It may have disappeared from the headlines, but the encryption debate continues to rage in the U.S., with proposed new legislation representing the clearest threat yet to the security underpinning WhatsApp and iMessage, as well as Signal, Telegram and Wickr. This is happening as protests continue to engulf the U.S., as headlines are filled with advice to protesters on how to digitally protect themselves.
Now, with more focus than ever on the security and integrity of our messaging platforms, with fears about the threat from government surveillance, the merits of end-to-end encryption have taken on a new perspective. The latest voice added to the fray comes from Human Rights Watch, which warns that the new proposals put some users in danger and risk “sweeping” restrictions for everyone else.
The EARN-IT bill had its first hearing in March, and is now advancing through Congress. Its stated intent is to enforce best practices to prevent “the online sexual exploitation of children, including enticement, grooming, sex trafficking, and sexual abuse,” as well as “the proliferation of online child sexual abuse material.”
The bill addresses Section 230 of the Communications Decency Act (CDA), which frees the tech platforms from being held accountable for “publishing” content shared on their platforms. This is the same legislation targeted by President Trump in an executive order signed last month, after Twitter fact-checked his tweets. The executive order, firmly opposed by Twitter and Facebook—the tech giants likely to be hit hardest, is now in its consultation phase.
Putting aside the rights or wrongs on fact-checking the president’s social media—and it’s worth noting that an account that just copies his tweets “was suspended 68 hours after its creation for violating the social media site’s rules,” the backdrop to this Section 230 debate is, of course, widespread access to end-to-end encryption.
Lawmakers and security agencies want legally warranted access to encrypted data. That can’t happen without some form of backdoor in those end-to-end systems. Tiring of the privacy and safety debate, those behind EARN-IT have proposed making the platforms responsible for the content they transmit, encrypted or not. This would mean, as explained by Sophos, that tech companies “either weaken their own encryption and endanger the privacy and security of all their users, or forego protections and potentially face liability in a wave of lawsuits.”
Despite being accused by one U.S. senator of proposing a “Trojan horse,” which would give the president “the power to control online. speech and require government access to every aspect of Americans’ lives,” the defense, say the bill’s architects, is the safeguarding of children and the prevention of abuse.
But now Human Rights Watch (HRW) has written to the leadership of the Senate Judiciary Committee, arguing that this defense doesn’t add up, that the EARN-IT Act “not only jeopardizes privacy and threatens the right to free expression, but also fails to effectively protect children from online exploitation.”
HRW argues that the bill would force the technology platforms to err on the side of caution rather than face a surge in legal challenges and even potential prosecutions, those “companies would have a strong incentive to adopt practices for restricting content that would sweep more broadly than the illegal content.”
On the encryption front, HRW echoes others that have argued vehemently against the proposals—that weakened encryption will “endanger all people who rely on encryption for safety and security—once one government enjoys special access, so too will rights-abusing governments and criminal hackers.” Universal access to encryption “enables everyone, from children attending school online to journalists and whistleblowers, to exercise their rights without fear of retribution.”
HRW acknowledges the assurances made by the bill’s architects that encryption will not be weakened, but says that “unless the bill is amended, the risk remains that the [National Commission on Online Child Sexual Exploitation Prevention] could interpret its mandate to include recommendations to prohibit, weaken, or undermine access to encryption.”
Putting that risk more simply, the EARN-IT bill is cleverly leaving it to the tech platforms to keep themselves safe—there would be little option other than some form of access to encrypted content, even though it would not be specified in law. Sophos describes this as “the backdoor virus that law enforcement agencies have been trying to inflict on encryption for years.”
HRW wants to see the EARN-IT bill rejected, and a more considered alternative in its place, alongside a more “holistic” approach that accounts for preventative real-world measures, not just online monitoring. Such measures, it says, should include “careful consideration of any human rights implications, and give due attention to unforeseen and unexpected consequences–for children and vulnerable groups.”
Despite its opposition, EARN-IT is the clearest threat yet to end-to-end encryption, given this clever twist in pushing the onus onto the platforms to avoid transmitting illegal content, rather than mandating a lawful interception approach. That HRW has said, very clearly, that the bill would not achieve its stated intention, the hope is that this gives some pause for thought before any legislation is introduced.
WhatsApp and iMessage are the leading end-to-end encrypted platforms, perhaps soon to be joined by a Google RCS alternative. Billions of users rely on this security worldwide, many of whom do not enjoy the legal protections that exist in North America and Europe. Weakening security in the U.S. will have ramifications in countries where this would be a genuine threat to life. As EFF has warned, “undermining free speech and privacy is not the way to protect children.”