The EARN IT Act Could Seriously Threaten Online Privacy
Today, most of our interactions have moved online since everyone is stuck at home. Given that fact, now is the perfect time to talk about what keeps our private messages private: encryption.
Whenever you send a message online, it is first put through a cipher so that if anyone intercepts the message (and it isn’t hard to do), they won’t be able to read it. Many messaging services (such as WhatsApp) even encrypt the user’s messages so that the service’s employees cannot read the user’s content. They do this because when we use their services to send messages, we want those messages to be kept private, even from the service provider.
This has caused some problems for law enforcement. FBI investigations into MS-13 gang activities were interrupted because conversations over the encrypted mode of Facebook Messenger could not be accessed. When the FBI asked Facebook for help, they refused.
The reason is that once you break encryption, it’s worthless. Let’s assume for the sake of argument that the government only uses the method of breaking encryption to view the conversation that it has a warrant for (an optimistic assumption considering the Snowden documents). The very existence of a flaw in an encryption system renders the system next to worthless.
Normally a flaw in an encryption system is a big problem that makes the news with headlines like “10,000 Personal Account Details Hacked”. The company that was attacked makes a big show of upping their security, they change to a better encryption scheme, and we move on. If law enforcement requires these backdoors to exist, then the better encryption scheme will be broken even before it’s implemented. That’s how encryption works: if law enforcement can get in, then any sufficiently advanced actor can, be they state or private, malicious or benevolent.
There have been a few attempts made by legislators to require tech companies to insert encryption backdoors. Attorney General Barr has repeatedly called for legally mandated backdoors and he isn’t alone in these efforts. The latest bill to threaten the right to privacy online is known as the EARN IT Act of 2020. It has been introduced in the Senate and it currently has five Republican and six Democratic cosponsors including Alabama Senator Doug Jones (D).
The bill establishes a commission to develop “best practices” that tech companies must implement to combat child sexual abuse on their platforms. Should a company fail to implement these best practices, they will lose protections under section 230 of title 47, thus making the platforms legally liable for instances of child sexual abuse on their platforms (instances that the platforms are already legally mandated to report to NCMEC). Basically, if a user posts criminal content, the website is criminally liable. No company is going to take that risk, so every company will follow the commissions “best practices”.
There are two big ways that “best practices” could be hugely damaging to the American people. First, they could implicitly require platforms to screen all user-generated content (probably using AI). Interestingly, because this is legally mandated, that could make the platform an agent of the government. The platform would then be subject to the constitutional restrictions that come with that, most notably a 4th Amendment restriction.
Second, and more direly, the commission could require platforms to put backdoors into their encryption. The composition of the commission and the massive power given to the Attorney General as its Chairman puts privacy advocates in a bad position to prevent more invasive-minded commission members from requiring backdoors. Furthermore, the commission must update its best practices every five years. So even if Attorney General Barr is replaced by a more privacy-minded official, all of the successive Attorneys General would have to be pro-encryption as well. The latest nominees for attorney general have made a pro-encryption policy view a rarity for the office.
At this point, you may be wondering: “Sure, we lose some privacy, but isn’t it worth it to stop child sexual abuse?” There’s some merit to this argument. But killing encryption won’t be as impactful as one might expect. Making conversations on WhatsApp public to any advanced actor just pushes those criminals who abuse private channels to more secure options. Most notably The Dark Web, which is so well encrypted via the TOR browser that people can openly sell hard drugs online without being caught. That being said, killing encryption would still help some.
When we infringe on American citizens’ rights in the name of national security, it tends to work. If we ignore the right to unreasonable search and seizure and send SWAT members into low-income neighborhoods, have them break down every door, and search every home, we’ll put a lot of criminals in jail. If we ban all firearms, then we’ll see a massive decline in gun violence. The question is whether we are willing to give up any of those rights.
In this case, it’s the right to privacy online. The right to send and receive messages with reasonable assurance that no one other than the recipient will read them. Not our government, not a foreign government, and not cybercriminals.
Gavin Miller is a Senior at UAH studying Computer Science and Communication Arts.
Topic tags: