Draft bill could penalize companies for using end-to-end encryption
Politicians may be looking for a roundabout way to thwart end-to-end encryption. Senator Lindsey Graham is drafting a bill, the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, that would modify the Communications Decency Act’s Section 230 to make companies liable in state criminal cases and civil lawsuits over child abuse and exploitation if they don’t follow practices set by a national commission. Some of these would be relatively uncontroversial, such as offering parental controls and setting age limits with disclosures. However, the bill also includes requirements to “preserve, remove from view, and report” material as well as retain evidence, and there’s a concern these could be used as pretexts for punishing the use of end-to-end encryption that would make some of this data inaccessible.
The draft does ask the commission to consider issues like privacy and security when establishing the practices. However, the 15-person commission would be led by the Attorney General, and current AG William Barr has been a vocal opponent of end-to-end encryption. As the draft law would let Barr modify the rules without a consensus, it wouldn’t take much for him to require a backdoor and thus weaken encryption for everyone by creating a hacker-friendly vulnerability.
Riana Pfefferkorn, an Associate Director at the Stanford Center for Internet and Society, also warned that the commission wouldn’t have much oversight. She also noted that the last modification of Section 230, for FOSTA-SESTA, is facing a constitutional challenge and appears to have done more to hurt sex workers than curb sex trafficking.
This is a draft bill and isn’t guaranteed to reach the Senate Judiciary Committee as-is, let alone make it to the floor for a vote or pass both sides of Congress. Senator Richard Blumenthal was supposed to co-sponsor the bill, but there hasn’t been any sign of this so far. It does illustrate some congressional attitudes toward liability for online content, though, and suggests that Section 230 might be vulnerable in the future.
(11)