The EARN IT Act revives the legal war over encryption


Miles Oetzel

The EARN IT Act has brought crypto wars back to life.

The new bill, the EARN IT Act, makes tech companies more liable for what occurs on their platforms, but critics are worried that it could weaken privacy and security on the internet. 

Historically, internet companies have not been legally responsible for the content on their service. The hope is that if tech companies are held accountable for abuse on their platforms, they will mitigate it.

But that comes with a catch: if the bill passes, services that utilize effective encryption— often to protect users’ privacy— are in legal jeopardy, and likely to weaken their security. It would make it easier for hackers to break into phones and internet connections, reducing the security of internet finance and social media.

Unbreakable cryptography is readily available in the modern world, but it has not always been that way. The United States government and its allies have long fought to keep secure encryption from the public, partly through restricting the export of encryption.

In his 1996 book, “Applied Cryptography,” Bruce Schneier wrote, “According to the U.S. government, cryptography is a munition. This means it is covered under the same rules as a TOW missile or an M1 Abrams Tank. If you sell cryptography overseas without the proper export license, you are an international arms smuggler.” 

With those restrictions, the U.S. was trying to prevent hostile governments from using unbreakable encryption. But law enforcement was also trying to keep cryptography out of the hands of U.S. citizens. In 1993, the Clinton Administration proposed the Clipper Chip, which, in theory, would have prevented criminals from eavesdropping on phone calls, but still allowed the government to listen in. In practice, however, the clipper chip had vulnerabilities that allowed anyone to disable the part of the chip that allowed government access. Phone manufacturers did not implement it, and by 1996 it was defunct.

Tech companies state that they cannot assure privacy for their users while building a flaw in their security that allows law enforcement to access user data.

Matt Blaze, the computer scientist who broke the clipper chip, said, “When I hear ‘If we can put a man on the moon, we can do this,’ it is like saying ‘If we can put a man on the moon, well surely we can put a man on the sun.”

In 1996, the U.S government passed the Communications Decency Act. Section 230 of that law states that “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” This gives tech companies legal protection against abuse on their platforms. However, the EARN IT Act would make companies have to “earn” this protection by following the best practices. 

What worries critics of the bill is that those “best practices” are determined by a commission dominated by law enforcement.

The Electronic Frontier Foundation, an internet freedom advocacy organization partially responsible for the widespread use of secure encryption, said in their statement on the EARN IT Act, “We know how [Attorney General William Barr] is going to use his power on the ‘best practices’ panel: to break encryption.” 

While the bill brings harsh criticism from the tech industry and advocates for free speech on the internet, it has bipartisan support.

“This bill is a major first step. For the first time, you will have to earn blanket liability protection when it comes to protecting minors. Our goal is to do this in a balanced way that doesn’t overly inhibit innovation, but forcibly deals with child exploitation,” said Republican Sen. Lindsay Graham, who co-sponsored the bill with Democrat Richard Blumenthal.