Technology experts say a bill before Congress to combat child sex abuse will threaten privacy and security. On Wednesday, senators behind the bill pushed back, arguing that it’s not an attack on encryption and accusing tech giants of looking for an excuse to attack the legislation.
The bill, known as the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, was introduced as a way to establish standards for tech companies that would prevent child sexual abuse online. It would compel adoption of those standards by revoking key legal protections if platforms do not comply. The immunity granted by Section 230 of the Communications Decency Act of 1996 protects websites from being sued over content posted on their platform and allows for free expression online.
The lawmakers behind the legislation argue that tech companies should be held accountable if they’re not doing everything they can to prevent child sexual abuse online. Online companies, though, already provide reports about child sexual abuse activity on their platforms.
“Some of these tech companies, with more than ample resources, have failed to meet their social and moral obligation,” Sen. Richard Blumenthal said Wednesday during a Senate Judiciary Committee hearing on the EARN IT Act. “Even 4Chan, not exactly a paragon of online virtue, provided 1,380 reports [in 2019]. Amazon provided eight.”
Amazon didn’t respond to a request for comment.
Blumenthal, a Democrat from Connecticut, is one of the sponsors of the bill, introduced March 5. The others are the committee’s chairman, Sen. Lindsey Graham, a Republican from South Carolina, along with Sens. Dianne Feinstein, a Democrat from California and Josh Hawley, a Republican from Missouri.
The encryption debate
In his opening statement, Graham denied that the EARN IT Act was targeting encryption, but rather child sexual abuse material.
“This bill is not about the encryption debate, but the best business practices,” Graham said. “I’m dying to find out what they should be.”
The proposed law doesn’t directly mention encryption. The standards would be determined by a 19-member commission led by the heads of the Justice Department, the Department of Homeland Security and the Federal Trade Commission. Both the Justice Department and the DHS chiefs have spoken out against end-to-end encryption, arguing that the security technology hurts criminal investigations.
The DOJ and other law enforcement agencies have looked to tech companies to give them access — backdoors — to encryption to aid in investigations.
Technology, privacy and security experts have all warned that creating a backdoor to encryption for law enforcement would ultimately put everyone in more danger, since it would essentially mean introducing a weakness to an otherwise secure protocol.
The Senate hearing included witnesses from the National Center for Missing and Exploited Children; online dating company Match Group; Mary Leary, a professor of law who studies technology and child abuse; and the Internet Association, a trade group representing companies including Google, Microsoft, Facebook and Amazon.
Throughout the hearing, lawmakers reiterated that the bill doesn’t mention encryption, and that Congress isn’t seeking to weaken the security technology. Elizabeth Banker, the Internet Association’s deputy general counsel, said that while the bill doesn’t specifically call out ending encryption, it sets the stage for doing just that.
“It creates a government-led commission that is tasked with addressing a broad range of matters,” Banker said. “Encryption and its impact could come up within the scope that the commission is charged with addressing.”
Lawmakers at the hearing were skeptical of tech giants’ defense of encryption in the name of data privacy — particularly because of privacy scandals that have broken out in recent years. That skepticism also comes amid a broader backlash on Capitol Hill against the tech sector. Lawmakers are reexamining how powerful tech companies have become, pushing for stronger antitrust investigations and calling for more hearings on the industry.
“You fought privacy actively and have pushed back on our efforts to work on privacy and data security,” Sen. Marsha Blackburn, a Republican from Tennessee, said at the hearing.
The bill’s supporters stressed that they don’t intend on taking on encryption through the EARN IT Act. Hawley said that he wouldn’t support any legislation that “does not protect the integrity of encryption for users,” but there’s no mention in the legislation’s 65 pages about protecting encryption.
Lawmakers at the hearing suggested that tech giants don’t actually care about security and privacy, but instead are using encryption as an excuse to keep Section 230 protections and maintain their profits.
Much of the bill’s opposition has come from nonprofit groups like the American Civil Liberties Union and the Electronic Frontier Foundation, while companies like Apple and Google have declined to comment on the pending legislation.
“Big tech is using encryption as a subterfuge to oppose this bill,” Blumenthal said. “The truth is, encryption can coexist with strong law enforcement.”
Hawley echoed that sentiment, and said tech companies would “grasp at any straw to oppose this bill.”
A call for resources
The EARN IT Act aims to take on child online sexual exploitation, but the Internet Association’s Banker suggested that there could be other ways to address the issue rather than threatening Section 230 protections.
“Internet Association members believe that Congress can pass legislation with an immediate, positive impact on the fight against child exploitation without taking on constitutional issues and the specter of encryption regulation,” Banker said.
She recommended allowing tech companies to develop new tools for detecting material tied to child sexual assaults and providing more resources for organizations like the National Center for Missing and Exploited Children.
At the hearing, John Shehan, vice president of the center’s Exploited Children Division, explained that while companies like Facebook report millions of cases every year, it only has the resources to address “hundreds of thousands” of them. More resources, he said, would help with that overload.
The EARN IT Act doesn’t provide more resources to organizations like the National Center for Missing and Exploited Children.
“Oftentimes, you’ll hear the Internet Crimes Against Children Task Force members mentioning how they can’t do proactive work, or they’re struggling to respond to other cases in their localities because of the cybertips,” Shehan said. “They need more funding for training and mental health care as well.”