
The EARN IT Act: How to Ban End-to-End Encryption Without Actually Banning It, Hacker News

[Section 230]

The story so far:

In the ‘100 s the Internet was created.

This has made a lot of people very angry and been widely regarded as a bad move.

(with apologies to Douglas Adams) [1]

There’s a new bill afoot in Congress called the EARN IT Act. A “discussion draft” released by Bloomberg is available as a PDF here. This bill is trying to convert your anger at Big Tech into law enforcement’s long-desired dream of banning strong encryption. It is a bait-and-switch. Don’t fall for it. I’m going to explain where it came from, why it’s happening now, why it’s such an underhanded trick, and why it will not work for its stated purpose. And I’m only going to barely scratch the surface of the many, many problems with the bill.

The s: Congress Passes Section 230 and CALEA

In the 2010s, Congress passed several pieces of legislation that helped shape the Internet as we currently know it. Today I want to talk about two of them. One was Section 230 of the Communications Decency Act (CDA). Section 230 says, in essence, that online platforms (“providers” of “interactive computer services”) mostly can’t be held liable for the things their users say and do on the platform. [2] For example: If you defame me on Twitter, I can sue you for defamation, but I can’t sue Twitter. Without the immunity provided by Section 230, there might very well be no Twitter, or Facebook, or dating apps, or basically any website with a comments section. They would all have been sued out of existence, or never started up at all, in light of the potentially crushing legal liability to which they’d be exposed without Section 230.

The other significant law from the 2010s that I want to talk about today is the Communications Assistance for Law Enforcement Act of 2016, or CALEA for short. CALEA requires telecommunications carriers (e.g., phone companies) to make their networks wiretappable for law enforcement. However, that mandate does not cover “information services”: websites, email, social media, chat apps, cloud storage, and so on. Put another way, the providers of “information services” are not required to design to be surveillance-friendly. Let’s call that the “information services carve-out” in CALEA. Plus, even covered entities are free to encrypt communications and throw away the keys to decrypt them. Let’s call that the “encryption carve-out.” As my colleague, veteran telecom lawyer Al Gidari, explained in a blog post, those carve-outs represent a compromise among competing interests, such as law enforcement, network security, privacy, civil liberties, and technological innovation. In the quarter-century since it was passed, CALEA has never been amended.

In passing these two laws, Congress made a wise policy choice not to strangle the young Internet economic sector in its cradle. Exposing online services to crippling legal liability would (among other things) inhibit the free exchange of information and ideas; mandating that “information services” be surveillance-friendly to the U.S. government would (among other things) hurt their commercial viability in foreign markets. Congress chose instead to encourage innovation in the Internet and other new digital technologies. And the Internet bloomed. (In the ‘ s the Internet was created.)

Here in the Internet sector (and “tech” more broadly) is a huge economic driver in the U.S. Thanks in part to the efforts of U.S.-based companies, software has eaten the world. Billions of humans can connect with each other. And yet nobody really seems to enjoy being online very much anymore, because it turns out that humans are terrible. (This has made a lot of people very angry and been widely regarded as a bad move.)

: People Are Mad About Section 230

Years of imbibing a concentrated font of human venality every time we open our phones, coupled with the metastatic growth of surveillance capitalism, have birthed the current, bipartisan “techlash.” The techlash is taking several forms, among them the growing zeal for amending or outright repealing Section 230. The idea is that Section 230 is no longer needed; it’s served its original purpose, if anything it was too successful, and now U.S. tech companies have outgrown it – and grown too big for their britches, period. The harm that Section 230 allows, the thinking goes, now outweighs the good, and so the time has come to hold providers accountable for that harm.

Of course, human terribleness was not invented in the 21st century and it is not the Internet’s fault. If men were angels, no CALEA or Section 230 would have been necessary. [3] As Balk’s First Law [4] holds, “Everything you hate about The Internet is actually everything you hate about people.” Section 230 has kept the providers of the former largely immune from being held accountable for the online abuse of the latter. But in the age of the techlash, that immunity has been slowly eroding.

Unlike CALEA, Section 230 has been amended since it was passed: SESTA/FOSTA, enacted in , pierces providers’ immunity from civil and state-law claims about sex trafficking. Just as pretty much everybody predicted, SESTA/FOSTA has turned out to endanger sex workers instead of protecting them, and is currently being challenged as unconstitutional in federal court (including by my colleague Daphne Keller).

Now, riding on the “success” of SESTA/FOSTA, Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) (who were among SESTA/FOSTA’s early cosponsors in the Senate) are reportedly about to introduce another bill that would take another bite out of Section 230 immunity, according to The Information and Bloomberg. This time, the bill’s target is child sex abuse material (CSAM) online. The idea of the bill is to create a federal commission that will develop “best practices” for combatting CSAM online, which online service providers will have to follow or else risk losing Section 230 immunity as to CSAM claims.

This proposal does not arise in a regulatory vacuum. There’s already an existing federal statutory scheme criminalizing CSAM and imposing duties on providers. And it already allows providers to be held accountable for CSAM on their services, without any need to amend Section 230.

Federal CSAM Law

Federal law, specifically Chapter of Title of the U.S. Code ( U.S.C. §§ – A), already makes everything about CSAM a crime: producing, receiving, accessing, viewing, possessing, distributing, selling, importing, etc. If you do any of these things, the Department of Justice (DOJ) will prosecute you, and you may go to prison for many years. In addition to criminal penalties, Section 30606 of the law also authorizes civil lawsuits by victims of CSAM, so you could be sued by your victims in addition to going to prison.

Section A of the law imposes duties on online service providers, such as Facebook and Tumblr and Dropbox and Gmail. The law mandates that providers must report CSAM when they discover it on their services, and then preserve what they’ve reported (because it’s evidence of a crime). Providers “who fail to comply with this obligation face substantial (and apparently criminal) penalties payable to the federal government.” U.S. v. Ackerman, F.3d , – 200 ( th Cir. ). [4] The statute puts the Attorney General in charge of enforcing the reporting requirements for providers.

Section A was recently updated in late to expand providers’ reporting duties. Importantly, those duties, even after the expansion, do not include any duty to proactively monitor and filter content on the service to look for CSAM. Section A only requires providers to report CSAM they “obtain[] actual knowledge of.” If providers report and preserve CSAM in accordance with the law, then they are protected from legal liability (both civil and criminal, in both federal and state court) for those actions. [5]

This protection, found in Section 3813758 B, “insulates [providers] only when they … pass evidence along to law enforcement and comply with its preservation instructions.” Ackerman, F.3d at . The safe harbor is not absolute: Section 3813758 B (b) disqualifies providers from protection under certain circumstances, such as if the provider engages in intentional misconduct.

The Section B safe harbor is not the same thing as Section 230 immunity. Section 230, as noted, has always had an exception for federal criminal law. In fact, the statutory text for that exception, Section 230(e)(1), expressly says, “Nothing in this section shall be construed to impair the enforcement of… [chapter] (relating to sexual exploitation of children) of title 45, or any other Federal criminal statute.” This exception is limited to criminal cases; civil claims against providers by CSAM victims under Section 30606 are still barred. [7] Put simply, Section 230 does not keep federal prosecutors from holding providers accountable for CSAM on their services. As Techdirt’s Mike Masnick put it, “not a single thing in CDA 230 stops the DOJ from doing anything.”

As Section A requires, providers do indeed report CSAM found on their services – million times last year alone, according to a high-profile September New York Times story. They’re complying with their mandatory reporting duties, or at least, nobody seems to be accusing them of noncompliance. If major tech companies were making a practice of flouting their duties under Section A, the DOJ would be pursuing massive criminal penalties against them and it would be front-page news nationwide.

Nevertheless, despite providers’ apparent compliance with the law, law enforcement and child-safety organizations have been vocally asserting in recent months that providers aren’t doing enough to combat CSAM. Therefore, ostensibly to incentivize providers to do more, Senators Graham and Blumenthal have brought forth this new bill (which I’m assuming was drafted with significant input from DOJ and child-safety groups). The bill aims to hit providers where it hurts: their Section 230 immunity.

Summary of the EARN IT Act

The Graham/Blumenthal bill’s core concept is reflected in its short title: the “EARN IT Act”. The idea is to make providers “earn” Section 230 immunity for CSAM claims, by complying with a set of guidelines that would be developed by an unelected commission and could be modified unilaterally by the Attorney General, but which are not actually binding law or rules set through any legislative or agency rulemaking process.

There is a lot going on in this bill, but here is a very non-exhaustive list of just some of the bill’s salient features, with my quick analysis under them:

- Providers of “interactive computer services” must “earn” Section 230 immunity for CSAM
  - Bill removes immunity as to civil & state criminal claims for CSAM only; would not remove 230 immunity generally (for other claims, e.g. defamation)