The EARN IT Act’s serious privacy, security and free speech implications

The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020 (EARN IT), a bill introduced by Senator Lindsey Graham (R-South Carolina) and Senator Richard Blumenthal (D-Connecticut), aimed at protecting children from online predators, is facing scrutiny from those who believe it will undermine privacy, promote censorship and jeopardize the right to free speech.

Introduced in March, the original version of the bill proposed that if online platforms wanted to retain their Section 230 immunity (part of the Federal Communications Act that protects internet companies from liability for user content posted on their platforms), they would need to “earn it” by following the requirements of an unelected government commission.

Recent amendments to the bill make this commission’s best practices requirements voluntary, instead allowing states to bring criminal or civil charges against companies that violate them. The new version of the bill leaves discretion to each state to enforce their own child exploitation laws, which introduces inconsistency and opens the door for states to create laws that could potentially undermine data protections like end-to-end encryption.

Senator Ron Wyden (D-Oregon), criticizing the amended version of the EARN IT Act, said that “by allowing any individual state to set laws for internet content, this bill will create massive uncertainty, both for strong encryption and free speech online.”

While the EARN IT Act is well intentioned, the bill’s serious privacy, security and freedom of speech implications are drawing a flurry of criticism from other security experts and activist groups as well.

Joe Mullin, policy analyst for the Electronic Frontier Foundation (EFF) website said: “…the bill still encourages state lawmakers to look for loopholes to undermine end-to-end encryption, such as demanding that messages be scanned on a local device, before they get encrypted and sent along to their recipient.”

Security experts are particularly concerned about the amended version’s requirement for some form of “client-side scanning,” which requires device makers and internet platforms to scan all data before and after encryption. Under the current version of the legislation, encrypted messaging service providers would be required to monitor messages for abusive material. Such monitoring essentially opens a back door to encryption that compromises security and confidentiality.

The American Civil Liberties Union (ACLU) called the EARN IT Act “a disaster for online speech and privacy” and noted that this bill “will strike at the heart of encrypted communications and undermine free expression on the internet.” In a letter to the U.S. Senate Judiciary Committee, the ACLU said: “by allowing states to set their own standards for platform liability for CSAM [Child Sexual Abuse Material], the amended version allows states to create inappropriate standards by which platform responsibility for user generated content should be judged. Reckless or negligence standards, which may already be in effect for publication in certain state laws, will increase the likelihood that platforms over censor speech and undermine or weaken encryption standards in order to avoid legal risk.”

Security measures such as end-to-end encryption are now more important than ever as the COVID-19 pandemic increases reliance on digital platforms in every area of life from living to working to socializing. This accelerated digital transformation is widening the threat landscape and exposing networks, devices and data to increasing cybersecurity risk.

End-to-end encryption is critical to thwarting cybercriminals that are using the pandemic for commercial gain. Alarming data collected from late January to April by cloud security company Zscaler shows that malicious cyber actors are taking advantage of the increased dependence on digital platforms, reporting an increase of 30,00 percent in phishing, malicious websites and malware targeting remote users.

As these cyber threats continue to ramp up, the amended version of the EARN IT Act was unanimously approved by the Senate Judiciary Committee in July, paving the way for the bill to head for debate on the Senate floor.

The EEF and other organizations oppose passage of the bill with EEF policy analyst Joe Mullin saying: “offering users real privacy, in the form of end-to-end encrypted messaging, and robust platforms for free speech shouldn’t produce lawsuits and prosecutions. The new EARN IT bill will do just that and should be opposed.”

Combating child sexual abuse material on online platforms is a serious problem that needs to be addressed, but Congress should go back to the drawing board on the EARN IT Act and develop measures that achieve this without limiting free speech or compromising security.

Anurag Lal is the President & CEO of Infinite Convergence Solutions. With more than 25 years of leadership and operating experience in technology, mobile, SaaS, cloud and telecom services, Anurag leads a talented team of innovators who are transforming everyday messaging technology into secure, highly scalable communication platforms that can be leveraged across a variety of markets and segments. Appointed by the Obama administration, Anurag also previously served as a Director of the U.S. National Broadband Task Force (part of the Federal Communications Commission). A frequent contributor on wireless connectivity, broadband and related security issues, Anurag has received various industry accolades, including recognition by the Wireless Broadband Industry Alliance in the U.K. for exceptional individual contributions to the wireless broadband industry.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.