
The EARN IT Act: how to ban end-to-end encryption without banning it - liotier
https://cyberlaw.stanford.edu/blog/2020/01/earn-it-act-how-ban-end-end-encryption-without-actually-banning-it
======
manfredo
So in short:

* EARN IT creates a committee that is set out to define "best practices" for preventing child sex abuse.

* Companies that don't adhere to these best practices lose liability protections for user-generated content.

* The attorney general can unilaterally edit these best practices as he sees fit.

* The current attorney general has repeatedly made statements that he wishes to eliminate the ability for companies to offer end-to-end encryption - he wants all communications to be vulnerable to wiretapping.

This effectively gives the attorney general the power to compel tech companies
to do whatever he wants (so long as he can argue that it's preventing sex
abuse) by threatening to revoke section 230 protections, and it's likely that
this would be used to revoke protections from companies that offer end to end
encryption.

~~~
nine_k
This is a perfect case against centralized messaging: no company = no
liability.

Sorry, moxie; there's going to be no way to have a beautiful e2e encrypted IM
experience under wise oversight of a single company; only ugly p2p hodgepodge
without a legal SPOF has a chance to pull it off.

~~~
matheusmoreira
We still need to replace the ultimate centralized industry: internet service
providers. The telecommunications industry has always cooperated with the
government and they can be ordered to block the "dangerous" messaging
services. We need to somehow replace ISPs with a world-wide mesh network that
can't be censored no matter how much governments want to.

~~~
clarry
I agree that ISPs are a problem, but it's possible to build a reasonably
blockproof service with a dose of p2p darknet and reliance on a common transport
protocol (read: https). They would, essentially, have to find every node on
the network and block them. Or perform very expensive traffic analysis, which
can be defended against by designing normal protocol traffic to look very much
like normal web traffic.

As always, adoption is going to be poor because even among geeks it's rare for
one to deeply care about privacy & anonymity let alone lift a pinky for it.

Unfortunately, the worst threat is a legal one: just offer punishment for
anyone who is found guilty of participating in such a network.

------
iamatworknow
I do find it interesting that Lindsey Graham is one of the main sponsors of
this legislation. From the linked article,

>The idea is to make providers “earn” Section 230 immunity for CSAM claims, by
complying with a set of guidelines that would be developed by an unelected
commission and could be modified unilaterally by the Attorney General, but
which are not actually binding law or rules set through any legislative or
agency rulemaking process.

The structure and powers of this agency sound kind of like the Consumer
Financial Protection Bureau set up by the Obama administration. The CFPB was an
unelected commission that could create rules financial institutions had to
abide by, and dole out punishment in terms of fines, without going through a
legislative or rulemaking process. What were Lindsey Graham's thoughts on the
CFPB?

>Graham, however, called the agency the "most out-of-control, unaccountable
federal agency" in Washington.

>"Really no oversight at all," he said. "They can get into everybody's
business. I don't think they added much at all to the consumer protection.
They sure add a lot to increasing costs for midsize banks throughout the
country that had nothing to do with the financial collapse."

[https://www.politico.com/story/2017/11/26/graham-durbin-cons...](https://www.politico.com/story/2017/11/26/graham-durbin-consumer-protection-agency-259969?tab=most-read)

~~~
sailfast
Pedantic but for clarity: CFPB is directed by a single person who serves for
five years and cannot be terminated by the President except for cause, which
is one of the reasons unaccountability is brought up. Folks often indicate
they want a "commission" (similar to SEC or FDIC) instead of an agency with a
single director.

All that said, yes, this panel of people making "recommendations" that are not
laws but have the effect of law seems like a great recipe for selective
enforcement based on how large or small a company is and what they do, which is
not going to do much to solve the bigger issue. Congress is not going to move
at the speed of the internet / technology. I'm not sure if that's a named
"rule" yet, but it should be.

Illegal communities will move. And similarly, conditional "safe harbor" to
operate a website should not be a thing. These regs are easily avoided by
operating in other countries which will just make the US even less involved
and competitive in this space.

~~~
iamatworknow
I just think it's interesting that you can make almost exactly the same
argument against this new commission that Graham made against the CFPB with a
couple of words swapped out:

"They can get into everybody's business. I don't think they added much at all
to child protection. They sure add a lot to decreasing privacy for people in
the country that had nothing to do with the exploitation of children."

~~~
KarlKemp
You can make that sort of argument against anything: the FAA, FEC, FCC,
National Wetland Agency, etc.

What's euphemistically called "the real world" simply moves too fast for _any_
legislative body to keep up, let alone the current US Senate. So to some
degree, the specific implementation of regulation will always be delegated to
agencies.

------
tantalor
This sums it up: "This bill takes popular rage at social media companies’
immunity under Section 230 for _public speech_ on their platforms, and twists
it into a backhanded way of punishing messaging service providers’ use of
encryption for _private conversations_." (emphasis original)

~~~
incompatible
Does a service that only provides private conversations need 230 protections?

~~~
BlueTemplar
Seems so.

------
t223
What a great write up. The bill is rather dangerous, and I’m immediately
suspicious of anything claiming to help children in the context of
legislation.

FOSTA/SESTA is a horrible law and it has done a lot of damage.

~~~
ne9xt
Maybe I'm missing something, but I can see how this would apply to a platform
providing end-to-end encryption and how restricting that is a bad thing.
What's to stop someone from using, e.g. PGP in an email? Isn't that outside
the scope of this?

~~~
wmf
There aren't PGP plugins for mobile apps and people wouldn't use them if there
were.

~~~
paulryanrogers
K9mail has at least two

------
post_below
I love the hitchhiker's reference.

The post was well written and covered what I think are the important points.

There's only one thing I think deserves more attention than she gave it: The
economics. The US' place in the tech world is largely a result of limited
barriers to innovation in tech.

The kinds of "duties" proposed by this bill would be bad for big tech (a huge
part of the economy) but worse than that they would be prohibitive for new
innovators.

New social media services which attempt to serve the increasing demographic of
people disillusioned with big tech aren't even going to try to get into a
market with draconian requirements and potential legal obligations like those
proposed (or those that logically follow from the proposals).

Which means those services will be built elsewhere or not at all.

And of course there are the innovations we haven't imagined yet which won't be
allowed to happen.

------
nine_k
* E2E encryption is incompatible with eavesdropping.

* Forbidding content, like child porn, hate speech, etc in _private_ communication requires eavesdropping.

* Courts are used to communication channels that are easy to eavesdrop, like paper or analog phone, and keep requiring disclosure from communication providers using court orders.

* Same as with guns, law enforcement wants to ban e2e encryption so that criminals could not use it, but criminals break the law anyway, so effectively the ban is for law-abiding citizens first and foremost.

Unless you can compel the general public that having communication services with
unbreakable encryption is more important than law enforcement, e2e encryption
will stay effectively banned for non-technical users. That is, for almost all,
including most criminals, too.

------
msp_yc
How many people here think of encryption as a second amendment right?

If you find yourself arguing that it is - what happens when you are largely,
if not wholly, dependent on a third party to be able to exercise that right?

We've decided that corporations get first amendment rights independent of
their members - do they also get second amendment rights?

Are these just silly arguments? It's late Friday afternoon...

~~~
noident
Encrypted data is more like speech than a weapon. The analogy to guns just
doesn't work.

~~~
henryfjordan
The US Govt considers encryption a form of weapons tech so that it falls under
Munitions Exports Controls (see
[https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...](https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States)).
But the proposed law doesn't outlaw private use of encryption, only
potentially outlawing corporations from offering it, so I don't know that the 2nd
Amendment would really apply.

~~~
dependenttypes
The US courts seem to agree that encryption software is protected under the
1st amendment. See
[https://en.wikipedia.org/wiki/Bernstein_v._United_States](https://en.wikipedia.org/wiki/Bernstein_v._United_States)

------
__jal
Don't fall for the trap that this is about "big tech".

It isn't.

It is about your freedom of speech and ability to protect yourself.

~~~
OrangeMango
It is about big tech: WhatsApp doesn't need section 230 immunity if it isn't
part of Facebook.

~~~
elpool2
Can you explain how? The article lists WhatsApp as an example of an
interactive computer service that is covered by section 230 immunity. Is it
because WhatsApp is purely a messaging service without curation or moderation
and so the law wouldn't consider WhatsApp to be a publisher anyway?

~~~
OldHand2018
I don't use WhatsApp, but my understanding is that they are in the business of
providing private communication between parties.

Section 230 protects the likes of Facebook, where people can post things for
all the world to see, including things that are slanderous or illegal.

[https://en.wikipedia.org/wiki/Section_230_of_the_Communicati...](https://en.wikipedia.org/wiki/Section_230_of_the_Communications_Decency_Act)

~~~
ryukafalz
Yes, section 230 protects Facebook for public conversations. But as far as I'm
aware it _also_ protects providers of private communication, because as a user
of the provider you could potentially receive illegal content from them. The
provider, should they choose to moderate content by e.g. having report buttons
and moderation teams, could still be treated as a publisher.

------
craftinator
Are there any stats available for child sex abuse using end to end encryption?
It is used widely, along with "terrorism!" as a reason to ban e2eE, so I'd
like to see some stats that show that it's actually an issue. Does regular
mail post have this problem, or random websites? Not sure that e2eE is
exploited more for this than those other platforms ...

------
danShumway
Other people have mentioned this already, but in light of bills like this I am
starting to get a little annoyed at people like Moxie and at people more
broadly who seem to be purely interested in punching down on efforts to build
sustainable, censorship-resistant encrypted platforms. People who want to
argue that decentralized systems are pointless need to start offering
feasible, multi-country legislative solutions alongside their criticism, or
else I do not care about what they have to say.

Everything going on right now indicates to me that the UX problem is easier to
solve than the legal problem. No, decentralized systems aren't perfect, they
have significant challenges. But they are a way more promising field than
anything Moxie is proposing, specifically because of bills like this. We have
been fighting this battle for so long, and we have barely managed to stay on
the winning side. But these bills are not going to go away, and in light of
that I just do not believe that centralized Open platforms are sustainable.

There is no world where governments give up trying to gain control over a
centralized communication platform.

So we just have to suck it up and figure out how to build good decentralized
systems that ordinary people can use. We don't have an alternative. Yes,
that's a very difficult challenge. But deal with it -- unless you have a
better way to build an uncensorable Internet.

------
xvector
I think we need age limits. And lower term limits. We cannot have people stuck
in an era 3 decades old deciding the fate of our country as it goes into the
future. They are simply not equipped to deal with today's problems, let alone
tomorrow's.

At 60 years[1], the median age of the Senate is 20 years more than the median
age of the US population[2] - if this isn't an example of how broken and
entrenched our power structures are, I don't know what is.

These issues are also an artifact of a societal structure in which we use
the winners of a rigged popularity contest to decide the future of our country
rather than that of independent academics on a per-issue basis.

Through the lens of E2EE legislation, we are seeing our democracy crumbling
because we failed to enforce that our representatives _actually know what
they are talking about_.

[1]: [https://www.senate.gov/CRSpubs/b8f6293e-c235-40fd-b895-6474d...](https://www.senate.gov/CRSpubs/b8f6293e-c235-40fd-b895-6474d0f8e809.pdf)

[2]: [https://www.worldometers.info/demographics/us-demographics/](https://www.worldometers.info/demographics/us-demographics/)

~~~
reaperducer
_We cannot have people stuck in an era 3 decades old deciding the fate of our
country as it goes into the future._

While I agree that the age skew in politics is curious, and perhaps incorrect,
the other side of this is, "We cannot let people with 30 years less
experience, knowledge, and history decide the fate of our country as it goes
into the future."

Automatically associating youth with intelligence and "progress" and
stereotyping people with years of accrued wisdom to being "old fogies" is
textbook ageism.

It's something most of the rest of society grows out of by the time they hit
college, but also a thing that persists within the SV bubble and what is now
called "bro" culture. Fortunately, it's also illegal in many arenas.

~~~
dathinab
But when I look at the decisions today's politicians make wrt. IT, I would argue
that many 30-year-old ex-IT students have _far_ more experience wrt. IT topics
than our current politicians.

The problem is that the tech landscape moved too fast and all the wisdom and
experience often just doesn't apply anymore but, to make it worse, sometimes
it seems that you can bend technology to make it apply, but that is a very
dangerous fallacy. One I have seen politicians step into frequently.

~~~
hobofan
How many ex-IT students become politicians?

Old politicians with no IT experience are being replaced with young
politicians with no IT experience. Age limits don't improve anything here.

~~~
jvalencia
I'm also not sure that having IT-savvy politicians will change policy. The
government has certain safety goals (eg trafficking) that it will still have
to deal with. These might be a driver regardless of tech savvy-ness. There's
an assumption that if only they knew enough -- but perhaps it's not them who
don't know enough.

~~~
Mirioron
I've been watching Louis Rossmann advocating for right to repair recently.[0]
Louis tells a story about how opposition lobbyists have made outrageous claims
and politicians bought it, because nobody actually showed up to disagree with
the claims. While it's possible that politicians would vote the same way
regardless, I think they likely do miss out on a lot of information.

[0] video, watch 1 minute from here:
[https://www.youtube.com/watch?v=cHQYyYSZdvQ&t=1m57s](https://www.youtube.com/watch?v=cHQYyYSZdvQ&t=1m57s)

------
swiley
How does this work for services in other countries? Do they also have to get
licensed in the US for handling user generated content? If so that's pretty
crappy, I'm reasonably sure a worldwide legal monoculture will hurt the
poorest people of the world including children.

------
morpheuskafka
This is exactly analogous to DMCA in its structure--except that instead of the
procedures being part of the law, they will be subject to constant change by
the executive branch of government.

------
microcolonel
Write Congress to say that if something like this is passed, it must be actual
legislation, and not this "whatever the regulator approves" nonsense.

~~~
Nasrudith
Sadly that horse has long left the barn, fled thousands of miles, died and
been eaten by vultures. Its grandchildren are feral and flee at the sight or
scent of humans.

I suspect there are only two ways to fix that issue, both unlikely. Game theory
and sloth favor buck passing to agencies, let alone the logistical scale
involved with a mythical ideal Congress of honest actors.

The first is an amendment limiting the delegation abilities of Congress to
departments and agencies to be essentially programmatically explicit or else be
unconstitutionally vague.

The second is a precedent and jurisprudence shift as judges strike down such
delegation as unconstitutional.

~~~
microcolonel
Well, the way you put it, we should be taking up arms right now. If we're not
there yet, then there's politics to do.

------
dchyrdvh
Who am I to say that these two senators don't understand big politics, but
here's my theory why the other 98 senators won't support the idea. Laws are a
barrier between those who rule and those who obey. When the latter complain,
the barrier of laws diffuses their anger. The two senators find it too difficult
to play this game and want to break this wall to rule the internet directly.

------
hatenberg
So if the encryption moved into the mobile OS layer instead. Let's say for
images and blobs of text...

Note: I don't think technology can actually beat a government that doesn't
feel bound by the constitution or above the law.

------
tomc1985
Sexual abuse is terrible but I am so tired of it being used as the handle of
the billyclub used to beat technology down

~~~
api
Look into some of the people who have set up fake CP sites on the dark web or
who have posed as young girls on public social media. It's incredibly easy to
create a honey pot to ensnare sexual predators. There are many articles on
such experiments and they are highly effective.

They don't need back doors or hacker hanky panky to catch sex pests, just
creative but conventional police work.

This is an issue that gets dragged out to scare the public but the authorities
really don't care much about it. Reports of sex abuse from real victims are
often ignored and sexual predators get shorter sentences than people convicted
of minor drug possession or other stupid crap.

~~~
choward
Exactly, they need to actually do their jobs instead of trying to cheat by
taking away everyone's privacy and other rights.

------
dropoutcoder
This may be an unpopular opinion, but this is a great idea. Huge tech
companies now worth trillions facilitate criminal activity at scale and wash
their hands of any responsibility. E2EE at scale is problematic for
maintaining sanctity in society, as people are terrible. Giving common folks
easily accessible tools to engage in global secure comms has been a recipe for
disaster. LE’s job has been made more difficult, and the tech companies should
bear responsibility for policing their pipes.

~~~
argomo
Law enforcement has more tools for mass surveillance than ever before. The
Stasi could only dream of what we have built. But it's not the job of tech
companies to make policing easy, and it's not in the best interest of a free
people to give their government too much power. Please look at the history of
the FBI for examples.

~~~
dropoutcoder
Sorry for delay in responding. The issue is that there’s a huge proliferation
of inaccessible comms which creates a growing sea of unchecked globally
enabled online activity. This isn’t the same as allowing people to congregate
in person and in private. The abstraction of privacy expanding on a virtual
global scale presents unique challenges to law enforcement. This is
independent from the proliferation of surveillance mechanisms at hand, and
isn’t a valid counterbalance.

The tech companies assume power and disclaim responsibility. It is their job
to police their pipes, so respectfully and urgently I disagree.

Concerns about historical corruption within three letter agencies are best
addressed by working towards technical solutions that enable proper checks and
balances amongst involved players: governments, tech oligarchies, and
commoners. The current trend is towards a growing sea of entropy without
checks and balances, and this is unacceptable to governments motivated to
maintain/increase order and reduce suffering. Resistance via deployment of
technical libertarian mechanisms at scale isn't a solid long term solution.

The federal government isn't aiming to ban math, encryption, pgp, one time
pads, steganography, etc. Instead the goal is to prevent the proliferation of
unbreakable encryption at scale, as that growing void enables criminal
activity at scale, despite the growing surveillance apparatus.

------
jejei992o
This is great. We can all run private Kubernetes pods and share over
Wireguard.

This will only ever apply to corporations right?

------
Mindless2112
> Without the immunity provided by Section 230, there might very well be no
> Twitter, or Facebook, or dating apps, or basically any website with a
> comments section.

Going on that description, a bit of me wishes for Section 230 to be repealed.

Of course there would be no GitHub either, which wouldn't be so great.

~~~
manfredo
I don't think you fully understand the scope of what section 230 protects
against. Even running an email server could put people at risk of being held
liable for crimes, if users were to use that server to coordinate criminal
acts. Revoking section 230 essentially mandates total surveillance of user
activity.

~~~
Mindless2112
So you would have to run your own email server or be given access to one by
someone who trusts you, which would be a better situation in some ways than
the Gmail monoculture we have today. Google likely has your mail on one end or
the other; you're already under surveillance; Section 230 hasn't saved you.

~~~
DuskStar
And that email server has to be in a datacenter you own, because AWS doesn't
exist. (What is AWS if not hosting user-generated content?)

And if you run a tor node, then you're liable for anything someone does with
tor.

And if you host a blockchain mirror.

And...

~~~
dimensi0nal
There's already child pornography in the Bitcoin blockchain, right?

~~~
DuskStar
Yep!

