When brought to the senate floor early 2020, the “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020” or “EARN IT Act of 2020” was introduced to combat online child sexual exploitation. Now no one would even attempt to say that what the bill is combating is not important. However, there are potentially dangerous implications when looking deeper into the act. The act is seemingly benign at face value, yet the act has the opportunity to undermine some of the basic grantees of the internet, free speech and encryption.
A big implication of this new act is the potential regulation of “editorial activity” that is protected by the first amendment. According to the EFF (Electronic Frontier Foundation), “the bill would allow the government to go much further and regulate how online service providers operate their platforms and manage user-generated content.” Instead of targeting child sexual abuse material (CSAM) directly the government is turning online service agents into agents of the government. For fear of liability when it comes to CSAM these online service providers might elect to filter out content themselves which attacks the very freedoms that the First Amendment provides.
As government actors, online service providers might also intrude on Americans’ Fourth Amendment rights. According to CDT (Center for Democracy and Technology), “If a private party becomes an agent of the government who conducts searches for the government, the Fourth Amendment applies to those searches.” Therefore, if an online service provider conducts a search without a warrant because of pressure due to the government, incriminating material can be thrown out of a case due to the breach of the Fourth Amendment. Despite the almost guaranteed attacks to Americans’ First and Fourth Amendment rights, the potential undermining of end to end encryption is far worse.
The reason the EARNIT Act has the potential to bring down e2ee (end to end encryption) is that the only possible way for a service provider to take down CSAM and identify it is to breach encryption. The clearly undefined meaning of “best practices” when it comes to monitoring and removing CSAM allows the government to establish whether encryption of user data removes liability from the entity in the courts. An amendment to the bill was brought up in August 2020 to address this very issue. However, the very structure of the bill pushes the detection of CSAM to the client-side. While one idea is to hash all images and match these hashes to known CSAM this would still require known CSAM to be monitored and regulated. No matter what future amendments to the bill there may be, the fact that liability is put on online service providers undermines the peoples right to encryption.
The EARNIT Act was introduced with good intentions, but like all things government not every possible avenue was considered. It is very clear that no professionals were consulted before the creation of this bill. If enacted this bill will have very dire consequences. From attacking Americans’ First and Fourth Amendment rights to undermining their right to encryption, not much good will come from this act.
– Jacob Doll
RIT Cyber Security Policy and Law Class Blog 