tl;dr: Help fight the EARN IT Act and sign the petition to stop it from becoming law!
Tutanota has joined a coalition of human rights activists in an open letter urging Senators to oppose the EARN IT bill (read the full letter at the end of this article), namely because the EARN IT bill jeopardizes the security of our communications by undermining end-to-end encryption. The bill threatens encryption and online free expression:
"Although Section 5(7)(A) purports to protect the ability of intermediaries to offer encryption, it actually does the opposite. Section 5(7)(A) of EARN IT states merely that provision of encrypted services shall not “serve as an independent basis for liability of a provider” under the expanded set of state criminal and civil laws for which providers would face liability under EARN IT. At the same time, Section 5(7)(B) specifies that courts will remain able to consider information about whether and how an intermediary employs end-to-end encryption as evidence in cases brought under EARN IT. Together, these provisions explicitly allow courts to consider the offering of end-to-end encrypted services as evidence of an intermediary’s guilt of crimes related to CSAM. While prosecutors and plaintiffs could not claim that providing encryption, alone, was enough to prove a violation of state CSAM laws, they would be able to point to the use of encryption as evidence in support of claims that providers were acting recklessly or negligently."
The EARN IT bill was re-introduced to the Senate two weeks ago - for the third time, after being successfully fought by a huge opposition in 2020 and 2022.
Fight for the Future tweeted:
"BREAKING: Congress just reintroduced the dangerous #EarnItAct, an internet surveillance bill that makes all of us less safe by attacking online encryption. We’ve killed this bill 💀twice 💀, and we’re going to do it again at NO EARN IT ACT."
The EARN IT Act of 2023 is essentially identical to the version that was introduced in the last Congress of 2022.
Last year we joined an open letter that details everything that is wrong with EARN IT. The new version of EARN IT does not contain any major changes, so it looks like policymakers just want to get this law - which faces a lot of public opposition - passed, hoping that this time no one will notice, or that the opposition will not have enough time to mobilize.
Statements from policymakers in 2022 about the then "new" version of the EARN IT bill sounded just like the fear-mongering, privacy-infringing, unconstitutional nonsense of 2020. Again, the proponents of the bill try to present tech companies as being complicit in child sexual abuse by offering secure communication online.
Senator Blumenthal tweeted:
"THREAD: The #EarnItAct is very simply about whether tech companies should be held responsible for their complicity in the sexual abuse & exploitation of children when they refuse to report or remove images of these crimes hosted on their platforms."
Regardless of such claims, more than half a million Americans have already signed the petition started by Fight for the Future. The digital rights group issued a statement in 2022 defending the use of strong encryption:
"The EARN IT Act is one of the most poorly conceived and dangerous pieces of Internet legislation I have seen in my entire career, and that’s saying a lot."
"The EARN IT Act also takes aim at end-to-end encryption, which is one of the most important technologies keeping people safe from violence and abuse. Strong encrypted messaging also protects our hospitals, schools, airports and water treatment facilities. Disincentivizing popular services from offering strong encryption to users will put lives in danger for absolutely no benefit."
The Center for Democracy and Technology has issued a similar statement:
"The newest version of the bill not only retains these core problems, but, in some cases, makes things worse. In particular, the bill would threaten encryption and the role it plays in protecting cybersecurity for everyone, and especially at-risk users. Given its significant problems and potential vast impact on internet users, CDT is especially concerned to see the EARN IT Act being rushed through the legislative process. We urge Senators to oppose the new bill."
All of these statements explaining why EARN IT is wrong - even if one year old - are still valid today.
Evan Greer of Fight for the Future tweeted:
"More than HALF A MILLION people signed this petition to lawmakers opposing the EARN IT Act last Congress. Why would you reintroduce this bill without fixing any of the glaring problems that have been pointed out by human rights and security experts?"
EARN IT is a law proposed by Attorney General William Barr to stop American tech companies from using encryption. The bill pretends to deal with the very serious issue of child exploitation online, but in reality will put an end to encryption and security online for everyone. Instead of actually providing law enforcement with more money and more officers, it attacks free speech and security online.
In the past, Barr and others have repeatedly tried to pass anti-encryption laws in the USA, but regularly failed because of a public outcry. Even though we know that more surveillance won't keep us more secure, politicians keep pushing for such legislation.
Nevertheless, people must have the option of private conversations online, and they increasingly understand that encryption is the best tool they have to protect their private messages from any third party.
That's why the proposed EARN IT bill does not explicitly outlaw encryption. Instead, it says that tech companies must apply "best practices" to scan data before it is uploaded. If they don't apply these "best practices", they can be sued into bankruptcy.
While having to follow "best practices" sounds rather harmless at first sight, the anti-encryption goal quickly becomes obvious. Cryptography experts like Bruce Schneier and Matthew Green publicly warn that the EARN IT bill will do more harm than good.
The biggest fear: As the "best practices" list will be defined by a government commission, encryption might soon be outlawed. It is publicly known that proponents' main goal is to ban encryption and enable law enforcement access to any online conversation.
When EARN IT was first introduced in 2020, there was immense public opposition to the draft law:
"This terrible legislation is a Trojan horse to give Attorney General Barr and [President] Donald Trump the power to control online speech and require government access to every aspect of Americans' lives," Sen. Ron Wyden (D-Ore.) said.
"While Section 230 does nothing to stop the federal government from prosecuting crimes, these senators claim that making it easier to sue websites is somehow going to stop pedophiles. This bill is a transparent and deeply cynical effort by a few well-connected corporations and the Trump administration to use child sexual abuse to their political advantage, the impact to free speech and the security and privacy of every single American be damned."
In the end, EARN IT is very similar to any other anti-encryption bill: It pretends to solve problems of online criminality (child abuse) by stopping citizens from protecting their online communication with encryption.
The threat here is a destruction of freedom of speech and democracy itself.
The Electronic Frontier Foundation says: "You can’t have an Internet where messages are screened en masse, and also have end-to-end encryption any more than you can create encryption backdoors that can only be used by the good guys. The two are mutually exclusive. Concepts like 'client-side scanning' aren't a clever route around this; such scanning is just another way to break end-to-end encryption. Either the message remains private to everyone but its recipients, or it’s available to others."
The truth is that most people and businesses today face significant challenges when it comes to safeguarding their online presence against a myriad of threats. Whether it's personal information breaches, cyberattacks, or unauthorized access to sensitive data, the digital landscape is rife with potential hazards. A fundamental step towards securing your data is opting for end-to-end encrypted email when you create an email account, as well as when choosing other tools like cloud storage, calendars, instant messaging and business productivity tools, because there are multiple entry points for cyber threats.
Cryptography expert Matthew Green says: "There are a handful of promising technologies that could solve this problem. End-to-end encryption happens to be one of those. It is, in fact, the single most promising technology that we have to prevent hacking, loss of data, and all of the harm that can befall vulnerable people because of it."
What we need now is more innovation online to improve security for everyone. Yet EARN IT would kill innovation: Why would any tech company invest in improving their users' security if they knew that in the end their innovation would not make it onto the "best practices" list, leaving it unused?
That's why cryptography experts like Bruce Schneier and Matthew Green as well as Fight for the Future call on everyone to sign the petition against the EARN IT bill.
At Tutanota, we aim at stopping mass surveillance with encryption. We reject any legal approach to destroy encryption as it ultimately would destroy freedom of speech and, in consequence, our democracy.
To make sure Tutanota stays true to its promise of encrypting all data end to end, all Tutanota clients are published as open source.
Re: Opposition to the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2023 (EARN IT Act)
Dear Chairman Durbin, Ranking Member Graham, and members of the Committee:
The undersigned organizations write to express our strong opposition to the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2023 (EARN IT, S.TK). We support curbing the scourge of child exploitation online. However, EARN IT will instead make it harder for law enforcement to protect children. It will also result in online censorship that will disproportionately impact marginalized communities. In addition, EARN IT will jeopardize access to encrypted services, undermining a critical foundation of security, confidentiality, and safety on the internet. Dozens of organizations and experts have repeatedly warned this committee of these risks when this bill has been previously considered, and those same risks remain. We urge you to oppose this bill.
Section 230 of the Communications Act of 1934 (as amended, 47 U.S.C. § 230) generally shields online intermediaries from liability for the content users convey on their services. Section 230’s liability shield applies to smaller and start-up companies that are interactive computer service providers, not just a handful of large companies like Google and Meta. In addition, it protects both consumer-facing intermediaries like social media companies and infrastructure intermediaries that are crucial to running the internet and are not aware of the content that flows through their systems. Since its enactment, Section 230 has fueled innovation online, allowing millions of U.S.-based internet intermediaries to emerge over the last few decades. Section 230 also helps to promote free expression online, which is further supported by the use of strong end-to-end encryption.
Section 230 has never been a bar to federal criminal prosecution of intermediaries, and current federal law imposes criminal liability on intermediaries who have knowledge that they are distributing child sexual abuse material (CSAM). Current law also requires intermediaries to report these images, resulting in millions of reports to the National Center for Missing and Exploited Children every year. EARN IT would vastly expand the liability risk of hosting or facilitating user-generated content by permitting states to impose criminal liability when intermediaries are “reckless” or “negligent” in keeping CSAM off their platforms; EARN IT also exposes them to civil liability under state laws with similar requirements with respect to the provider’s mental state but subject to much lower standards of proof. These changes will threaten our ability to speak freely and securely online, and threaten the very prosecutions the bill seeks to enable.
EARN IT would repeal intermediaries’ Section 230 liability shield for any state criminal and civil law prohibiting the “distribution” or “presentation” of CSAM. EARN IT requires no specific or minimum mens rea for state laws, which means states will be free to impose any liability standard they please on platforms, including holding platforms liable for CSAM they did not actually know was present on their services. Nothing in the bill would prevent a state from passing a law in the future holding a provider criminally responsible under a “reckless” or “negligence” standard. At least one state, Florida, already imposes a lower standard for liability on CSAM distribution than the federal standard, allowing liability for distributors that did not have actual knowledge that they were transmitting CSAM.
By opening providers up to significantly expanded liability, the bill would make it far riskier for platforms to host user-generated content. Some states may conclude that an intermediary acted recklessly or negligently, for example, if it knows that its service has been used to convey CSAM in the past and it fails to proactively filter content. Such a standard would threaten free expression for online services that host user-generated content directly, because it would almost certainly cause them to remove constitutionally protected speech that is not CSAM. It would be particularly problematic for internet infrastructure intermediaries like content delivery networks and internet service providers, which are not designed nor meant to assess the content of the traffic they are carrying or helping to transport.
Facing potential liability under dozens of laws regulating conduct at different standards, some intermediaries may choose to simply forgo hosting user content. Others will try to mitigate the legal risks inherent in the massive expansion of liability under state law enabled by EARN IT by engaging in overbroad censorship of online speech. These providers will remove any content that they suspect could be CSAM or even simply all sexually explicit content, sweeping up large amounts of content that are not CSAM and are constitutionally-protected speech. These wide ranging removals of online speech will negatively impact diverse communities in particular, including LGBTQ people, whose posts are disproportionately labeled erroneously as sexually explicit. As a result, LGBTQ people will be less free to express themselves online and less able to use the internet to find community or to organize against anti-LGBTQ legislation and sentiments. Overbroad removals of online speech will also especially impact content carried on platforms ranging from social media apps to video game websites designed for minors and young adults.
Past experience demonstrates that these risks to online free expression are not hypothetical. The only time that Congress has limited Section 230 protections so far was in the Allow States and Victims to Fight Online Sex Trafficking Act of 2017 (SESTA/FOSTA). That law purported to protect victims of sex trafficking by eliminating providers’ Section 230 liability shield for “facilitating” sex trafficking by users. According to a 2021 study by the US Government Accountability Office, however, the law has been rarely used to combat sex trafficking. Instead, it has forced sex workers—whether voluntarily engaging in sex work or forced into sex trafficking against their will—offline and into harm’s way. It has also chilled their online expression, including through platforms’ overbroad removals of speech sharing health and safety information and speech wholly unrelated to sex work. Moreover, these burdens have fallen most heavily on smaller platforms that either served as allies and created spaces for the LGBTQ and sex worker communities or simply could not withstand the legal risks and compliance costs of SESTA/FOSTA. Congress risks repeating this mistake by rushing to pass this misguided legislation, which also limits Section 230 protections.
End-to-end encryption ensures the privacy and security of sensitive communications by making certain that only the sender and receiver can view them. It does this by ensuring that the keys used to encrypt and decrypt data are known only to the sender and the authorized recipients of the data. Billions of people worldwide rely on encryption to secure their daily activities online, from web browsing to online banking to communicating with friends and family.
Everyone who communicates with others on the internet should be able to do so privately. However, this security is especially relied upon by journalists, Congress, the military, domestic violence survivors, union organizers, immigrants, and anyone who seeks to keep their communications secure from malicious hackers. Since the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, encryption has become even more important for healthcare workers and pregnant people, who are increasingly at risk of prosecution under state laws that criminalize abortion or sharing information about reproductive healthcare. Police in states where abortion is illegal have already used unencrypted digital evidence for prosecutions. Experts routinely recommend that people seeking abortions use encrypted services, and some women’s healthcare providers say they rely heavily on encrypted forms of communication.
EARN IT puts Americans, U.S. businesses, and everyone around the world at great risk of harm online by strongly disincentivizing providers from providing strong encryption. It does so in two main ways.
First, EARN IT would permit states to seek to impose criminal or civil liability on intermediaries who offer encryption, by arguing that the use of encryption is evidence under state law that a service acted recklessly or negligently in failing to identify CSAM. In the face of the risk of civil and criminal liability, many services will decide not to offer encrypted services.
Although Section 5(7)(A) purports to protect the ability of intermediaries to offer encryption, it actually does the opposite. Section 5(7)(A) of EARN IT states merely that provision of encrypted services shall not “serve as an independent basis for liability of a provider” under the expanded set of state criminal and civil laws for which providers would face liability under EARN IT. (Emphasis added). At the same time, Section 5(7)(B) specifies that courts will remain able to consider information about whether and how an intermediary employs end-to-end encryption as evidence in cases brought under EARN IT. Together, these provisions explicitly allow courts to consider the offering of end-to-end encrypted services as evidence of an intermediary’s guilt of crimes related to CSAM. While prosecutors and plaintiffs could not claim that providing encryption, alone, was enough to prove a violation of state CSAM laws, they would be able to point to the use of encryption as evidence in support of claims that providers were acting recklessly or negligently.
This risk that encryption could be used as evidence against them in state proceedings will discourage intermediaries from offering it. Small “mom and pop” intermediaries that could be bankrupted by a single lawsuit will be especially deterred from offering encryption. For all intermediaries, the mere threat that use of encryption could be used as evidence against an intermediary in a civil suit or criminal prosecution will serve as a strong disincentive to deploying encrypted services in the first place.
Second, EARN IT sets up a law enforcement-heavy and Attorney General-led Commission charged with producing a list of voluntary “best practices” that providers should adopt to address CSAM on their services. Given the oft-stated opposition of federal officials to encryption, the Commission could well recommend against offering end-to-end encryption and recommend providers adopt techniques that ultimately weaken their product’s cybersecurity. While these “best practices” would be voluntary, they could cause reputational harm to providers if they choose not to comply. Refusal to comply could also be considered as evidence in support of a provider’s liability, and inform how judges evaluate cases against providers. States may even amend their laws to mandate the adoption of these supposed best practices. The lack of clarity and fear of liability, in addition to potential public shaming, will likely disincentivize many companies from offering strong encryption, at a time when we should be encouraging the opposite.
Finally, the EARN IT Act risks undermining child abuse prosecutions by transforming providers into agents of the government for purposes of the Fourth Amendment. If a state law has the effect of compelling providers to monitor or filter their users’ content so it can be turned over to the government for criminal prosecution, the provider becomes an agent of the government and any CSAM it finds could become the fruit of an unconstitutional warrantless search. In that case, the CSAM would properly be suppressed as evidence in a prosecution and the purveyor of it could go free. At least two state laws—those of Illinois and South Carolina—would have that effect.
The EARN IT Act would have devastating consequences for everyone’s ability to share and access information online, and to do so in a secure manner. We urge you to oppose this bill. Congress should instead consider more tailored approaches to deal with the real harms of CSAM online, and it should commit to conducting a full, independent internet impact assessment to identify potential harms likely to result from any internet-related legislation, such as harms to users’ freedom of expression and privacy, before the legislation is voted upon.
(S.T.O.P.) - The Surveillance Technology
Advocacy for Principled Action in Government
American Civil Liberties Union
American Library Association
Arkansas Black Gay Men's Forum
Association of Research Libraries (ARL)
Blogger On Pole
Center for Democracy & Technology
Centre for Multilateral Affairs (CfMA), Uganda
Charity for People Powered Democracy
Collaboration on International ICT Policy for East & Southern Africa (CIPESA)
Defending Rights & Dissent
Electronic Frontier Foundation (EFF)
Fight for the Future
Free Speech Coalition
Georgia Tech Internet Governance Project
Government Information Watch
Human Rights Campaign
Indivisible Bainbridge Island
Indivisible Plus Washington
Indivisible Washington's 8th District
Internet Safety Labs
Massachusetts Transgender Political Coalition
National Coalition Against Censorship
New America's Open Technology Institute
North Kitsap Indivisible
Organization for Identity & Cultural
Privacy & Access Council of Canada
Ranking Digital Rights
Restore The Fourth
Sex Workers Project of the Urban Justice Center
Snohomish County Indivisible
Tech for Good Asia
The Tor Project
UM-Dearborn Muslim Students Association
University of Bosaso
Woodhull Freedom Foundation