The anti-privacy EARN IT Act could change the internet as you know it

Because the internet is a strange and complicated place, the fate of your digital privacy is, at this very moment, intertwined with that of online message boards and comment sections. And things, we’re sorry to report, aren’t looking so hot.

At issue is the seemingly unrelated EARN IT Act. Pushed by Republican Sen. Lindsey Graham and a host of bipartisan co-sponsors, and voted on by the Senate Judiciary Committee last Thursday, the measure ostensibly aims to combat online child sexual abuse material. However, according to privacy and security experts who spoke with Mashable, the bill both directly threatens end-to-end encryption and promises to spur new and sustained online censorship by weakening Section 230 — a provision of the Communication Decency Act of 1996 that protects internet providers from being held liable for their users’ actions.

The devil, as it so often can be found, is in the details. That’s because the newly amended version of the bill essentially gives state lawmakers the ability to regulate the internet, according to Joe Mullin, a policy analyst with the Electronic Frontier Foundation, who broke down the censorship risks posed by the measure should it become law.

“All 50 states will be able to write new Internet rules that online platforms and websites will have to follow,” Mullin explained in an email. “The only limit on the new rules is that they will have to relate, in some way, to the fight against child sexual abuse. If websites don’t follow the new state-level internet rules, they’ll be exposed to private lawsuits and potentially state-level criminal prosecutions.”

This concern is echoed by the ACLU which, in a July 1 open letter, warned that “[by] allowing states to set their own standards for platform liability for [child sexual abuse material], the amended version [of the EARN IT Act] allows states to create inappropriate standards by which platform responsibility for user-generated content should be judged.”

In case that’s not clear enough, earlier this month, in an open letter addressed to Democratic Sen. Diane Feinstein and Sen. Graham, EFF director of federal affairs, India McKinney, predicted that the EARN IT Act would lead to the “loss of Section 230 immunity” for online platforms. In other words, online companies could be held liable for user-generated content. This could inspire those companies to proactively discontinue offerings — like message boards — that we all take for granted as an indelible part of internet culture. 

“Why have a comments section, or a discussion forum, or an email service, or file storage services,  if you could get in big trouble for something that a user did — even without your knowledge,” asked Mullin. “Online platforms will hedge their risk by removing or not providing these features.” 

And, even though the possibility of 50 distinct state-level rules exists if the EARN IT Act becomes law, it’s not like living in one relatively hands-off state would necessarily exempt you. Why would a company go to the trouble of crafting 50 different policies and releasing 50 different location-specific offerings, after all, when it could simply tailor everything to the requirements of the most restrictive state government? 

Which brings us to encryption, or, more specifically, end-to-end encryption. 

End-to-end encryption is the gold standard in digital privacy. When implemented properly, it ensures that only a message’s sender and intended recipient can read its contents. Basically, it means that third parties like governments, private companies, and hackers aren’t reading your messages, bank statements, and doctors’ notes. 

The EARN IT Act, which technically is an acronym for the “Eliminating Abusive and Rampant Neglect of Interactive Technologies,” has a list of co-sponsors that include many Senators long in opposition to the idea of consumer access to end-to-end encryption. In 2016, Sen. Feinstein, one such EARN IT Act co-sponsor, co-authored a bill with Republican Sen. Richard Burr that would have more or less made end-to-end encryption illegal.

The EARN IT Act may not be as explicit as previous efforts to ban end-to-end encryption, but experts insist it is likewise a threat to a technology used by companies such as Apple to protect customers’ data from hackers. 

When initially introduced in the Senate on March 5 of this year, the EARN IT Act directly threatened the legality of end-to-end encryption — so much so, that back in April, Signal, a free and open-source, secure messaging app, published a blog post warning its ability to operate in the U.S. was at risk should the measure pass. 

“The EARN IT act turns Section 230 protection into a hypocritical bargaining chip,” warned Signal. “At a high level, what the bill proposes is a system where companies have to earn Section 230 protection by following a set of designed-by-committee ‘best practices’ that are extraordinarily unlikely to allow end-to-end encryption.”

The bill was amended last week to address some of those fears, but the changes weren’t enough to convince actual privacy experts. Riana Pfefferkorn, the associate director of surveillance and cybersecurity at Stanford’s Center for Internet and Society, made as much clear in a July 6 blog post. She wrote that the amendment by Sen. Patrick Leahy is “not the silver bullet that some are holding it out as in terms of answering critics’ concerns about how EARN IT could potentially discourage encryption and harm cybersecurity.”

Mullin agrees, and cautions that the bill could result in lawmakers insisting providers scan users’ devices, messages, and conversations before they are ever encrypted. 

“State lawmakers could easily get around the Leahy amendment by demanding some form of ‘client side scanning,'” he said, “which has been the direction of the anti-encryption forces for about a year now.”

Patrick Wardle, principal security researcher at Jamf, founder of the free anti-malware service Objective-See, and ex-NSA hacker, echoed Mullin in noting that the EARN IT Act looks to be more of the same from the anti-privacy crowd. 

“[This] seems just to be the latest push by the govt. for weakening encryption,” he said in a Twitter direct message. “Hopefully it doesn’t go anywhere.”

Wardle’s opposition to the EARN IT Act is notable for many reasons, and not just because he used to work for the NSA. In 2017, Wardle uncovered a malware strain that had infected hundreds of computers in the U.S. and was used to spy on unsuspecting victims through their webcams. In early 2018, an Ohio man was charged with installing the malware on thousands of computers.

That Wardle — who literally helped bring to justice someone accused of an effort to “produce child pornography” — opposes the EARN IT Act should be a huge tip-off that the measure isn’t as straightforward as its proponents suggest. 

SEE ALSO: Police used ‘smart streetlights’ to surveil protesters, just as privacy groups warned

Importantly, the bill hasn’t passed yet; it hasn’t even been brought to the floor of the Senate for a full vote. Not even the EFF could say when or even if the bill will get a full vote. 

That doesn’t mean the threat it poses to both your privacy, and the internet as we know it, is any less real should it eventually become law.