EARN IT and LAEDA: How Private Is Too Private?
by Patrick McCullough | published Feb. 26th, 2021
Two laws working their way through Congress have the potential to radically change the way the internet works. Both are aimed at cracking down on illegal activities that take place over the internet, with a special focus on criminals who victimize children.
However, privacy advocates fear that these laws may go too far and could expose everyday users to malicious actors.
Section 230 refers to Section 230 of Title 47 of the United States Code, which was passed as a part of the Communications Decency Act of 1996.
It states that providers of interactive computer services, like websites or social media forums, are not treated as the publisher of any information posted to their service by any of their users.
“Under Section 230, if you said something online, say on Reddit, you would be held responsible for saying that, and Reddit would not,” Hancock explained.
This frees companies from legal liability when one of their users posts illegal material to their platform. A website like Twitter or Reddit is responsible for removing illegal content posted to their site, but only when it is brought to their attention.
The Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of 2020 is a bipartisan bill sponsored by
The commission would be in charge of crafting a set of “best practices” for internet companies to follow and would aim to crack down on child sexual abuse material online. In its earliest iteration, the EARN IT Act planned to enforce these practices by revoking Section 230 protections for service providers who violated their rules.
An amendment to the bill made these practices voluntary, and removed the ability of the commission to revoke Section 230 protections for companies that failed to comply with their guidelines. In its place, the new draft gave states the power to ignore Section 230 protections when enforcing their own laws regarding child sexual abuse material.
This could cause trouble for websites, which don’t always have the means to inspect every piece of information posted by their users.
“[The platforms] don’t want to be held responsible for thousands to millions of users and what they might say online. That’s a lot of lawsuits, and that’s a lot of potential charges,” Hancock stated.
"[The platforms] don't want to be held responsible for thousands to millions of users and what they might say online. That’s a lot of lawsuits, and that’s a lot of potential charges."
Critics like Rita Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, argued that the EARN IT Act could be used to target companies that provide encrypted messaging services, since the head of the commission would be Attorney General William Barr, an outspoken opponent of encryption technology.
End-to-end encryption allows users to send messages to each other in a way only the communicating users can read. The secret messages cannot be decoded by eavesdroppers, including hackers, internet service providers or even the provider of the communication service, because only the two users have the key needed to decipher the message.
Dr. Michael Kurdziel is a cryptography professor at RIT and an information security specialist in the field of tactical military radio communications.
“End-to-end encryption means that data is encrypted at the source, and is only available at the destination,” Kurdziel explained.
The fear is that a commission headed by the attorney general, who considers this form of encryption to be a threat to national security, could use the authority provided by the EARN IT Act to penalize companies that provide their users with these secure communication schemes.
Sen. Patrick Leahy (D-Vermont) introduced an amendment to the EARN IT Act specifically to protect encryption to help ease these fears. According to Senator Graham, the sponsor who introduced the act, EARN IT is not a backdoor encryption bill. While that may be true, he has proposed another bill which is exactly that.
The Lawful Access to Encrypted Data Act (LAEDA) was introduced to the Senate the same month EARN IT had its restrictions on encryption stripped out.
This law would compel tech companies to build “lawful access” mechanisms into their products, which would allow law enforcement agencies access to any information stored on that device.
For years, people have debated over the responsibility tech companies have to aid law enforcement versus their commitment to user privacy. As it stands, tech companies may not be able to share information about illegal activity on their services because they themselves do not have access to it.
End-to-end encryption is also sometimes referred to as warrant-proof encryption.
According to Kurdziel, “If a warrant is served on an internet service provider, they have no ability to compromise the security for whatever purpose.”
“If a warrant is served on an internet service provider, they have no ability to compromise the security for whatever purpose.”
This lack of access can be a serious problem for investigators according to James H. Moore, the senior forensic security investigator at RIT.
“The criminal justice system worked pretty effectively for a lot of years. There were limits to how far you could go to hide something, and you always had to go back to retrieve it,” Moore explained.
“Now with encryption, if you don’t have the key, you’re at a dead end,” he elaborated.
The extent to which criminals can leverage technology will always be weighed against the harm that restrictions on that same technology could do to the public.
In this country, we have the right to freedom, and we have the right to privacy As it stands, encryption allows people the privacy to communicate without fear of being monitored, or having their personal information compromised.
However, there will always be people who use that privacy to compromise another person’s freedom. Where we decide to draw the line between the two is anything but clear.