why the earn it act is a backdoor for a digital police state

With the EARN IT bill, politicians are unwittingly and stubbornly putting us at greater risk from criminals and terrorists while insisting they’re just trying to protect us.
one nation under cctv

While it may be our first instinct to protect kids, the phrase “think of the children!” has become a punchline in American politics. Usually, when it’s uttered, you know it’s meant as a way to push through a law that creates dangerous, far-reaching, and potentially disastrous loopholes and opportunities for abuse under the guise of protecting the youngest and most vulnerable. But while these gambits may be transparent, they’re always a Herculean task to fight because no one wants to be smeared as supporting child trafficking, terrorism, and pedophiles by criticizing proposed laws that politicians swear up and down are meant to save kids from the clutches of awful people.

The latest iteration of this ploy is the EARN IT bill, which mandates that all online services have to follow a list of best practices determined by a 19-person panel ran by the Justice Department and the National Center for Missing and Exploited Children. Among those best practices is the ability to scan encrypted messages and report objectionable content to relevant authorities, and the penalty for failing to do so is the loss of Section 230 protections. In less legal terms, if an online communication service doesn’t read your messages and report users sending illegal content, the whole site can face criminal liability.

This is actually a huge deal because Section 230 is what allows social media to exist. Largely U.S. based companies created vast platforms where users could post whatever they want within reason, and as long as they don’t encourage illegal content or ignore reports of users engaging in illegal actions, criminals caught using their services are the only ones in trouble. Revoking, or significantly weakening Section 230 protections means that social media will have to police its users or find itself in court along with the actual criminals. It’s a scary thought, which is why it’s being used as a cudgel by politicians who want more control over Facebook and Twitter, while undermining public support for encryption and privacy by invoking horrific crimes.

One of the most common examples of this is prosecutors talking about how many pedophiles use encryption to share sickening videos and images, and how terrorists plot future attacks on encrypted messaging services. But while this may be true, it also conveniently skips how many people rely on the same exact encryption technology to make sure no one other than them is reading their emails or turning their phones into spy cams, technology that used to be complex and relegated to programmers and IT professionals but is now built into almost every laptop and smartphone on the market and activated with a simple tap or click.

the war on encryption

The biggest problem law enforcement and politicians have with our modern electronics is that widespread use of encryption to keep personal data safe. Some prosecutors even declared that any device that encrypts your data just helps criminals which only makes sense if you use your electronics to commit crime and nothing else. Even worse, Bill Barr, the current U.S. Attorney General, demanded that tech companies undermine encryption even if it will deal nothing short of a mortal wound to the nearly $3 trillion ecommerce market, and snidely dismisses legitimate concerns about leaving highly sensitive personal data exposed to hackers who run entire black markets on the dark web trafficking stolen identities and credit cards.

Given the DOJ’s crusade against digital security and unholy zeal in reading everyone’s private messages, the inclusion of the NCMEC seems a lot like a thinly veiled excuse to get their way under the guise of helping vulnerable children. And if that wasn’t crude and exploitative on its own, sponsors of the EARN IT bill pretend that a department which cannot stop talking about how much it wants encryption backdoors no matter the risk to citizens and worldwide users of American software and online services, will definitely not put such backdoors on the required list of best practices because the bill never uses the term encryption.

This legal maneuver is about as sneaky as having a toddler you keep catching in the act of trying to steal cookies from a jar ask for access to “all containers determined by a group on my peers at all hours of the day” and balking at your skepticism by insisting he never said a word about cookies in this particular instance. Only in this case, the downside of agreeing to the terms isn’t tummy aches and being too full for dinner, but having your financial data exposed to hackers who can clear out your bank accounts, collect blackmail material by making your own devices spy on you, and make online shopping almost impossible to do safely.

Just as some criminals take advantage of encryption to hide evidence of their crimes, there are plenty of hackers highly motivated to take advantage of any lapse in security and sell anything valuable they find to the highest bidder. In fact, some of these hackers profit from selling RATs, or Remote Access Tools, which have been used to turn kids’ electronics into pedophiles’ private peep shows. Creating an encryption backdoor may make it harder for perverts to send files to each other on messaging platforms, but much easier to exploit the very children EARN IT claims it wants to protect by allowing them to hijack webcam feeds, as well as for terrorist groups to launder money or fund their schemes with cybercrime.

why encryption is so important

The problem here is that encryption did make it much harder for law enforcement to collect certain types of evidence and some cases take a lot more effort to crack, but as every expert on the subject has explained ad nauseam for decades, encryption is math and math does not allow for the “safe backdoors” demanded by politicians and prosecutors. We have to use the same libraries, algorithms, and equations to secure everything from our private messages to online banking sessions. If you can monitor what people are saying to each other in encrypted DMs, you can get their online banking passwords, credit card numbers, and either download any compromising pictures of yourself or create them surreptitiously.

Even worse, anyone with access to these decryption keys can sell them on the black market or manage to expose the required software by mistake. Faced with these risks, the reaction from numerous prosecutors and Barr has been some form of “who gives a shit?” which is less than reassuring. It’s absolutely terrifying when you consider that the EARN IT bill would place them in charge of determining what sites will be threatened into doing their bidding. And given their goal of mandating backdoors in all encryption, who’s to say that they’ll stop at online platforms and won’t come after any secure messaging system while talking about criminals who are now on to their efforts to screen online services for illegal content and evidence of crimes?

Suppose you’re fine with social media shutting down. Maybe you think it’s for the better that it goes away because vast swaths of it have become toxic cesspools of lies and paranoia. But it’s unlikely that you want the government snooping through your texts and chats, popping in on your Zoom sessions with friends, telemedicine appointments, or spying on your corporate IM and emails just in case. I know you may want to dismiss this as one big slippery slope fallacy, but again, remember that the people involved in this bill have been very vocal about wanting to go down that slippery slope since 1995 and their counterparts in Australia have already taken the same steps.

how tech companies will fight back

Of course, tech companies will fight back, just like they did after Australia’s anti-encryption law was passed. They will refuse to store data on servers located in countries which demand legal backdoors or to sell their software in those markets. In the U.S., the effects will be especially disastrous since it’s home to so many tech heavyweights and data centers. These titans with ten figure war chests will absolutely unleash legal hell to defend themselves, but should they fail or if the government refuses to back down, this will open the door to other nations’ tech companies to rapidly gain market share by promising a product that’s actually safe while the Americans fight about how much security and privacy you deserve.

While the ins and outs of laws governing how much privacy an individual has or can expect can be a legal minefield, the answer has to be more than zero in a state that doesn’t want to end up as a totalitarian regime. And while you may think that you have nothing to hide, that’s not the point in question. The question should be why you have to allow anyone to rifle through your personal data anytime they feel like it. After all, there’s a reason why the standard in criminal prosecutions is that you’re innocent until proven guilty. Flipping that presumption on its head means you have to prove a negative, in which case evidence that you didn’t commit a crime can be used as an argument that you must have committed a different one.

We may also see American tech companies expanding to Canada, Ireland, and Germany faster than they ordinarily would to avoid this legal morass and routing their services and through data centers out of U.S. jurisdiction. Politicians will, of course, accuse them of aiding criminals and terrorists but it’s hard to imagine a lot of customers interested in electronics or platforms on which all their data can be easily stolen by any halfway decent hacker no matter how much you tell them to think about the children or accuse them of helping terrorists and pedophiles. They may loathe both, but they also have bills to pay and need to be able to log into their bank accounts and find them not empty and credit cards not maxed out.

If you’re a well to do country with an educated population that wants a thriving tech scene, now is the time to recruit top notch talent and encourage satellite offices for tech startups by making it clear that you very much believe in encryption and security. Reading private messages and demanding access to everyone’s electronics under the guise of preventing crime is what authoritarian nations do, and they too can make themselves sound like worried parents in the process. So, let’s make no mistake about the EARN IT act. It opens the door for those who see any real privacy and security measures as an affront to themselves — and have said so many times — to build the vast digital dragnets they’ve always wanted.

# tech // cybersecurity / encryption / lawmakers


  Show Comments