Cookie Consent
This website uses cookies to improve the user experience. By clicking accept, you agree to the use of cookies. You can object by clicking decline. Find more details in our privacy policy.
Implications of the CLOUD Act for the users of a cloud service
Lisa Figas. Marketing Manager at Boxcryptor
Lisa Figas | Marketing Manager
@meet_lisa
Thursday, August 6, 2020

The EARN IT Act of the USA - Trust Must Be Earned

Abstract: Under the pretext of protecting children, the surveillance state is to be expanded in the USA. A new law, the EARN IT Act, is intended to force companies to abolish end-to-end encryption. The means of pressure: Platform providers should be liable for the content of their users. This law is now available in a revised and mitigated version. But there is no reason to sound the all-clear.

What Is the EARN IT Act?

Four senators from the US Senate are leading the bill, which is called the EARN IT Act. The abbreviation stands for Eliminating Abusive and Rampant Neglect of Interactive Technologies Act. To put it bluntly, the official goal of the EARN IT Act is to remove abusive depictions of children on the net.

The law was heavily criticized for abolishing end-to-end encryption - an effect that was never officially stated, but would have been the only way for companies to implement the law's requirements. The passage in question was amended shortly before it was passed in the Senate.

Currently, most IT companies use encryption to protect the content and passwords of their users from unauthorized access. Depending on the level of encryption, even the IT company itself can no longer decrypt the information – in other words, make it readable. Senators Graham, Hawley, Blumenthal and Feinstein want to force companies to eliminate strong encryption and/or build backdoors into their software. They are using the lever of liability law to do this. According to the original version of the EARN IT Act, the corporate disclaimer should only remain in place if the companies make it technically possible to search all uploaded, stored, or sent files. This way, illegal files can to be detected. After all – so the four senators argue – the search of all files is the only way to stop pedophiles who share child sexual abuse material (CSAM) online.

An influential lobby of concerned parents and self-proclaimed child welfare activists has thus set about securing broad support for the EARN IT Act, both online and offline.

Opponents of the new law, on the other hand, have a hard time: Those who oppose the EARN IT Act automatically side with pedophiles – at least that’s what the supporters of the new law claim.

What Impact Would the EARN IT Act Have?

Section 230 of the Communications Decency Act protects Internet platforms from being sued for content that their users upload. This is a legal peculiarity in the USA on which (among other things) the enormous success of US Internet platforms is based.

The EARN IT Act is now intended to undermine this Communications Decency Act. The plan was that companies must earn protection from lawsuits that relate to CSAM. However, the bill did not say exactly how they can earn this right. In the original version, a commission was planned to be responsible for further development.

The current version of the EARN IT Act no longer provides for this commission. At first it seems that the danger has been averted. But instead of a commission, the legislator hands over the design of the regulations of the EARN IT Act to the individual states.

The EARN IT Act thus sets the framework for private individuals and law enforcement agencies to be able to sue the platforms directly if crimes against children are prosecuted. Section 230 is also undermined in the new version of the EARN IT Act – but now passed on to state level.

Companies are to be forced to weaken end-to-end encryption to give authorities access to user accounts and content. If this law is passed, it would impact civil rights considerably and would further expand the surveillance state. Various organizations are already fighting against the EARN IT Act. One well-known group, the Electronic Frontier Foundation (EFF) is focusing on proving that the new law violates the First Amendment: Protect our Speech and Security Online

The First Amendment:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

An example: Searching photo databases for facial recognition is a powerful instrument of mass surveillance. End-to-end encryption can protect us all from this feature. Many Internet providers already search uploaded content for abusive images based on known hashes. However, it is not possible to search end-to-end encrypted content for these patterns without weakening the encryption. This is a known problem. The EARN IT Act now requires operators to actively implement weaker encryption.

Mathew Green, cryptographer and professor at John’s Hopkins University, summarizes the situation in his statement: “It's the kind of bill you’d come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn’t care.

The crypto-messenger Signal was recently the subject of much media attention. On April 8th 2020 the company announced that it would withdraw from the US market if the EARN IT Act came into force. It remains to be seen which other companies will position themselves so clearly in the coming months.

What Stage in the Legislative Process Are we at?

State: August 2020

So far, hearings on the EARN IT Act have been held in committee. We have no information as to when it is expected to be passed by the Senate and the House of Representatives. The current status of the legislative process can be followed here: S. 3398 - EARN IT Act of 2020. However, the legislative process and the practice of legal interpretation in the USA is different from that in Germany. US courts act according to the so-called common law. They can influence legislation with their jurisdiction. As a result, the EARN IT Act may already be in effect, although the law has not yet been passed.

Statement of the Boxcryptor Founders Andrea Pfundmeier and Robert Freudenreich

Picture of Andrea Pfundmeier and Robert Freudenreich, the founders of the company Secomba GmbH, the makers of the cloud encryption solution Boxcryptor.

With Boxcryptor we have dedicated ourselves to the effective protection of information. Protecting private information and trade secrets is what motivates us to work on our encryption software every day. Among our customers are journalists, political parties, companies with various business areas, critical infrastructure companies, research institutes, schools and many, many private individuals. The ability to encrypt messages and files of all these people and thus protect them from the prying eyes of third parties is a fundamental prerequisite for a free society. Any attempt to restrict freedom of expression must be firmly opposed.

Are you looking for a cloud provider that is not bound by the EARN IT Act?

We have compared the best known German cloud providers and provide you with an overview of services and data protection.

Cloud Storage — Made In Germany
Поделиться этой записью