Yesterday a bipartisan group of U.S. Senators introduced a new bill called the EARN IT act. On its face, the bill seems like a bit of inside baseball having to do with legal liability for information service providers. In reality, it represents a sophisticated and direct governmental attack on the right of Americans to communicate privately.
I can’t stress enough how dangerous this bill is, though others have tried. In this post I’m going to do my best to explain why it scares me.
“Going Dark”, and the background behind EARN IT
Over the past few years, the U.S. Department of Justice and the FBI have been pursuing an aggressive campaign to eliminate end-to-end encryption services. This is a category that includes text messaging systems like Apple’s iMessage, WhatsApp, Telegram, and Signal. Those services protect your data by encrypting it, and ensuring that the keys are only available to you and the person you’re communicating with. That means your provider, the person who hacks your provider, and (inadvertently) the FBI, are all left in the dark.
The government’s anti-encryption campaign has not been very successful. There are basically two reasons for this. First, people like communicating privately. If there’s anything we’ve learned over the past few years, it’s that the world is not a safe place for your private information. You don’t have to be worried about the NSA spying on you to be worried that some hacker will steal your messages or email. In fact, this kind of hack occurs so routinely that there’s a popular website you can use to check if your accounts have been compromised.
The second reason that the government has failed to win hearts and minds is that providers like Facebook and Google and Microsoft also care very much about encryption. While some firms (*cough* Facebook and Google) do like to collect your data, even those companies are starting to realize that they hold way too much of it. This presents a risk for them, and increasingly it’s producing a backlash from their own customers. Companies like Facebook are realizing that if they can encrypt some of that data — such that they no longer have access to it — then they can make their customers happier and safer at the same time.
Governments have tried to navigate this impasse by asking for “exceptional access” systems. These are basically “backdoors” in cryptographic systems that would allow providers to occasionally access user data with a warrant, but only when a specific criminal act has occurred. This is an exceptionally hard problem to get right, and many experts have written about why this is. But as hard as that problem is, it’s nothing compared to what EARN IT is asking for.
What is EARN IT, and how is it an attack on encryption?
Because the Department of Justice has largely failed in its mission to convince the public that tech firms should stop using end-to-end encryption, it’s decided to try a different tack. Instead of demanding that tech firms provide access to messages only in serious criminal circumstances and with a warrant, the DoJ and backers in Congress have decided to leverage concern around the distribution of child pornography, also known as child sexual abuse material, or CSAM.
I’m going to be a bit more blunt about this than I usually would be, but only because I think the following statement is accurate. The real goal here is to make it financially impossible for providers to deploy encryption.
Now let me be clear: the existence of CSAM is despicable, and represents a real problem for many providers. To address it, many file sharing and messaging services voluntarily perform scanning for these types of media. This involves checking images and videos against a database of known “photo hashes” and sending a report to an organization called NCMEC when one is found. NCMEC then passes these reports on to local authorities.
End-to-end encryption systems make CSAM scanning more challenging: this is because photo scanning systems are essentially a form of mass surveillance — one that’s deployed for a good cause — and end-to-end encryption is explicitly designed to prevent mass surveillance. So photo scanning while also allowing encryption is a fundamentally hard problem, one that providers don’t yet know how to solve.
All of this brings us to EARN IT. The new bill, out of Lindsey Graham’s Judiciary committee, is designed to force providers to either solve the encryption-while-scanning problem, or stop using encryption entirely. And given that we don’t yet know how to solve the problem — and the techniques to do it are basically at the research stage of R&D — it’s likely that “stop using encryption” is really the preferred goal.
EARN IT works by revoking a type of liability protection called Section 230 that makes it possible for providers to operate on the Internet, by preventing the provider from being held responsible for what their customers do on a platform like Facebook. The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they follow “best practices” for scanning their systems for CSAM.
Since there are no “best practices” in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use. The specific nature of the committee is byzantine and described within the bill itself. Needless to say, the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.
So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn’t come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they’ll go bankrupt if they try to disobey this committee’s recommendations.
It’s the kind of bill you’d come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn’t care.
So why is EARN IT a terrible idea?
At the end of the day, we’re shockingly bad at keeping computer systems secure. This has expensive, trillion dollar costs to our economy. More than that, our failure to manage the security of data has intangible costs for our ability to function as a working society.
There are a handful of promising technologies that could solve this problem. End-to-end encryption happens to be one of those. It is, in fact, the single most promising technology that we have to prevent hacking, loss of data, and all of the harm that can befall vulnerable people because of it.
Right now the technology for securing our infrastructure isn’t mature enough that we can have a government-appointed committee dictate what sorts of tech it’s “ok” for firms to provide. Maybe some day we’ll be there, but we’re years from the point where we can protect your data and also have Washington DC deciding what technology we can use to do it.
This means that yes, some technologies, like CSAM scanning, will have to be re-imagined and in some cases their effectiveness will be reduced. But tech firms have been aggressive about developing this technology on their own (see here for some of the advanced work Google has been doing using Machine Learning), and they will continue to do so. The tech industry has many problems, in many areas. But it doesn’t need Senators to tell it how to do this specific job, because people in California have kids too.
Even if you support the goals of EARN IT, remember: if the U.S. Senate does decide to tell Silicon Valley how to do their job — at the point of a liability gun — you can bet the industry will revert to doing the minimum possible. Why would the tech firms continue to invest in developing more sophisticated and expensive technology in this area, knowing that they could be mandated to deploy any new technology they invent, regardless of the cost?
And that will be the real outcome of this bill.
Over the past few years there has been a vigorous debate about the value of end-to-end encryption, and the demand for law enforcement to have access to more user data. I’ve participated in this debate, and while I’ve disagreed with many on the other side of it, I’ve always fundamentally respected their position.
EARN IT turns all of this on its head. It’s extremely difficult to believe that this bill stems from an honest consideration of the rights of child victims, and that this legislation is anything other than a direct attack on the use of end-to-end encryption.
My hope is that the Internet community and civil society will treat this proposal with the seriousness it deserves, and that we’ll see Senators rally behind a bill that actually protects children from abuse, rather than using those issues as a cynical attempt to bring about a “backdoor ban” on encryption.
21 thoughts on “EARN IT is a direct attack on end-to-end encryption”
Excellent post, thank you!
My impression is this is fundamentally in conflict with data protection laws – one of the huge advantages of end-to-end encryption is you don’t have to care about telling the difference in what kind of data is being transmitted. That’s a big problem for major companies that cross lots of jurisdictional boundaries – so the best avenue to fighting this is to create awareness in major companies.
They certainly won’t want to hire a small army of lawyers, auditors, and security professionals to tackle even more than they already do – and nothing puckers up Congress tighter faster than dropping share prices.
That’s a very good point. You can’t pass legislation that’s already shaky if it harms America’s economy. …usually.
Obviously politics targets encryption privacy for the masses.
If CSAM were the reason for this initiative they would also have tried to prohibit consumer digital cameras.
I wonder if EARN IT will apply to the CIA. They have been bidding JFK assassination files for years. What about Pentagon computers? If the U.S. government keeps their computers protected by end to end encryption how can they take that right from its citizens? Hypocritical to say the least!! Does not the phrase “FOR THE PEOPLE BY THE PEOPLE” mean anything any more or has it gone the way of the dodo like “In God We Trust?”
We will need to prepare effective defenses for those who rightly oppose EARN IT, who will be attacked by despicable rhetoric accusing them personally of being on the side of child-porn lovers.
Great post! And keep up the good work! But in the end, the only thing which EARNIT will do is to drive the pedos further underground and it will be a boon for non-US based tech companies to corner the end-to-end encrypted communications market, well beyond the reach of American shores and its punitive, totalitarian laws. Say goodbye to “Signal”; say hello to “Señal”. 😉
Of course, how long is it then before these foreign encrypted communication providers are labelled as “terrorists” and become subject to drone and F22 strikes? We do live in Orwellian times…
Good idea! In such a way Russians will know all that Lindsey Graham thinks and does (i.e. political views, geronto-pornography, financial machinations, etc.), so that way the so-named senators shoot themselves in the leg. I’m PRO the NSA and CIA having access to correspondence. In such a way, Russians will also have access, and maybe “democracy” will be restored in the US? Because the situation now is “1984” by George Orwell. So the worse for “democracy”, the better for countries that do not recognize democracy. They will tell their population: “Look, even in the most (self-proclaimed) democratic country, the US, there is no democracy, why do you want it here?”
No mention of the usual reason for surveillance: to limit or stop terrorism?? I am surprised.
If I were a provider, like WhatsApp, I would just encrypt everything except pictures and videos. This way, I could still scan pictures and report them but conversations will remain private.
Kittymatec infinite encryption
Putting Telegram in the same sentence with apps e2ee by default instantly reduces the article’s credibility.
Also I wonder why we’re glancing over the fact that “technologies like CSAM scanning, will have to be re-imagined” has no solution even on the horizon. The claim that the bill has the sole purpose to attack encryption would sound more plausible if the author showed a better practical way to fight CSAM which lawmakers would be ignoring.
The author does have a post addressing this (called “Can end-to-end encrypted systems detect child sexual abuse imagery?”) which you are welcome to look at.
By saying backdoors are hard to get right, or that we don’t know how to combine content scanning and end-to-end encryption, you are in practice saying that backdoors can be done right and encrypted content can somehow be scanned. That is not the case: these things are, by definition, mutually exclusive.
If anyone without the encryption key (or in the case of asymmetric encryption, the other part of the key), is able to read the content, then – again, by definition – the content is not encrypted. It’s merely scrambled.
In a linked post, you discussed client-side scanning (and the problems it has). Even if the images could be scanned on the client-side with some technology which would make it impossible for anyone else to know the actual contents of the image, and if someone would actually agree to scan their content which they want to keep secret, at least one problem comes directly from the promise of maintaining secrecy: images could just be changed slightly and tested against the algorithm to get a false as the scanning result, and then sent to a service provider.
I am not really familiar, but I imagine one thing that is being researched is the use of homomorphic encryption for scanning end-to-end encryption https://en.wikipedia.org/wiki/Homomorphic_encryption
Using homomorphic encryption one could do the scanning on the server-side, but the result of the scan could only be read on the client-side. By signing the answer, the result supplied to the client could probably be trusted if the client decrypts it and sends it back to the server, but that would not remove the problem where the client could just retry to get around the scan.
I also suspect, that for the scanning algorithm to work with homomorphic encryption, all of the fingerprint data would have to be encrypted with the same key, which is not known by the server, and which would take ages to do for every single input.
Please find the very creators of the EARN IT bill and have them personally explain why this is such a necessity.
Quick question, how can we put a stop to this? Is there anything we can do as of now?
So what can we reasonably do about this? Everything seems so hopeless now.
Contact your reps and spread the word. The truth is that this will never stop because the majority of the political types do not have those they represent truly in their hearts; only the money that could end up in their palms.
These cyrptographic systems sure do remind me of the cyrpt. With all of its lihcs and zmobies.