Senate Bill 3398, otherwise known as the “EARN IT Act” is a bill that could do more harm than good it claims it will do.

Lindsey Graham and Richard Blumenthal, U.S. senators on the Senate Judiciary Committee, introduced a piece of legislation on March 5 called The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (the EARN IT Act), which would amend Section 230 of the Communications Decency Act of 1996. Section 230 largely protects online service providers from liability for the actions of their users. That immunity blocks most civil lawsuits and criminal charges under state law, with the exception of sex trafficking since 2018, but does not bar enforcement of federal criminal law.

The EARN IT Act would limit online service providers’ Section 230 immunity from liability for child sexual exploitation on their services. According to the Act, the only guaranteed way to retain immunity would be for the provider to certify that it complies with a set of “best practices” for fighting online child sexual exploitation. Those best practices are not listed in the bill and if the bill is passed, the best practices could be any number of things that online service providers would then be required to follow if they wanted Section 230 immunity. 

The idea behind the bill is that tech companies are turning a blind eye to child sexual exploitation on their platforms and the best way to incentivize them to do more is to threaten their Section 230 immunity. This rationale is dubious. Child sex abuse material is already illegal under federal law and providers are federally required to report it. Since Section 230 does not bar federal criminal law enforcement, the Department of Justice is already free to go after providers if they’re falling short of their obligations.

The most worrying part is that the best practices would be developed behind closed doors by an unelected, unaccountable 19-member commission headed by the attorney general who would have the authority to approve or reject them. 

The bill says the commission should include the attorney general, the heads of the Department of Homeland Security (DHS) and the Federal Trade Commission (FTC), two members with “current experience in matters related to constitutional law, consumer protection, or privacy,” and two members with expertise in “computer science or software engineering related to matters of cryptography, data security, or artificial intelligence in a nongovernmental capacity.” The bill says the commission should also include four members who have “experience in providing victims services for victims of child exploitation” or who are survivors of online child sexual exploitation.”

The commission will be charged with developing practices on how to combat child sexual exploitation online, with only 14 votes needed to adopt a best practice. The attorney general, along with the heads of DHS and FTC, will approve each best practice. The practices can consist of such things as scanning media content for abusive images or monitoring communications between suspected child abusers and potential victims.

The EARN IT Act doesn’t specifically bar encryption, a goal unsuccessfully pursued by U.S. law enforcement since the Clinton administration and now sought in earnest by U.S. Attorney General William Barr. Yet, many public interest organizations and security experts have come out and condemned the bill because it’s a hidden means to ban end-to-end encryption.

“The EARN It Act threatens the safety of activists, domestic violence victims and millions of others who rely on strong encryption every day,” said American Civil Liberties Union Senior Legislative Counsel Kate Ruane. “Because of the safety and security encryption provides, Congress has repeatedly rejected legislation that would create an encryption backdoor. This legislation would empower an unelected commission to effectively mandate what Congress has time and again decided against, while also jeopardizing free expression on the internet in the process. This bill is not the solution to the real and serious harms it claims to address.”

“The EARN IT Act provides no guarantee that these so-called backdoors won’t be exploited by bad actors to gain access to our most personal information,” said Americans for Prosperity Senior Policy Analyst Billy Easley. “Make no mistake: a backdoor for law enforcement is a front door for criminals. It is not possible to separate the two. Every American has a stake in seeing this legislation fail because we all rely on encryption to protect our conversations, our finances and our internet-connected devices. We urge Congress to soundly reject this bill.”

“It’s a mistake to frame the debate about whether to ban strong end-to-end encryption in terms of privacy versus safety because our online and physical world lives are deeply entwined,”  said Hannah Quay-de la Vallee, the Center for Democracy and Technology’s Senior Technologist. “For many people, particularly the most vulnerable and at-risk among us like domestic abuse victims and the LGBT community, maintaining privacy and security online is absolutely critical to maintaining physical safety.”

The EARN IT Act calls for Congress and the administration to establish a commission to determine best practices for tech companies to prevent online exploitation of children and would condition important liability protections on certifying compliance with the best practices, effectively making them a requirement. It is almost certain these best practices will include measurements to weaken encryption. The irony is by creating a backdoor in encrypted services, it would be easier for bad actors to break into personal cameras, creating a scenario where innocent people and children can be exploited.

Strong encryption is more vital now than ever before, especially since many people are working from home due to COVID-19. That goes for Congress too. Yet the EARN IT Act’s sponsors are opening the door to banning strong encryption and dissuading tech companies from making cybersecurity improvements under the guise of promoting child safety. 

While crimes against children are horrific, it won’t make them safer if tech companies are required to drill a “backdoor” in their encryption so that law enforcement can access everyone’s communications. Those who exploit children will simply abandon those mainstream services and move their activities onto the dark web, where they’re far harder to track down.

Meanwhile, innocent people would be more at risk if we continued to use online services that weakened their encryption to comply with EARN IT “best” practices. The biggest problem with encryption backdoors is that it is not possible to build one for the “good guys” that can’t also be found and exploited by the “bad guys.” A backdoor “takes care of the hard work” for attackers seeking to breach encrypted systems. If the U.S. government gets a backdoor into Americans’ private information, so do other countries. So does organized crime. So do sophisticated hacking groups.