EARN IT or face the consequences

Recently, I came across the following hackernews thread An even worse anti-encryption bill than EARN IT (stanford.edu). TL;DR The US Senate Judiciary Committee proposed a bill that would have a commission setting up best pratices & guidelines for online services to adhere to, in preventing exploitation of children, failing to do so would invite civil & criminal charges. The hacknernews article I told earlier, was related to the LAED Act. But, the very title of that article led me to this act, EARN IT.

What is EARN IT?

EARN IT stands for Elimination Abusive and Rampant Neglect of Interactive Technologies is an act that basically sets up a commission, whose job would be creating best practices & guidelines for onlines services to adhere to, in order to prevent exploitation of children.

Sounds great, right? I mean it looks so innocent, because they are only giving you guidelines, what else could they do? If you thought that, then you are wrong. Because, with this bill, services that fail to adhere, will face the full force of law, with civil & criminal charges. Before we go further, lets take a look at Section 230 of the Communications Deceny Act of 1996.

What is Section 230?

Section 230 basically provides immunity to providers & users of an online service, from any illegal/indecent content published by any other party. Or, to put it even more simply, if you say/post something illegal online, you are held responsible, not the website or platform that you posted in. Verbatim text from wikipedia,

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

This law has also been dubbed as The twenty six words words that created the internet. The reason is because, without this law, every service from Facebook to Wikipedia can be sued to kingdom come. This doesn't mean that this law is a get out of jail free card for online services, rather the law was amended by FOSTA-SESTA Act, where the provider should remove any such content if they find any or through a court order.

What are the implications?

With EARN IT Act, Section 230 would be amended in such a way that, the online services have to earn (no pun intended) the immunity from any liability, if someone posted illegal content on their platform. They earn it, by implementing best practices & guidelines on their platform. The bill even gives incentives for doing so. They just can't raise their hands and say they aren't responsible for that content.

Still, what is the problem and how hard is it going to be to implement these so called "guidelines"? Well, if you think about it, in today's day & age, every communication is encrypted in some way, like End-2-End-Encryption in instant messaging platforms like Signal, WhatsApp, Telegram and so on. So, to achieve this, the platforms would have design their systems with backdoors, weaker encryption or subtle client side scanning, which is basically a way to read every data sent by users.

This would be an attack on user's to right to free speech, security & privacy. Scanning every message sent by users, like the NSA did with its mass surveillance programs on its own citizens, is proof for the fact that this bill would be abused in the pretext of preventing exploitation of children. We have seen, countries doing bad deeds on false prextext, like US invasion of Iraq, because they had WMDs.

This would also prevent small players or startups from implementing the said guidelines. Because, big players have enough resources to do such screening, but small players, would be forced to compete with that, while they are just trying to get into the market.

Moreover, this commission would have around 15 members from Homeland Security, Department of Justice, Federal Trade Commision, Law Enforcement & other agencies, headed by the Attorney General. They would be coming up with best practices for online services to adhere to. But, the Attorney General has the veto to override any decision made by the members and give their own guidelines. The current Attorney General, William Barr, is known for his caring views on encryption. This shows, that this bill gives sweeping powers to the commission (Attorney General, to be fair), to decide what the guidelines will be, and sure it would be in the favor of law enforcement.

Moreover, when Section 230 was enacted, it didn't have in mind how technology would be in the future. There wasn't Wikipedia when this law came to be. So, how would bill like these with their hardline requirements, cater for future technology?

My thoughts

My thoughts on this bill is similar to the LAED Act. Governments come with sweeping bills without understanding the technical aspects of it, like accessible only by good guy, kind of expectations. If understanding technicality is one aspect, misusing law is another. We see all the time, when the law enforcement goes above & under the law to get what they want, no wonder bill like these would be used for purposes other than intended.

Exploitation of children is an inhumane thing to do, since it scars them and their families for life. But, with or without this bill, criminals are going to find ways to continue to do what they do. They'd find their own apps, use their own encryption and so on. Government use our own fears in making us surrender our freedoms one at a time. We should look past all that and see if the price we give is worth it.