A broken key on computer circuit board showing the new proposed anti encryption bill that could kill online privacy in U.S.

Anti-Encryption Bill Threatens to Kill Online Privacy in the U.S., but Does It Stand a Real Chance of Passing?

Introduced just as mass panic over the coronavirus was beginning to set in, the EARN IT Act likely would have seen a lot more media coverage if the circumstances were more normal. Submitted on March 12 by a bipartisan coalition of senators, the bill would form a government commission tasked with creating a “best practices” list that every website would be subject to. Should a site not be in compliance with the terms of this list, Section 230 of the Communications Decency Act would no longer apply to it; meaning that the site could be held legally responsible for the actions of any of its users.

So what makes it an anti-encryption bill? It’s the fact that the Attorney General’s office would have the lion’s share of influence over the creation of this list, and the present Attorney General has been vociferous about wanting to put an end to encrypted communications.

Terms of the anti-encryption bill

Sponsored by Senators Lindsey Graham and Richard Blumenthal, the EARN IT Act enjoys support from high-profile members of Congress on both sides of the aisle. Both sides have also been careful to stress to the media that it is not an anti-encryption bill as nothing in its wording mentions encryption.

Critics, such as the Electronic Frontier Foundation (EFF), say that this is a disingenuous dodge. As long as the bill puts most of the power in the hands of the Attorney General’s office, and as long as Attorney General William Barr is at his post, it is a virtual guarantee that encryption will immediately be attacked.

If passed, the bill would create a 19-person commission headed by the Attorney General and composed of representatives from various law enforcement agencies; overwhelmingly one would expect these to be people who have an interest in creating encryption backdoors for the government. Law enforcement officials would outnumber any other group on the panel, and the Attorney General would have veto power over any proposed best practices and would also be required to approve them.

The main rationale behind the anti-encryption bill is that law enforcement agencies do not have adequate tools to pursue pedophiles and child sex trafficking. The National Center for Missing & Exploited Children (NCMEC) has been the most active in agitating for these terms, and has made clear that trading privacy and the ability to use encryption is acceptable. The organization also wants to play an outsized role in this process. It has proposed that the “best practices” all sites would be subject to include screening all encrypted messages on the platform using technology that is “approved by law enforcement” and reporting any illegal content to the NCMEC.

This would give the NCMEC unprecedented access to the private communications of Americans, and also effectively ban all encryption that is not “approved by law enforcement” (read: contains backdoors for them to use). As the EFF points out, encryption subject to these terms would become useless even outside of these contexts. Encryption with mandatory backdoors will eventually become compromised by a threat actor.

Barr has expressed consistent opposition to strong encryption since he was appointed in early 2019. He openly called for backdoors and an anti-encryption bill in a series of speeches just a few months later, and in early 2020 called on Apple to insert encryption backdoors in its devices in response to the investigation of the Pensacola Naval Base shootings. However, this is a longstanding position with the Department of Justice and law enforcement agencies that dates back to at least the Obama administration.

The importance of Section 230

Section 230 protections are absolutely vital to any online business or platform that allows user-generated content, even if it is nothing more than humble forum posts. Companies would otherwise drown in lawsuits, and in anticipation of removal of Section 230 terms would likely reduce services or eliminate them entirely.

This anti-encryption bill would not just hurt private companies, but would also have a chilling effect on free speech. The amount of outlets available to the individual would shrink dramatically almost overnight if self-publishing and social media companies were faced with the choice of using only insecure encryption or being held liable for anything anyone ever publishes through their services. Those that remained would likely become extremely heavy-handed in their moderation policies out of fear of legal liability.

The NCMEC’s push for this extreme state of affairs seems to disregard that these platforms are already legally obligated to monitor their services for child abuse in most states and by the federal FOSTA-SESTA act, and already report millions of incidents per year to the organization. Platforms are already incentivized to seek out and eliminate this sort of material as existing federal law allows for potential prosecution for negligence or facilitating in these cases (see the death of Backpage.com as an example).

At the very least, the passage of this bill might cause a mass exodus of small and innovative tech companies from the United States.

Does this anti-encryption bill have a real chance of passing?

The anti-encryption bill is presently still in the proposal stage, making it difficult to accurately predict its chances of passing. But at the moment, the Skopos Labs AI prediction algorithm gives it only a 4% chance of passing — standard for any new bill that does not enjoy some unusual amount of public support.

NCMEC proposed that technology used for encrypting messages must be 'approved by law enforcement' raising concerns of #encryption backdoors. #dataprotection #respectdata Click to Tweet

The bill will face heavy opposition at every step of the way from a coalition of both the biggest privacy and civil rights advocacy groups (such as the ACLU and EFF) and major tech companies. Though the support of online platforms should not be expected to be universal — Match Group, parent company of messaging apps OKCupid and Tinder, has already stated support for the bill (likely due to nothing in the company’s portfolio of services making use of encryption).

 

Senior Correspondent at CPO Magazine