Our tax dollars at work. Once again, powerful members of the US Government are pushing another well-intentioned, but sneaky and dangerous bill on the public. This one claims to encourage interactive computer service providers to do their part to curb online child exploitation and other abhorrent behavior. It even has a clever acronym, EARN-IT: the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020.
Interactive computer services – think Facebook, Twitter, Google, and other social media platforms and search engines. The mega companies we used to love but now love to hate.
The bill is sponsored by GOP Senator Lindsey Graham from South Carolina and co-sponsored by four other Republicans and eight Democrats, including Richard Blumenthal from Connecticut and Dianne Feinstein of California. Lots of people will conclude that support from both the political left and right means the government finally got it right. After all, don’t all good people everywhere want to get rid of child sex trafficking and other awful activity? Of course we do.
This is especially painful because great organizations such as the National Center for Missing and Exploited Children support the EARN-IT act. But don’t be fooled. This bill is a wolf in sheep’s clothing. It won’t help and it will likely hurt those same children its sponsors want to help.
Read the bill for yourself. Quoting section 2(b):
Purpose.—The purpose of the Commission is to develop recommended best practices that providers of interactive computer services may choose to implement to prevent, reduce, and respond to the online sexual exploitation of children, including the enticement, grooming, sex trafficking, and sexual abuse of children and the proliferation of online child sexual abuse material.
https://www.congress.gov/bill/116th-congress/senate-bill/3398/text
Section 3C details the commission membership. The commission will have nineteen members, including people to represent the US Attorney General, Homeland Security, and the FTC. Of the remaining sixteen people, the Senate majority and minority leaders, and Speaker of the House and House minority leaders appoint four members each. Various groups will be represented, including child sex abuse survivors. Six will have IT industry expertise.
What’s not to like? The EARN-IT act claims to go after the nastiest people on the planet. The commission to define best practices will have representation from all the right groups, and both the majority and minority will choose members. Sounds fair, with all the proper checks and balances.
Why it’s bad
Here’s where it gets dicey. Once the commission sends its recommendations to the Attorney General, the Attorney General can modify them as he sees fit. And, since Attorney General William Barr is on record wanting government to restrict encryption, the odds are better than even that the EARN-IT act is a bait and switch. If the commission doesn’t send recommendations to restrict encryption, the Attorney General will put them in. See below for why restricting encryption is bad.
It gets worse. Once the EARN-IT commission adopts its best practices and the Attorney General modifies them as he sees fit, Congress is supposed to pass a bill to put these best practices into law. Interactive computer service providers will then do periodic reports about how well they adhere to EARN-IT best practices, and will face punitive action if the Attorney General doesn’t like their reports. I’m not making this up – read for yourself, starting in section 4(c).
This is where I state the obvious. Human traffickers, sexual predators, terrorists, murderers, identity thieves, and other such criminals are a scourge on society. They do exploit the internet, and they do use technology to thwart law enforcement. Attorney General Barr and other officials accurately described the problem in lots of speeches.
But the solution Barr and others propose is wrong. Do I really need to detail the slippery slope to tyranny by giving the Attorney General this much power over day-to-day operations of private companies? Law enforcement already has sensors in every corner of the internet. The government already operates a multi-billion-dollar data center in Utah to capture and analyze internet traffic. Do we really want to give the Attorney General even more power to decide which interactive service providers live and die?
Like SESTA/FOSTA and other failed initiatives, the EARN-IT act will drive criminal activity further underground and bring more harm to the very people it is intended to protect. Turning the EARN-IT act into law might make politicians feel good, but it will make it even harder for law enforcement to find, infiltrate, and eliminate online threats. Let’s learn from recent history, not repeat its mistakes.
Where it will lead
Here is why many legal scholars are convinced Attorney General Barr will use an EARN-IT blank check to restrict encryption and why restricting encryption is bad. Let me quote one paragraph of Barr’s reasoning in a recent speech.
At the end of the day, we must make these choices based on the net benefit to society. If the choice is between a world where we can achieve a 99-percent assurance against cyber threats to consumers, while still providing law enforcement 80 percent of the access it might seek; or a world, where we have boosted our cybersecurity to 99.5 percent but at a cost reducing law enforcement’s access to zero percent – the choice for society is clear.
https://www.justice.gov/opa/speech/attorney-general-william-p-barr-delivers-remarks-lawful-access-summit
Barr makes a false comparison. It’s not a tradeoff between safety from cyberattack and legitimate access for law enforcement. That hypothetical one percent sliver Barr mentions may as well be a flashing neon kick-me sign. Attackers will find and exploit any weakness, and if government puts restrictions in the way of fixing those weaknesses, then the very laws our officials claim will protect us will harm us.
Despite what any politician says, there are only two ways to control encryption. Either escrow the decryption keys or cripple the algorithms. No political calls for tech industry ingenuity will change the laws of mathematics, and both approaches lead to huge bureaucracies and rampant abuse.
To get around objections of a massive government key escrow bureaucracy, Barr and others now advocate a private entity to do it. Theoretically, this private entity would only make decryption keys available to law enforcement after proper due process. But this is another trap. Section 215 of the Patriot Act already spells out due process for government information demands, and escrowed encryption keys are just another piece of information. When law enforcement wants information, it goes to a secret FISA court (FISA – Foreign Intelligence Surveillance Act) for a rubber stamp. The court issues an order to an individual service provider employee to provide the requested information. If that employee even discusses the order with their manager, or anyone not directly related to retrieving the information, the government can fine them or send them to jail. It reads like a chapter from the novel 1984.
But even if there were a real due process, the whole concept of a key escrow is flawed. Bad guys are already breaking the law. Why would any bad guy submit to any key escrow requirement?
A Better Way to Do it
An honest and vigorous discussion leading to a set of best practices is a good thing. The Payment Card Industry (PCI) started this a long time ago, and now the PCI guidelines provide the gold standard for cybersecurity protection, even beyond the financial sector.
A similar set of guidelines for interactive computer services to protect children and other vulnerable people could be an invaluable tool, and a group similar to the one proposed in the EARN-IT bill to put those guidelines together makes sense. The guidelines are good. But giving the Attorney General power to modify them as he sees fit is bad. And codifying a static set of guidelines into law is worse.
As technology advances, best practices need to keep up. The PCI constantly updates its guidelines based on ongoing industry and public feedback. The interactive computer services best practices will need similar maintenance. If they’re frozen in law, then, by definition, only an act of Congress can update them. Does anyone believe the United States Congress can provide timely updates to such guidelines as technology advances?
Hold interactive computer service providers accountable by publishing how well they meet guidelines put out by a nonprofit industry group with all the right constituencies represented, not with punitive legal action based on compliance against arbitrary standards defined by the Attorney General.
If we’re serious about protecting our children, then let’s adopt solutions that have a decent probability of success.
Here is a link to my April 9, 2020 interview about the EARN-IT act on WCCO Radio with Cory Hepola.
Want to read more? I want to thank my friend, Pete Perfetti, for finding these articles. Here is a Stanford University Law School analysis. Here is commentary from the Electronic Frontier Foundation. And here is a Reuters article about Apple and the US Justice Department. It seems Apple quietly cooperates with law enforcement more than politicians publicly give it credit for.