Implications of the CLOUD Act for the users of a cloud service
Lisa Figas. Marketing Manager at Boxcryptor
Lisa Figas | Marketing Manager
Friday, December 4, 2020

The EARN IT Act of the USA - Trust Must Be Earned

Abstract: Under the pretext of protecting children, the surveillance state is to be expanded in the USA. A new law, the EARN IT Act, is intended to force companies to abolish end-to-end encryption. The means of pressure: Platform providers should henceforth be liable for the content of their users. This law is now available in a recent version. But there is no reason to sound the all-clear.

Table of Contents

What Is the EARN IT Act?

Four senators from the US Senate are leading the bill, which is called the EARN IT Act. The abbreviation stands for Eliminating Abusive and Rampant Neglect of Interactive Technologies Act. To put it bluntly, the official goal of the EARN IT Act is to remove abusive depictions of children on the net.

The law was heavily criticized for abolishing end-to-end encryption - an effect that was never officially stated but would have been the only way for companies to implement the law's requirements. The passage in question was amended shortly before it was passed in the Senate.

Currently, most IT companies use encryption to protect the content and passwords of their users from unauthorized access. Depending on the level of encryption, even the IT company itself can no longer decrypt the information – in other words, make it readable. Senators Graham, Hawley, Blumenthal and Feinstein want to force companies to eliminate strong encryption and/or build backdoors into their software. They are using the lever of liability law to do this. According to the original version of the EARN IT Act, the corporate disclaimer should only remain in place if companies make it technically possible to search all uploaded, stored, or sent files. This way, illegal files can be detected. After all – so the four senators argue – searching through all files is the only way to stop pedophiles who share child sexual abuse material (CSAM) online.

An influential lobby of concerned parents and self-proclaimed child welfare activists has thus set about securing broad support for the EARN IT Act, both online and offline. Opponents of the new law, on the other hand, have a hard time: Those who oppose the EARN IT Act automatically side with pedophiles – at least that’s what the supporters of the new law claim.

What Impact Would the EARN IT Act Have?

Section 230 of the Communications Decency Act protects Internet platforms from being sued for content that their users upload. This is a legal peculiarity in the USA on which (among other things) the enormous success of US Internet platforms is based.

The EARN IT Act is now intended to further undermine the Communications Decency Act with the help of leverage. Thus, the continuation of the exclusion of liability is to be made subject to conditions. The plan is that companies must earn protection from lawsuits that relate to CSAM. However, the bill did not say exactly how they must earn this right. In the original version, a commission was planned to be responsible for further development after the adoption of the law - a very controversial aspect of the EARN IT Act.

Patrick Leahy’s Amendments and the “Moderator’s Dilemma”

After an amendment by Patrick Leahy in the current version of the EARN IT Act, this commission is no longer provided for. Furthermore, the use of end-to-end encryption now explicitly no longer leads to the loss of the disclaimer. Leahy expected to get more support for the law with his proposal. However, the plan did not work out. Although the amendment was approved by the Justice Committee, there is no reason to feel relieved. The law has now become much more complicated and is causing even more controversy. On the one hand, the new variant of the EARN IT Act shifts the design of the EARN IT Act from the Disputed Commission to the individual states. And these are known to be very diverse. California, for example, already has very strict data protection regulations with the California Consumer Privacy Act CCPA and thus differs significantly from the other states. The EARN IT Act, for example, reinforces legal diversification in an area which, in practice, knows no borders, since data traffic within the USA has not been regulated to date. On the other hand, allowing companies to continue using end-to-end encryption without jeopardizing the protection provided by Section 230 could lead to companies encrypting even more than before. This would clearly miss the objective of the law and could lead to even more disagreement among members of parliament. However, those who do not encrypt would have to collect much more data about their users to enable prosecution. This would create databases of personal data that would not exist without the EARN IT Act.

The EARN IT Act and the Surveillance State

The EARN IT Act sets the framework for private individuals and law enforcement agencies to be able to sue the platforms directly if crimes against children are prosecuted. Providers of the Internet platforms understandably want to minimize this risk. Leverage would almost certainly work. It is assumed that the providers will therefore grant the authorities access to user accounts and content. If this law is passed, it would impact civil rights considerably and would further expand the surveillance state. Various organizations are thus fighting against the EARN IT Act. One well-known group, the Electronic Frontier Foundation (EFF) is focusing on proving that the new law violates the First Amendment: Protect our Speech and Security Online

The First Amendment:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

An example: Searching photo databases for facial recognition is a powerful instrument of mass surveillance. End-to-end encryption can protect us all from this feature. Many Internet providers already search uploaded content for abusive images based on known hashes. However, it is not possible to search end-to-end encrypted content for these patterns without weakening the encryption. This is a known problem. The EARN IT Act now requires operators to actively implement weaker encryption.

Mathew Green, cryptographer and professor at John’s Hopkins University, summarizes the situation in his statement: “It's the kind of bill you’d come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn’t care.

The crypto-messenger Signal was recently the subject of much media attention. On April 8th, 2020 the company announced that it would withdraw from the US market if the EARN IT Act came into force. It remains to be seen which other companies will position themselves so clearly in the upcoming months.

What Stage in the Legislative Process Are we at?

State: November 2020

So far, hearings on the EARN IT Act have been held in committee. We have no information as to when it is expected to be passed by the Senate and the House of Representatives. The current status of the legislative process can be followed here: S. 3398 - EARN IT Act of 2020. However, the legislative process and the practice of legal interpretation in the USA is different from that in Germany. US courts act according to the so-called common law. They can influence legislation with their jurisdiction. As a result, the EARN IT Act may already be in effect, although the law has not yet been passed. After the election of the new president in November 2020, Senator Lindsey Graham is suspected of manipulating the election and faces calls for his resignation. What happens to the EARN IT Act after its main sponsor is removed is questionable.

Statement of the Boxcryptor Founders Andrea Pfundmeier and Robert Freudenreich

Picture of Andrea Pfundmeier and Robert Freudenreich, the founders of the company Secomba GmbH, the makers of the cloud encryption solution Boxcryptor.

With Boxcryptor we have dedicated ourselves to the effective protection of information. Protecting private information and trade secrets is what motivates us to work on our encryption software every day. Among our customers are journalists, political parties, companies with various business areas, critical infrastructure companies, research institutes, schools and many, many private individuals. The ability to encrypt messages and files of all these people and thus protect them from the prying eyes of third parties is a fundamental prerequisite for a free society. Any attempt to restrict freedom of expression must be firmly opposed.

Are you looking for a cloud provider that is not bound by the EARN IT Act?

We have compared the best known German cloud providers and provide you with an overview of services and data protection.

Cloud Storage — Made In Germany
Share this post