The Senate’s twin threats to online speech and security

This is a cruel summer. The COVID-19 toll increases daily. Millions are out of work and risk losing their homes. The senseless loss of Black lives continues despite weeks of mass protests. Behind it all lurks the climate crisis. Amid these pressing issues, members of the Senate have decided to spend their time creating their own threat to Americans: legislation that would make Americans less safe, while simultaneously harming online speech, privacy, and encryption.

This threat comes in the form of two bills: the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, which the Senate Judiciary Committee unanimously voted to advance out of committee last week; and the Lawful Access to Encrypted Data Act, which was introduced the prior week by Sen. Lindsey Graham, the South Carolina Republican, who is also a co-sponsor of EARN IT. The EARN IT Act is described as an attempt to crack down on child sexual abuse material online but ends up drastically undermining user security and privacy in the process. The LAED Act, meanwhile, represents an attempt to outright ban strong encryption technology.

Taken together, the two measures represent a serious threat to online security, and the LAED Act’s outlandishness, timing, and lack of bipartisan support have been interpreted to mean that it is a go-nowhere bill intended to make EARN IT look reasonable by comparison. That’s no excuse. The LAED Act doesn’t make the EARN IT Act OK. Both of these bills threaten core freedoms online, and moving an attack on encryption from one bill to another is not progress.

LAED is no less than a nuclear assault on encryption in the United States, and, by extension, on security, privacy, and speech online. By modifying the legal framework for search warrants and electronic surveillance, LAED would make encryption backdoors mandatory. It would ban providers in the U.S. from offering end-to-end encryption, encrypted devices that cannot be unlocked for law enforcement, and indeed any encryption that does not build in a means of decrypting data for the police. Security researchers and civil-rights advocates have long feared the introduction of such a radical bill, and now it’s finally here.

But the hard-line approach of the LAED Act is no reason to endorse the EARN IT Act, which could result in many of the same consequences as the LAED Act, if in a more roundabout way.

The EARN IT Act targets Section 230 of the Communications Decency Act, which makes online platforms largely immune from liability for the actions of their users and bars most state criminal charges and civil lawsuits (but not federal criminal law enforcement). It was designed to give platforms a free hand in moderating user content by shielding their decisions about what to leave up and what to take down. The law thus protects free speech online by removing the incentive to suppress users’ speech in response to all-too-common false accusations or threats of litigation.

By narrowing the scope of Section 230 immunity to no longer include child sexual abuse material (CSAM) uploaded by users, EARN IT incentivizes platforms to quash legal user speech in the hopes of avoiding lawsuits. That’s what happened after Congress passed the FOSTA statute in 2018, which carved out sex trafficking offenses from Section 230 immunity. When FOSTA became law, websites such as Craigslist immediately shut down parts of their services, purging large swaths of innocuous content (such as online personals) just in case something in there could get the platform accused of “facilitating sex trafficking.” It’s like a library burning all its romance novels and medical textbooks lest one be deemed obscene. This chilling effect on online speech is why FOSTA is currently being challenged in court for violating the First Amendment.

It’s important to fight horrific images and videos of child abuse online, which is why federal law already requires platforms to report it when they find out about it. But EARN IT would expose platforms to liability even for content they don’t know about, by excepting a wide array of civil and criminal claims under state laws, some of which impose liability for “reckless” or “negligent” behavior—a lower bar than the federal reporting law’s “actual knowledge” standard. That carve-out is broader than FOSTA’s exception for sex trafficking.

EARN IT recently passed out of committee following major revisions, but those changes, including an amendment by Sen. Patrick Leahy (D-VT), may make EARN IT a more dangerous bill. The manager’s amendment of EARN IT, coupled with Leahy’s amendment, responded to concerns that the bill had constitutional defects, would effectively ban strong encryption, and would force platforms to weaken their user privacy and security protections. Instead of solving those issues, however, the revised bill still has immense practical and constitutional problems.  

Like FOSTA, EARN IT has a fundamental First Amendment problem. But EARN IT’s problem is worse: By exposing platforms to liability under a patchwork of state CSAM laws, EARN IT would let the most aggressive states set the rules for the entire Internet. To avoid incurring liability under those laws, platforms would (as with FOSTA) take down large amounts of legal user content lest some illegal CSAM sneak through. CSAM is a persistent, complex challenge for platforms. While they report it millions of times a year, they have still been accused of not doing enough to combat it, and EARN IT’s stated goal is to incentivize them to do more. But scaring platforms into censoring lots of protected speech is an unconstitutional way for Congress to achieve that goal.

What’s more, EARN IT raises serious concerns under the Fourth Amendment and risks undermining prosecution of real-world predators and purveyors of CSAM. The state laws unleashed by EARN IT may, explicitly or implicitly, force platforms to scan all user content for CSAM. When done voluntarily (as many platforms already do), this is permissible. If done at government behest, however, the platform becomes an arm of the state, rendering those scans warrantless searches that violate the Fourth Amendment—meaning any CSAM evidence they turn up will be inadmissible in court. This was a clear problem in the original bill thanks to a carrot-and-stick incentive structure that has now been removed. Now, the bill punts the liability question to the states—and if some of them require scanning all content to avoid liability, or if platforms can only avoid charges of “negligence” or “recklessness” by scanning, then compliance still risks turning providers into agents of the state.

The potential stakes are high. Exclusion of evidence in CSAM prosecutions would make it harder to obtain a conviction for a hideous crime. If the senators who unanimously voted this bill out of committee care so much about online child safety, why are they willing to roll the dice on whether the bill will backfire and result in accused CSAM offenders going free?

The Leahy amendment attempts to neutralize concerns about EARN IT’s impact on encryption and cybersecurity by preserving immunity from CSAM claims based on the platform’s use of encryption. This does not go far enough. The amendment has been called a “fig leaf” that will merely tie up platforms in litigation. It could also lead platforms to either encrypt everything they can, making detection of CSAM more difficult, or else collect much more private information from their users. Plus, platforms could still be held liable for other measures besides encryption that they take to protect users’ security (or for refusing to implement measures that would undermine it).

LAED, however, renders Leahy’s effort superfluous. By outlawing platforms from giving users strong encryption, LAED would swallow Leahy’s EARN IT amendment. And the LAED bill applies even more broadly than EARN IT, encompassing everything from websites and social media platforms, to apps, email, messaging and chat, videoconferencing and voice calling apps, cloud storage, operating systems, and any electronic device with at least 1 gigabyte of storage—a very low bar in 2020.

Any provider of encrypted devices or services that is moderately popular—meaning 1 million or more U.S. customers—would have to redesign its encryption to add a law enforcement backdoor. For smaller providers, the U.S. attorney general (a position currently occupied by the notoriously anti-encryption Bill Barr) would get the power to command them to add in a decryption capability.

The rationale for mandating backdoors is so that if an entity receives legal process requiring it to decrypt data for law enforcement, it will be able to comply. But a “backdoor” is just a hole by another name. What Graham is proposing isn’t merely to make law enforcement’s job easier. It’s to mandate security vulnerabilities in the devices and services we rely on to keep our electronic data and communications private and secure.

The problem with backdoors is that they can’t be limited to just the “good guys.” They’ll also be found and exploited by the “bad guys”: nation-states, hackers, cybercriminals, organized crime. Under Graham’s bill, we wouldn’t know who might be exploiting those intentional vulnerabilities to snoop through our electronic data and listen in on our conversations. That has ramifications for free speech, not just privacy. Fear of surveillance chills how people express themselves online. That’s why millions of people, including members of Congress and their staff, use end-to-end encrypted apps such as Signal and WhatsApp to communicate for perfectly legitimate, law-abiding purposes: They feel safer speaking their thoughts when they can be sure no uninvited guests are listening in.

By mandating backdoors that will be used by good guys and bad guys alike, the LAED Act is a grave threat not only to privacy, free speech, and cybersecurity, but also to the economy and national security. A backdoor mandate is a gift to the foreign adversaries that are constantly attacking America’s cyber defenses. Strong encryption was crucial to America’s and Americans’ security before, and it is even more so now, with COVID-19 shifting much of our lives online.

It’s time for lawmakers to stop making ill-conceived threats against Americans’ cybersecurity, privacy, and online speech rights—especially with proposals that will create grave new harms themselves. Graham and his Senate colleagues are merely exacerbating the multiple crises ravaging the country, including the silent killer that has taken over 130,000 American lives so far this year. Congress should spend the balance of this legislative session focusing on those towering infernos and stop throwing more fuel on the fire.

Riana Pfefferkorn is the associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society.