The EARN IT Act is on its way to becoming law in the US and might make it impossible for service providers to keep effective end-to-end encryption in place for their products. And with that, it seems the Crypto Wars are back in full swing.
Today on The Private Citizen, we are talking about the EARN IT bill that’s currently making its way through the US legislature and has been in the news recently. It could change the way the internet works forever – including threatening end-to-end encryption. As a huge part of the internet infrastructure every one of us uses every day is located and/or headquartered in the US, and thus has to adhere to US law, this legislation will have a huge impact on people’s internet usage, no matter where they reside. It is therefore an important topic everyone should be aware of. In today’s episode of the podcast, I will try to recap what’s been going on so far.
I also want to address some comments on my writing with respect to the German contact tracing app that came up on another podcast recently. And as is becoming the norm, we have a lot of producer feedback to go through as well.
Section 230 & The EARN IT Act
Section 230 of the Communications Decency Act of 1996 (47 U.S.C. § 230) is also known as a “safe harbour” provision. It stipulates (broadly) that internet service providers like social networks, search engines, forums and chat systems aren’t publishers in the traditional sense and thus can’t be held accountable for the legal ramifications of content posted by their users. As long as such a platform does not vet every single post by every single user, i.e. exercises editorial oversight, it is thus protected from lawsuits regarding user content. On the contrary, to receive the benefits of these safe harbour protections, service providers must actively protect their users' free speech.
This legislation from the early days of the internet is generally regarded as having enabled the technology growth we benefit from today. But that doesn’t mean that politicians and other groups do not want to change it. These moves are usually wrapped in a mantle of the righteous fight against either child pornography or terrorism. Especially since the beginning of this year, several new initiatives to do so have cropped up. The biggest one is the so-called EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act (Senate Bill 3398), which we are looking at today.
The purpose of this bill is to walk back some of the protections, especially for large providers, and require them to actively remove certain content from their platforms. If they do not do so, they risk losing safe harbour provisions and could get sued by the US federal government. The trouble with this is that some of the language surrounding the measures that have been proposed makes it sound very much like the US government wants to backdoor effective cryptography measures (cf. the so-called Crypto Wars of the ’90s).
Since effective end-to-end encryption means the service provider does not know what a user said, they can’t police it for violations under the new legislation. To comply with the law, the provider would therefore either need to build in a backdoor (i.e. scanning the content locally on the device before it is encrypted) or disable E2E encryption completely on their service.
The EFF explains this as follows:
The day before a committee debate and vote on the EARN IT Act, the bill’s sponsors replaced their bill with an amended version. Here’s their new idea: instead of giving a 19-person federal commission, dominated by law enforcement, the power to regulate the Internet, the bill now effectively gives that power to state legislatures. And instead of requiring that Internet websites and platforms comply with the commission’s “best practices” in order to keep their vital legal protections under Section 230 for hosting user content, it simply blows a hole in those protections. State lawmakers will be able to create new laws allowing private lawsuits and criminal prosecutions against Internet platforms, as long as they say their purpose is to stop crimes against children.
When we say the original EARN IT was a threat to encryption, we’re not guessing. We know that a commission controlled by Attorney General William Barr will try to ban encryption, because Barr has said many times that he thinks encrypted services should be compelled to create backdoors for police. The Manager’s Amendment, approved by the Committee today, doesn’t eliminate this problem. It just empowers over 50 jurisdictions to follow Barr’s lead in banning encryption.
An amendment by Sen. Patrick Leahy (D-VT), also voted into the bill, purports to protect encryption from being the states' focus. It’s certainly an improvement, but we’re still concerned that the amended bill could be used to attack encryption. Sen. Leahy’s amendment prohibits holding companies liable because they use “end-to-end encryption, device encryption, or other encryption services.” But the bill still encourages state lawmakers to look for loopholes to undermine end-to-end encryption, such as demanding that messages be scanned on a local device, before they get encrypted and sent along to their recipient. We think that would violate the spirit of Senator Leahy’s amendment, but the bill opens the door for that question to be litigated over and over, in courts across the country.
And it will only take one state to inspire a wave of prosecutions and lawsuits against online platforms. And just as some federal law enforcement agencies have declared they’re opposed to encryption, so have some state and local police.
The previous version of the bill suggested that if online platforms want to keep their Section 230 immunity, they would need to “earn it,” by following the dictates of an unelected government commission. But the new text doesn’t even give them a chance. The bill’s sponsors simply dropped the “earn” from EARN IT. Website owners—especially those that enable encryption—just can’t “earn” their immunity from liability for user content under the new bill. They’ll just have to defend themselves in court, as soon as a single state prosecutor, or even just a lawyer in private practice, decides that offering end-to-end encryption was a sign of indifference towards crimes against children.
Naturally, amid the COVID-19 chaos in the US, it seems like the bill will pass.
On Thursday, the Senate Judiciary Committee voted to approve a bill that would weaken Section 230 protections to ensure social media companies remove child abuse imagery from their platforms. Introduced in March by Sens. Lindsey Graham (R-SC) and Richard Blumenthal (D-CT), the EARN IT Act is intended to curb the spread of child abuse images on social media, but has undergone a number of significant changes on its way to a full Senate vote. The version that emerged from the committee today follows the legislative framework of FOSTA, or the Fight Online Sex Trafficking Act, from 2018. While FOSTA created a carve-out in Section 230 for online conduct that “promotes or facilitates prostitution,” EARN IT would create a similar carve-out for child abuse imagery online.
That is significantly milder than earlier versions of the bill, which would have presented immense new risks for platforms like Facebook and YouTube. Early versions of EARN IT took aim at platform protections under Section 230 of the Communications Decency Act, threatening to revoke the protections for specific platforms if they did not meet third-party standards for the handling of child abuse imagery. It was met with skepticism from tech companies and trade organizations that feared the measure was an attack on encryption due largely in part to language that could give law enforcement access to users' private conversations.
Shortly before the bill was taken up in committee, Graham filed an amendment that addressed many of those concerns, but critics are not entirely won over. The bill still pokes holes in Section 230 and allows states to sue tech companies based on a variety of state laws.
But throughout Thursday’s hearing, lawmakers suggested that the EARN IT Act was not a sneaky attempt to weaken encryption on platforms. “This bill is not about encryption and it never will be,” Blumenthal, a co-sponsor, said Thursday. Graham also said that his “goal here is not to outlaw encryption… that will be a debate for another day.” The new version of the bill voted on Thursday weakens language that could force companies to create encryption backdoors for law enforcement. Sen. Patrick Leahy (D-VT) filed an amendment to the bill that would “exclude encryption” as something that could heighten liability for platforms. It was approved and incorporated into the measure that now faces a floor vote.
Logbuch: Netzpolitik on the TÜV and the German Contact Tracing App
The German podcast Logbuch: Netzpolitik has, in past episodes, covered the German coronavirus contact tracing app and also talked about my coverage of this on heise online. In their most recent episode, they read out an email from Dirk Kretzschmar, whom I had interviewed about the TÜV security and privacy testing of the app – which I’ve also talked about on this show. That email says some things that make it sound like I didn’t do my job properly. To defend myself against this assumption and in the interest of transparency, I’ve written a blog post explaining some facts about that story.
Producer Feedback
An anonymous Canadian producer from British Columbia replies to producer feedback on the previous episode of the show:
I was just listening to your latest podcast, where Paul rebuked my statements regarding the goings-on in Canada. I feel your comments regarding my previous information were exactly what I was trying to convey. As for my stating that people were being arrested in Ontario, you were 100% correct that I simply stated people were getting fined. Here is a link to a newspaper in Ontario with a picture of the ticket. I did however state that some of the easternmost provinces, not Ontario, had enabled police to enter homes and remove people, and this appears to be linked to this: Provinces and the police are cracking down on cross-border travellers who break the COVID-19 rules
When it comes to the firearms legislation, Paul is correct that it has been in and out of debate for years. The problem is that the party in power wants this and is a minority government, so they need opposition parties to back their bill, or they can not get it passed. Now that the Prime Minister has shut down parliament, he was able to use an “order in council” to bypass the need for support or a democratic vote in parliament, and simply sign his bill right into law. Now I don’t personally own a gun, but I really do not care either way on this one. I do have a military background, so I am quite familiar with firearms. Here is a link to a news TV site that talks about it bypassing democracy. The above order in council is further muddied when you consider the Canadian law regarding the Governor General declaring firearms prohibited.
You also seem to have a very good grasp on our previous firearms regulations. You are correct that you could not previously own an automatic weapon of any kind in Canada. The magazine size of weapons has also been restricted to 10 rounds for more years than I can remember, so this is not much of an issue either. They have now restricted anything that “looks” like an “assault rifle”, including some air soft rifles. They have also limited muzzle power, which will remove some of the larger rifles, such as those needed for buffalo hunting here. And they have also limited bore size, making all shotguns used for hunting fowl illegal. So this is a pretty wide reaching regulation for something that did not go through parliament.
On Paul’s last point that a business in BC did not allow customers in if they wore a mask, I am not sure where he was headed with that one. I feel that his comment actually backs up what I said about the widely varying rules regarding COVID around here. While I did not see that article myself, it is completely in line with what I have been seeing myself, to the point that I would not be surprised in the least. Once again, thank you for your great work and effort. I look forward to hearing from you every week. Every episode is a pleasure to listen to, no matter the topics.
Mika sent me a message via Patreon:
I’d like to take the chance and write in about your last couple of episodes. I really enjoyed No. 28 with Mike. It was an interesting conversation. However at times it was hard to follow you two chatting, with just the Audio. The matter was pretty complex at times. I have no idea how to fix this, but I learned to appreciate the work you put into structuring things in the more regular episodes. Good work.
Regarding Episode 29: You explained how the police went and gathered data the politicians weeks ago explicitly mentioned to be off the table. Somehow in recent years I got the feeling, that in many parts of society (family, politics, media, work…) I get told stories that after very short time or a simple research just fall apart. I will stand away from calling this lies, but either I got a hell of a lot more critical recently or this is just happening more often nowadays. Maybe that is just me, but I feel telling such shit does not cost you anything, if you are, let’s say a politician or a journalist. For me that is a constant breach of trust there, to a point where I just feel utterly lost that you can so easily get away with this. Really wonder if that’s just me or, if this is part of what makes you so angry about this, too. What do you think?
Daniël Bos says:
I’m probably the listener from China that you saw in the logs. I took Linux Outlaws with me when I moved to Beijing from NL a bit over a decade ago, and have been following your work ever since!
Fadi Mansour shares his thoughts on episode 29:
I think your position about the data privacy laws and how they are being applied is totally justified, especially in the context of a democracy, where the target is to refine the laws, and prevent “the scope creep”, where you start with a good intentioned law, and then you have all those “interesting” side effects (trying to avoid being too conspiracy theory minded here). It’s very important to exercise the available options, to make sure that these democracies remain as such. But on the other hand, the pragmatic in me would also keep in mind that laws could be ignored. And here “Datensparsamkeit” becomes important.
Jumping to a different topic: The feedback from Martin raised some interesting points (not data privacy specific though). For whatever reason, I find conspiracy theories and the reactions towards them quite interesting. And, sometimes jokingly, I would call myself a “Conspiracy Theorist”, although this is only due to my willingness to entertain different ideas, and not take facts in terms of absolute blacks and whites. It’s really sad how this “conspiracy theory” label is used to tag information that someone, somewhere, would like others to avoid!
And to go back to Martin’s comment, what he probably wanted to say is that, unlike religion, “fantasists” (to use his term) are arguing against un-disputable facts. It might be the case in some, edge and really far-fetched ones. But the core issue for me is: What is “un-disputable”?! You gave the Trump-Ukraine issue, and I would bet that every side has their own version of the un-disputed facts. Thanks again for the thought provoking topics, and always stay free and misbehave.
Barry Williams says he loves it when I reference Terry Pratchett. He says he actually laughed out loud when I mentioned the exclamation mark thing in a previous episode.
Evgeny Kuznetsov also chimes in again:
I must confess, I don’t think highly of GDPR and similar regulations. I think they do more harm than good, and I think the whole “right to be forgotten” concept is outright insane. I mean, ask Barbra Streisand, it doesn’t work that way; if you expose something you don’t want people to become aware of, there’s no way to un-expose it anyway, and if that’s something you don’t care whether people become aware of or not, the whole point is moot…
And I don’t really care what information corporations have about me anyway. The only case where I can realistically fathom a corporation having an advantage when they know something about me that I’d rather they didn’t is insurance: if they want more money from me because they know I eat unhealthy from time to time, that’s an issue. Other than that, what can a corporation do with that information about me or my family? Sell me a product I didn’t really need? Well, it’s up to me to make the right purchase decisions, and I’m not going to blame my unfortunate purchase decisions on ads. Google knows a lot about me; I used to have Gmail for my main inbox. For a decade they knew literally everything about my life. Do I think it’s a problem? Yes. Why? Only – only! – because they can be subpoenaed by the government to give that information up.
And the government – oh, yes, that’s dangerous. Corporations are about money, which is relatively harmless; the government is about power. Power over me personally, with the police to tell me what to do. And money, too, of course, with the taxman telling me how much I owe. That’s the real threat here, not some subtle influence on my purchasing decision; these people can put me in jail, they can execute me, they can take all my money, they can do anything they please, and I have no way to retort, nothing to fight back with short of mass protest – and for that I need to come in big numbers, or they just throw me in jail individually. If you think I sound tinfoil-hat’y or otherwise paint too dark a picture, keep in mind: I’m Russian. There’s history here, and not a single good reason to assume the government’s benevolence on any level of any aspect. The government is bad and it is out to get me, period. Better safe than sorry.
So yes, I agree with you: the government getting the information is much worse than companies. And we should resist that in any way we can. The problem is – and you’ve pointed that out – where’s the public outcry? Where indeed? Or are we – me, you and other listeners of this show – a geeky minority with tinfoil hats and weird ideas of no use to anyone?
Oh, and you’ve asked on an earlier episode to provide pronunciation hints. In case you’re going to mention this piece of feedback, my name is [jevˈɡʲenʲɪj] [kʊznʲeˈt͡sof] (maybe even [jɪvˈɡʲenʲɪj] [kʊznʲɪˈt͡sof] in some of the variants).
If you also have thoughts on the topics discussed in this or previous episodes, please feel free to contact me.
Toss a Coin to Your Podcaster
I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.
You can also support the show by sending money via PayPal, if you prefer.
This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me, pard. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.
Thanks and Credits
I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show.
Aside from the people who have provided feedback and research and are credited as such above, I’m thankful to Raúl Cabezalí, who composed and recorded the show’s theme, a song called Acoustic Routes. I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.
But above all, I’d like to thank the following people, who have supported this episode through Patreon or PayPal and thus keep this show on the air: Niall Donegan, Michael Mullan-Jensen, Jonathan M. Hethey, Georges Walther, Dave, Rasheed Alhimianee, Butterbeans, Kai Siers, Mark Holland, Steve Hoos, Shelby Cruver, Vlad, Fadi Mansour, Jackie Plage, 1i11g, Matt Jelliman, Joe Poser, Philip Klostermann, ikn, Dirk Dede, Jaroslav Lichtblau, Dave Umrysh, David Potter, Mika, Vytautas Sadauskas, RikyM, drivezero, Martin, Jonathan Edwards, Barry Williams, Silviu Vulcan and S.J.