Before the novel coronavirus arrived on its shores, the United States had spent decades becoming a heavily digitized society. Now, the pandemic is deepening that dependence on digital technology, converting millions of in-person interactions into online communications. That dependence means good cybersecurity, including strong encryption, has become more crucial than ever.
With millions of Americans banking, working, and living online, there is no worse time to weaken encryption and disincentivize improvements in cybersecurity. And yet that’s precisely what the Senate Judiciary Committee is trying to do right now, with a bill called the EARN IT Act that would deal a disastrous blow to online privacy and security.
The COVID-19 cybersecurity crisis
When was the last time you attended a meeting in person? If you’re like me, it’s probably been a month or more. When the San Francisco Bay Area’s stay-at-home order went into effect here on March 17, gone overnight were the kinds of in-person meetings I used to have at work: grading exams alongside my teaching assistants, prepping with co-counsel for an upcoming court hearing, meeting with a tech company to get a sneak preview of a new product feature. Gone, too, were my in-person activities outside of work, from therapy sessions to my annual physical, from visiting a financial planner to heart-to-heart talks with friends. What’s the common thread connecting these meetings? They all really need to be private.
The United States faces crises in public health and the economy that are without precedent, and that has required moving much of life online. Key aspects of society are under severe strain, and compared to life-or-death issues in the medical system or food supply chain, computer security may seem like an afterthought.
But on top of everything else, this is also a crisis for cybersecurity. Federal officials have warned that “the COVID-19 pandemic provides criminal opportunities on a scale likely to dwarf anything seen before.” Cybercrime reports have increased four-fold. Google Gmail is detecting 18 million malware and phishing emails, and 240 million spam emails, related to COVID-19 per day. A coordinated response by the private sector, the Department of Justice, and multiple other agencies has already disrupted “hundreds” of online scams that sought to steal people’s money and personal information.
Meanwhile, the pandemic response is creating ever more electronic information that needs protection. This includes financial information, such as stimulus checks, small business loans, and unemployment claims. More and more health information is now online, as “telehealth” care proliferates. Information about individual health was already private and subject to strict protections, but moving forward, who is and isn’t positive for COVID-19 represents one of the most sensitive pieces of information about a person. Schools have been forced to move classes online. And with the economic crisis prompting layoffs, insurance claims, lawsuits, and bankruptcies, a huge amount of confidential legal information and attorney-client communications is now being generated.
And that sensitive information is already being compromised. The Small Business Administration experienced a data breach of the personal and financial information of nearly 8,000 small business owners who had applied for economic injury disaster loans. The SBA became aware of the breach around March 25, less than two weeks after applications opened.
The right to privacy does not end when life moves online. We still have confidential business matters to discuss, financial affairs to conduct, health, friendships, and relationships to care for, religious services to attend. We have always been free to have private, ephemeral interactions with only those whom we wish to take into our confidence, while excluding everybody else.
Encryption is not a panacea for privacy and data security, but it is a key tool for staying safe online and keeping eavesdroppers out of our personal and business lives. Disturbingly, it is a technology that is now under threat in Washington.
The EARN IT Act is a sneak ban on encryption
Introduced on March 5, the EARN IT Act would amend Section 230 of the Communications Decency Act of 1996. Section 230 largely immunizes online service providers (websites, social media platforms, apps, etc.) from liability for the actions of their users. That immunity blocks most civil lawsuits and criminal charges under state law (with the exception, since 2018, of sex trafficking), but does not bar enforcement of federal criminal law.
The EARN IT Act would truncate providers’ Section 230 immunity from liability for child sexual exploitation on their services. The only guaranteed way to retain immunity would be for the provider to certify that it complies with a set of “best practices” for fighting online child sexual exploitation. Those best practices would be developed behind closed doors by an unelected, unaccountable 19-member commission headed by the attorney general, who would have the authority to approve or reject them. Upon AG approval, the bill would, in a highly unusual move, bypass normal deliberative processes so that the best practices could be rapidly rubber-stamped by Congress.
The idea behind the bill is that tech companies are turning a blind eye to child sexual exploitation on their platforms, and the best way to incentivize them to do more is to threaten their Section 230 immunity. This rationale is dubious. Child sex abuse material is already illegal under federal law, and providers are federally required to report it (which they do, millions of times a year). Since Section 230 does not bar federal criminal law enforcement, the Department of Justice is already free to go after providers if they’re falling short of their obligations. (That’s something the DOJ conveniently leaves out when criticizing Section 230.)
Meanwhile, Attorney General William Barr is notoriously hostile to encryption, and he has illegally spied on Americans’ communications before. It’s expected that Barr would not OK any “best practices” unless they condemned end-to-end encryption, and potentially other privacy and security measures too if they might impede law enforcement surveillance.
The EARN IT Act is widely regarded as a Trojan horse for the DOJ’s longstanding anti-encryption agenda, which Congress has shown no appetite for enacting directly. You might hope that, after weeks on the front lines battling COVID-19-related cybercrime, the DOJ would finally recognize how badly Americans need stronger security. Sadly, the government shows no sign of backing down from its years-old war against encryption.
The bill wouldn’t make anyone safer
Strong encryption is more vital now than ever before. We need it to safely do our work (and just about everything else) from home. That goes for Congress too. Yet the EARN IT Act’s sponsors are opening the door to banning strong encryption and dissuading tech companies from making cybersecurity improvements, under the guise of promoting child safety. While crimes against children are horrific, it won’t make them safer to induce tech companies to drill a “backdoor” in their encryption so that law enforcement can access everyone’s communications. Those who exploit children will simply abandon those mainstream services and move their activities onto the dark web, where they’re far harder to track down.
Nor will the EARN IT Act keep strong encryption technology out of the hands of criminals. They were already using it years before popular devices and services started including it by default. That won’t change if the EARN IT Act passes. The technology will still be readily available. Criminals and terrorists already develop encrypted programs themselves. And encrypted apps currently based domestically may simply move overseas (joining the majority of encryption products), outside U.S. jurisdiction. The Senate cannot force that genie back in the bottle.
Meanwhile, innocent people would be more at risk if we continued to use online services that weakened their encryption to comply with EARN IT “best” practices. The intractable problem with encryption backdoors is that it is not possible to build one for the “good guys” that can’t also be found and exploited by the “bad guys.” A backdoor “takes care of the hard work” for attackers seeking to breach encrypted systems. If the U.S. government gets a backdoor into Americans’ private information, so do China and Russia. So does organized crime. So do sophisticated hacking groups.
Indeed, not even the “good guys” can be trusted with a backdoor. Our government has shown, over and over again, that it cannot safeguard sensitive information. It has lost control of federal employees’ personnel records, the CIA’s secrets, and the NSA’s hacking tools, with devastating consequences that include leaks, compromise of state secrets, IP theft, industrial espionage, business losses, stolen identities, and blackmail.
It’s hard for malicious actors to listen in on your in-person meetings about highly sensitive topics. Now that you have to hold those discussions online, the EARN IT Act’s sponsors are determined to make life easier for these adversaries. The EARN IT Act would trade away everyone’s privacy and security without making children safer in return.
We need to improve America’s cybersecurity posture and privacy protections, not roll them back. That was true last year, it’s true now, and it’ll be true after this crisis has passed. The EARN IT bill, and the harmful mindset it represents, must be abandoned.
Riana Pfefferkorn is the associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society.