Privacy advocates fear that a new Senate proposal aimed at combating the exploitation of children would lead to new government rules that weaken encryption protections for internet users.
The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, draft legislation circulated by Sens. Lindsey Graham, a South Carolina Republican, and Richard Blumenthal, a Democrat from Connecticut, would establish the National Commission on Online Child Exploitation Prevention to develop best practices for preventing online child pornography. The proposal would encourage websites to follow these best practices by weakening a 24-year-old law that generally protects websites from lawsuits related to content posted by their users.
The EARN IT Act would require that online services comply with best practices developed by the commission or risk expanded legal liability under Section 230 of the Communications Decency Act of 1996. Section 230 protects sites from lawsuits for user-generated content accused of defamation, breach of contract, and other violations.
Section 230 protects not only video-hosting sites such as YouTube and social media providers such as Facebook and Twitter but also any website that allows users to post comments, including many news sites.
So what do lawsuit protections for websites have to do with encryption? The head of the new best practices commission would be the U.S. attorney general, and current officeholder William Barr has long called for device-makers and web services to give law enforcement agencies access to users’ encrypted data via a backdoor mechanism. Barr and other critics of robust encryption services argue that they protect criminals, including those who exploit children.
Groups such as the Center for Democracy and Technology and the Electronic Frontier Foundation say it’s not hard to imagine Barr pushing for encryption back doors as part of the best practices developed by the EARN IT commission.
The draft version of the EARN IT Act gives the attorney general the authority to “unilaterally modify” the best practices developed by the full commission and launch investigations against online services if he has “reason to believe” they have made a false certification, wrote Emma Llanso, director of CDT’s Free Expression Project.
There is little evidence that Section 230 legal protections hinder law enforcement investigations into the online exploitation of children, she added in a blog post.
“Preventing the exploitation of children is an unquestionably important aim,” she added. But the EARN IT proposal “would give the Attorney General significant and unaccountable power to regulate speech, control online services, and undermine the privacy and security of all of our communications.”
A spokesman for Graham noted that the EARN IT Act is only a draft proposal at this point. The draft does not mention encryption back doors as a potential tool for the commission to consider, and “with respect to Section 230, the only potential for liability would be for violations of child pornography law,” the spokesman added.
The EFF, however, called the EARN IT Act a “serious threat to your free speech and security online.” Barr could use the power given to him in the proposal to “break encryption,” the group said in a blog post.
Barr has said “over and over that he thinks the ‘best practice’ is to weaken secure messaging systems to give law enforcement access to our private conversations,” the EFF added. “The Graham-Blumenthal bill would finally give Barr the power to demand that tech companies obey him or face overwhelming liability from lawsuits based on their users’ activities.”
It isn’t the first time in recent months that lawmakers have proposed changes to Section 230, which is widely credited with fueling the growth of websites with user-based content during the past two decades.
In June, Sen. Josh Hawley, a Missouri Republican, introduced legislation that would remove Section 230’s legal protections from websites accused of anti-conservative bias. His Ending Support for Internet Censorship Act would eliminate the legal immunity from websites unless they submit to an external audit “that proves by clear and convincing evidence that their algorithms and content-removal practices are politically neutral,” according to the senator’s office.
Hawley’s bill has stalled in the Senate.
