By Joe Mullin
February 3, 2022
People don’t want outsiders reading their private messages—not their physical mail, not their texts, not their DMs, nothing. It’s a clear and obvious point, but one place it doesn’t seem to have reached is the U.S. Senate.
A group of lawmakers led by Sen. Richard Blumenthal (D-CT) and Sen. Lindsey Graham (R-SC) have re-introduced the EARN IT Act, an incredibly unpopular bill from 2020 that was dropped in the face of overwhelming opposition. Let’s be clear: the new EARN IT Act would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe. It’s a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online—backups, websites, cloud photos, and more—is scanned.
The bill empowers every U.S. state or territory to create sweeping new Internet regulations, by stripping away the critical legal protections for websites and apps that currently prevent such a free-for-all—specifically, Section 230. The states will be allowed to pass whatever type of law they want to hold private companies liable, as long as they somehow relate their new rules to online child abuse.
The goal is to get states to pass laws that will punish companies when they deploy end-to-end encryption, or offer other encrypted services. This includes messaging services like WhatsApp, Signal, and iMessage, as well as web hosts like Amazon Web Services. We know that EARN IT aims to spread the use of tools to scan against law enforcement databases because the bill’s sponsors have said so. In a “Myths and Facts” document distributed by the bill’s proponents, it even names the government-approved software that they could mandate (PhotoDNA, a Microsoft program with an API that reports directly to law enforcement databases).
The document also attacks Amazon for not scanning enough of its content. Since Amazon is the home of Amazon Web Services, host of a huge number of websites, that implies the bill’s aim is to ensure that anything hosted online gets scanned.
Separately, the bill creates a 19-person federal commission, dominated by law enforcement agencies, which will lay out voluntary “best practices” for attacking the problem of online child abuse. Regardless of whether state legislatures take their lead from that commission, or from the bill’s sponsors themselves, we know where the road will end. Online service providers, even the smallest ones, will be compelled to scan user content, with government-approved software like PhotoDNA. If EARN IT supporters succeed in getting large platforms like Cloudflare and Amazon Web Services to scan, they might not even need to compel smaller websites—the government will already have access to the user data, through the platform.
A provision of the bill that purports to protect services using encryption (Section 5, Page 16) doesn’t come close to getting the job done. State prosecutors or private attorneys would be able to drag an online service provider into court over accusations that their users committed crimes, then use the fact that the service chose to use encryption as evidence against them—a strategy that’s specifically allowed under EARN IT.
It’s hard to imagine anyone daring to use this supposed defense of encryption. Instead, they’ll simply do what the bill sponsors are demanding—break end-to-end encryption and use the government-approved scanning software. Just as bad, providers of services like backup and cloud storage who don’t currently offer user-controlled encryption are even less likely to protect their users by introducing new security features, because they will risk liability under EARN IT.
Senators supporting the EARN IT Act say they need new tools to prosecute cases over child sexual abuse material, or CSAM. But the methods proposed by EARN IT take aim at the security and privacy of everything hosted on the Internet.
Possessing, viewing, or distributing CSAM is already written into law as an extremely serious crime, with a broad framework of existing laws seeking to eradicate it. Online service providers that have actual knowledge of an apparent or imminent violation of current laws around CSAM are required to make a report to the National Center for Missing and Exploited Children (NCMEC), a government entity which forwards reports to law enforcement agencies.
Section 230 already does not protect online service providers from prosecutions over CSAM—in fact, it doesn’t protect online services from prosecution under any federal criminal law at all.
Internet companies are already required to report suspected CSAM if they come across it, and they report on a massive scale. That scale already comes with a lot of mistakes. In particular, new scanning techniques used by Facebook have produced many millions of reports to law enforcement, most of them apparently inaccurate. Federal law enforcement has used the massive number of reports produced by this low-quality scanning to suggest there has been a huge uptick in CSAM images. Then, armed with misleading statistics, the same law enforcement groups make new demands to break encryption or, as with EARN IT, hold companies liable if they don’t scan user content.
Independent child protection experts aren’t asking for systems to read everyone’s private messages. Rather, they recognize that children—particularly children who might be abused or exploited—need encrypted and private messaging just as much as, if not more than, the rest of us. No one, including the most vulnerable among us, can have privacy or security online without strong encryption.
In their “Myths and Facts” sheet, the bill’s supporters have said the quiet part out loud. Some of the document’s falsehoods are breathtaking, such as the statement that internet businesses are provided “blanket and unqualified immunity for sexual crimes against children.” It (falsely) reassures small business owners who dare to have websites that the government-ordered scanning they will be subject to will come “without hindering their operations or creating significant costs.” And it says that using automated tools that submit images and videos to law enforcement databases is “not at odds with preserving online privacy.”
The Senators supporting the bill have said that their mass surveillance plans are somehow magically compatible with end-to-end encryption. That’s completely false, no matter whether it’s called “client side scanning” or another misleading new phrase.
The EARN IT Act doesn’t target Big Tech. It targets every individual internet user, treating us all as potential criminals who deserve to have every single message, photograph, and document scanned and checked against a government database. Since direct government surveillance would be blatantly unconstitutional and provoke public outrage, EARN IT uses tech companies—from the largest ones to the very smallest ones—as its tools.
The strategy is to get private companies to do the dirty work of mass surveillance. This is the same tactic that the U.S. government used last year, when law enforcement agencies tried to convince Apple to subvert its own encryption and scan users’ photos for them. (That plan has stalled out after overwhelming opposition.) It’s the same strategy that U.K. law enforcement is using to convince the British public to give up its privacy, having spent public money on a laughable publicity campaign that demonizes companies that use encryption.
We won’t waver in our support for privacy and security for all, and the encryption tools that support those values. This bill may be voted on by the Senate Judiciary Committee in just a few days. We’ve told the U.S. Senate that we will not back down in our opposition to EARN IT. We need you to speak up as well.