Cookie Consent
This website uses cookies to improve the user experience. By clicking accept, you agree to the use of cookies. You can object by clicking decline. Find more details in our privacy policy.
Implications of the CLOUD Act for the users of a cloud service
Lisa Figas. Marketing Manager at Boxcryptor
Lisa Figas | Marketing Manager
Tuesday, May 26, 2020

The EARN IT Act of the USA - Trust Must Be Earned

Abstract: Under the pretext of protecting children, the USA is expanding the surveillance state by forcing companies to weaken end-to-end encryption. The means of pressure: Internet offers are supposed to be liable for the content of their users.

What Is the EARN IT Act?

Four senators from the US Senate are leading the bill, which is called the EARN IT Act. The abbreviation stands for Eliminating Abusive and Rampant Neglect of Interactive Technologies Act. To put it bluntly, the official goal of the EARN IT Act is to remove abusive depictions of children on the net. But this is only a pretext.

Currently, most IT companies use encryption to protect the content and passwords of their users from unauthorized access. Depending on the level of encryption, even the IT company itself can no longer decrypt the information – in other words, make it readable. Senators Graham, Hawley, Blumenthal and Feinstein want to force companies to eliminate strong encryption and/or build backdoors into their software. They are using the lever of liability law to do this. According to the EARN IT Act, the corporate disclaimer should only remain in place if the companies make it technically possible to search all uploaded, stored, or sent files. This way, illegal files can to be detected. This is sold to the American people through the pretense of child protection. After all – so the four senators argue – the search of all files is the only way to stop pedophiles who share child sexual abuse material (CSAM) online.

An influential lobby of concerned parents and self-proclaimed child welfare activists has thus set about securing broad support for the EARN IT Act, both online and offline.

Opponents of the new law, on the other hand, have a hard time: Those who oppose the EARN IT Act automatically side with pedophiles – at least that’s what the supporters of the new law claim.

What Impact Would the EARN IT Act Have?

Section 230 of the Communications Decency Act protects Internet platforms from being sued for content that their users upload. This is a legal peculiarity in the USA on which (among other things) the enormous success of US Internet platforms is based. The EARN IT Act is now intended to undermine this Communications Decency Act. The plan is that companies must earn protection from lawsuits that relate to CSAM. However, the bill does not say exactly how they can earn this right. In the future, a commission will be set up to develop those criteria. This means that the law will be passed, but the exact implementation of it will only be worked out once it has been adopted. At the moment, only the composition of this commission is known.

Civil rights activists assume that the commission will decide on the compulsory installation of back doors to undermine end-to-end encryption. Those fears are fed by two sources. On the one hand, breaking end-to-end encryption is the only technically feasible way to make all content searchable. On the other hand, several members of the commission are delegates of the state security authorities, which suggests that they have a clear agenda: to abolish end-to-end encryption.

This would be fatal from the point of view of civil rights and would further expand the surveillance state. Various organizations are already fighting against the EARN IT Act. One well-known group, the Electronic Frontier Foundation (EFF) is focusing on proving that the new law violates the First Amendment: Protect our Speech and Security Online

The First Amendment:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

An example: Searching photo databases for facial recognition is a powerful instrument of mass surveillance. End-to-end encryption can protect us all from this feature. Many Internet providers already search uploaded content for abusive images based on known hashes. However, it is not possible to search end-to-end encrypted content for these patterns. This is a known and so far, unsolved problem. However, the EARN IT Act now requires operators to find a solution – or force them to abandon end-to-end encryption.

Mathew Green, cryptographer and professor at John’s Hopkins University, summarizes the situation in his statement: “It's the kind of bill you’d come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn’t care.

The crypto-messenger Signal was recently the subject of much media attention. On April 8th 2020 the company announced that it would withdraw from the US market if the EARN IT Act came into force. It remains to be seen which other companies will position themselves so clearly in the coming months.

What Stage in the Legislative Process Are we at?

Compared to the first draft of the EARN IT Act, the composition of the commission was revised in a second draft due to strong criticism. In addition, the conditions for “earning” exemption from liability must now be approved by Congress. Thus, at least the control has been slightly increased. But the law is still under heavy fire.

So far, hearings on the EARN IT Act have been held in committee. We have no information as to when it is expected to be passed by the Senate and the House of Representatives. The current status of the legislative process can be followed here: S. 3398 - EARN IT Act of 2020. However, the legislative process and the practice of legal interpretation in the USA is different from that in Germany. US courts act according to the so-called common law. They can influence legislation with their jurisdiction. As a result, the EARN IT Act may already be in effect, although the law has not yet been passed.

Statement of the Boxcryptor Founders Andrea Pfundmeier and Robert Freudenreich

Picture of Andrea Pfundmeier and Robert Freudenreich, the founders of the company Secomba GmbH, the makers of the cloud encryption solution Boxcryptor.

With Boxcryptor we have dedicated ourselves to the effective protection of information. Protecting private information and trade secrets is what motivates us to work on our encryption software every day. Among our customers are journalists, political parties, companies with various business areas, critical infrastructure companies, research institutes, schools and many, many private individuals. The ability to encrypt messages and files of all these people and thus protect them from the prying eyes of third parties is a fundamental prerequisite for a free society. Any attempt to restrict freedom of expression must be firmly opposed.

Are you looking for a cloud provider that is not bound by the EARN IT Act?

We have compared the best known German cloud providers and provide you with an overview of services and data protection.

Cloud Storage — Made In Germany
Partager cette publication