The Graham-Blumenthal Bill: A New Path for DOJ to Finally Break Encryption
Members of Congress are about to introduce a bill that will undermine the law that undergirds free speech on the Internet. If passed, the bill known as the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, will fulfill a long-standing dream of U.S. law enforcement. If passed, it could largely mark the end of private, encrypted messaging on the Internet.
The Department of Justice and the FBI have long seen encryption as a threat. In 1993, the Clinton administration promoted the installation of a “Clipper Chip” in consumer devices that would allow for easy government eavesdropping using key escrow. When researchers repeatedly demonstrated that this flawed idea would compromise privacy and security for everyone, not just criminals, the idea was scrapped. But U.S. law enforcement agencies spent the next 25 years villainizing the widespread adoption of encryption and highlighting a series of awful criminal acts in their efforts to scare elected officials into requiring backdoors.
You shouldn’t need to get a pass from a commission of law enforcement agencies just to set up a website.
In recent years, they’ve used acts of terrorism like the mass shootings in San Bernardino and Pensacola to press for draconian changes to the law. More recently, officials like Attorney General William Barr have blamed encryption for sexual crimes against children. Not only are these crimes horrific to hear about, but they are nearly impossible to get objective information about. Nearly all information that the public gets about these crimes is filtered through law enforcement and organizations that work closely with law enforcement. Because of that, it’s very hard for policymakers to make informed decisions that address both public safety and civil liberties concerns.
Meanwhile, we face immense challenges to building secure systems, and strong encryption is one the best tools we have available to protect ourselves. Encryption preserves the ability to have private, secure communications in an increasingly insecure world. Members of the government, the military and law enforcement themselves use encryption to protect their communications, as do journalists, activists and those at risk of domestic abuse, among many others. We should not sacrifice the power of these fundamental technologies, even in the name of important law enforcement goals.
A Commission Custom-Designed to Break Encryption
We’ve written many times about Section 230, the most important law protecting free speech online. Section 230 simply states that, in most cases, speakers should be responsible for their own speech, not Internet intermediaries who host that speech.
According to a draft published several weeks ago, EARN IT would strip away Section 230 protections, offering them only to Internet companies who followed a list of “best practices” set up by a government commission of 15 people. This commission, set up in the name of protecting children, will be dominated by law enforcement agencies.
The first three members would be chosen by the heads of the Department of Justice, the Department of Homeland Security, and the Federal Trade Commission, two of which have law enforcement responsibilities. The remaining 12 members will be chosen by Congress, but have to fulfill specific roles. The bill states that:
Two commission members “shall have experience in handling internet crimes against children in a law enforcement capacity.” So, more law enforcement.
Two commission members “shall have experience in handling internet crimes against children in a prosecutorial capacity.” Again, more law enforcement.
Two commission members “shall have experience in providing victims services for victims of child exploitation.” These will inevitably be organizations that work hand-in-hand with law enforcement, like the National Center for Missing and Exploited Children.
Two commission members “shall have experience in computer science of software engineering.” That sounds like a good start. It shouldn’t be two out of fifteen.
And finally, four commission members will have experience working for online services of varying sizes—but must have “experience in child safety.” So, these four commissioners will be drawn from the groups within tech companies who work most closely with law enforcement. There’s nothing wrong with that, but it’s hardly a balancing force on this lopsided commission.
So out of a 15-person commission, we have seven members who have been actively employed by law enforcement agencies and two from private organizations whose specific role is to assist law enforcement agencies. Even in the unlikely event that all of the other members of the commission dissented from a policy, law enforcement and close allies will have a 9-person majority.
What “best practices” would that commission demand in the name of protecting children? We know that offering backdoors to encryption would be high on the list. Attorney General William Barr has demanded “lawful access” to encrypted messages, over and over again. So have his predecessors. The practical result would be to force companies like Apple and Facebook, which offer encrypted messaging services, to choose between protecting user security and privacy and risking unlimited liability for crimes against children committed using these services. Some have likened this anti-encryption scheme to holding car manufacturers liable for injuries caused by defective designs. But really, it’s more like making Toyota pay when a bank robber makes a getaway in a Prius.
The ability to have a private conversation is fundamental in a democratic society, and Congress should not be disincentivizing these companies from developing secure platforms.
The Next Anti-Encryption Bill Might Claim It’s Not About Encryption
It’s possible that law enforcement may try to amend this bill in a way that sidesteps the damage they’re doing to encryption and privacy. It could be as straightforward as putting a clause in the bill explicitly saying the bill doesn’t apply to encryption.
Politically, there’s good reason for law enforcement agencies to do this. If they seek in an obvious way to damage encrypted services, other government agencies will be negatively impacted, and could speak up. International diplomats from many countries, including the U.S. State Department, rely heavily on encrypted services to get their work done. The U.S. military also relies on encryption, and Congressman Ro Khanna has spoken up about the importance of encryption to national defense.
But sidestepping that issue wouldn’t be sufficient to make it a good bill—and it likely won’t even be true. That’s because the DOJ is likely to “define down” what encryption is. It will simply say that something like client-side scanning, for instance, doesn’t into the realm of encryption. That would be patently false, since client-side scanning very much does break end-to-end encryption. But with 11 out of 15 commission members being law enforcement or those who work with them, you can bet their definition of “encryption” will differ in important ways from those of computer scientists.
Even if the bill actually did avoid encryption issues, it would be a bad idea. The Internet isn’t just a few big companies. It’s billions of people, speaking across more than a billion websites. Section 230 doesn’t give tech companies a free pass. It makes people responsible for their own speech and their own behavior online, just as we all are in the offline world. Section 230 isn’t broken, and we’ve explained elsewhere how the EARN IT bill would also undermine online speech.
You shouldn’t need to get a pass from a commission of law enforcement agencies just to set up a website. That’s the type of system we might hear about under an authoritarian regime. Yet, in the name of protecting children, U.S. lawmakers might be about to set up such a system here. That’s what the EARN IT bill comes dangerously close to prescribing.