only way for companies to implement the law's requirements.
Currently, most IT companies use encryption to protect the content and passwords of their users from unauthorized access. Depending on the level of encryption, even the IT company itself can no longer decrypt the information – in other words, make it readable. Senators Graham, Hawley, Blumenthal and Feinstein want to force companies to eliminate strong encryption and/or build backdoors into their software. They are using the liability law as a lever for this.
The corporate disclaimer should only remain in place, if companies make it technically possible to search all uploaded, stored, or sent files. This way, illegal files can be detected. After all – so the four senators argue – searching through all files is the only way to stop pedophiles who share child sexual abuse material (CSAM) online.
An influential lobby of concerned parents and self-proclaimed child welfare activists has thus set about securing broad support for the EARN IT Act, both online and offline.
Opponents of the law, on the other hand, have a hard time: Those who oppose the EARN IT Act automatically side with pedophiles – at least that’s what the supporters of the new law claim.
What Impact Would the EARN IT Act Have?
Section 230 of the Communications Decency Act protects Internet platforms from being sued for content that their users upload. This is a legal peculiarity in the USA on which (among other things) the enormous success of US Internet platforms is based.
The EARN IT Act is now intended to further undermine the Communications Decency Act with the help of leverage. Thus, the continuation of the exclusion of liability is to be made subject to conditions. The plan is that companies must earn protection from lawsuits that relate to CSAM.
However, the bill did not say exactly how they must earn this right. In the original version, a commission was planned to be responsible for further development after the adoption of the law - a very controversial aspect of the EARN IT Act.
Patrick Leahy’s Amendments and the “Moderator’s Dilemma”
After an amendment by Patrick Leahy in the current version of the EARN IT Act, this commission is no longer provided for. Furthermore, the use of end-to-end encryption now explicitly no longer leads to the loss of the disclaimer. Leahy expected to get more support for the law with his proposal.
However, the plan did not work out. Although the amendment was approved by the Justice Committee, there is no reason to feel relieved. The law has now become much more complicated and is causing even more controversy.
On the one hand, the new variant of the EARN IT Act shifts the design of the EARN IT Act from the Disputed Commission to the individual states. And these are known to be very diverse. California, for example, already has very strict data protection regulations with the California Consumer Privacy Act CCPA and thus differs significantly from the other states. The EARN IT Act, for example, reinforces legal diversification in an area which, in practice, knows no borders, since data traffic within the USA has not been regulated to date.
On the other hand, allowing companies to continue using end-to-end encryption without jeopardizing the protection provided by Section 230 could lead to companies encrypting even more than before. This would clearly miss the objective of the law and could lead to even more disagreement amongst members of parliament. However, those who do not encrypt would have to collect much more data on their users to enable prosecution. This would create databases of personal data that would not exist without the EARN IT Act.
The EARN IT Act and the Surveillance State
The EARN IT Act sets the framework for private individuals and law enforcement agencies to sue the platforms directly if crimes against children are prosecuted.
Providers of the Internet platforms understandably want to minimize this risk. Leverage would almost certainly work. It is assumed that the providers will therefore grant the authorities access to user accounts and content.
If this law is passed, it would impact civil rights considerably and would further expand the surveillance state. Various organizations are thus fighting against the EARN IT Act. One well-known group, the Electronic Frontier Foundation (EFF), is focusing on proving that the new law violates the First Amendment: Protect our Speech and Security Online
The First Amendment:
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
An example: Searching photo databases for facial recognition is a powerful instrument of mass surveillance. End-to-end encryption can protect us all from this feature. Many Internet providers already search uploaded content for abusive images based on known hashes. However, it is not possible to search end-to-end encrypted content for these patterns without weakening the encryption. This is a known problem. The EARN IT Act now requires operators to actively implement weaker encryption.
Mathew Green, cryptographer and professor at John’s Hopkins University, summarizes the situation in his statement: “It's the kind of bill you’d come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn’t care.
The crypto-messenger Signal was recently the subject of much media attention. On April 8th, 2020 the company announced that it would withdraw from the US market if the EARN IT Act came into force. It remains to be seen which other companies will position themselves so clearly in the upcoming months.
What Stage in the Legislative Process Are we at?
State: February 2022
The bill has not been further processed since the presidential election of November 2020. Now, the Senate has retrieved the paper and wants to work on its implementation. Internet activists are alarmed and are organizing opposition. The Electronic Frontier Foundation has launched a new information page: Stop the EARN IT Act to Save Our Privacy
Important: The legislative process and the practice of legal interpretation in the USA is different from the German one. US courts act according to the so-called common law. They can influence legislation with their jurisdiction. As a result, the EARN IT Act may already be in effect, although the law has not yet been passed.
Statement of the Boxcryptor Founders Andrea Pfundmeier and Robert Freudenreich
With Boxcryptor we have dedicated ourselves to the effective protection of information. Protecting private information and trade secrets is what motivates us to work on our encryption software every day. Among our customers are journalists, political parties, companies with various business areas, critical infrastructure companies, research institutes, schools, and many private individuals. The ability to encrypt messages and files of all these people and thus protect them from the prying eyes of third parties is a fundamental prerequisite for a free society. Any attempt to restrict freedom of expression must be firmly opposed.