What is the EARN IT Act?
A bipartisan bill called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act is making the rounds on Capitol Hill.
This bill is designed to combat online child sexual exploitation by creating a 19-member commission. Three seats go to agency heads: the U.S. Attorney General, the Secretary of Homeland Security and the Chairperson of the Federal Trade Commission. The remaining 16 members must meet varying qualifications, such as law enforcement, prosecutorial, constitutional law or computer science experience, and at least 4 of them must be survivors of online child sexual exploitation or have provided services to such victims in a non-governmental capacity.
The duty of this commission is to provide “best practices” to providers of interactive computer services to prevent, reduce and respond to the online exploitation of children, including enticing, grooming, sex trafficking and sexual abuse of children and the proliferation of child sexual abuse material (CSAM). Each best practice needs 14 votes to be adopted. These practices could include scanning images for illegal content or monitoring possibly illegal communications.
Communications Decency Act of 1996
Right now these providers are protected by Section 230 of the Communications Decency Act of 1996. The section shields providers from legal action for what their users do on their platforms. The law exists to keep these companies from being sued out of business, or from never starting at all for fear of incurring damages from their users’ actions. The EARN IT Act plans to change Section 230: instead of a company being exempt from liability for its users’ actions, it would have to “earn” that exemption by adhering to the best practices adopted by the commission.
A backdoor to get a backdoor in encryption or worse
There are two trains of thought right now on how this would end encryption or severely cripple it.
The first is that the commission will outright adopt best practices requiring these companies to build a backdoor into their encryption, so that law enforcement can perform a man-in-the-middle (MITM) attack on an encrypted communication stream over the internet.
Most companies do not invent their own encryption. They use industry-standard protocols created by consortia and other organizations, where the source code or implementation is open for everyone to see, so adopters know the cryptography is sound. Furthermore, when a security researcher finds a vulnerability in the wild, everyone is alerted so a patch can be made and updates pushed to their systems, as happened with the Heartbleed vulnerability found in OpenSSL.
This would mean that all companies would have to roll their own encryption protocols, or adopt a secret protocol accessible only to the providers and the government, in order to satisfy the best practices. Creating any new technology always opens the door to new bugs and vulnerabilities. This is why most companies adopt tried-and-true open-source cryptographic protocols: everyone is working on and looking at the same protocol, and more eyes means better code and better odds of catching new vulnerabilities.
The second train of thought is that these providers simply get rid of encryption themselves, either because without doing so they could not meet the best practices needed to attain the Section 230 exemption, or because they offer to open their services up unencrypted for the government to see in exchange for leniency on the legal liability for their users: a “we have nothing to hide but can’t stop CSAM proliferation, so you do it” excuse.
How does the potential to cripple or ban encryption outright hurt children?
Since this is a bill to protect children, we’ll bypass the privacy issues for adult individuals and corporations in this article and stick with the children. If this bill, or one like it, is passed in the future, it will eventually lead to the proliferation of what it attempts to stop.
Mandated backdoors in encryption protocols introduce a whole myriad of issues. For one, they could mean a new generation of untested encryption protocols, created by these providers and submitted to the government so it can have access. That is a broad range of attack vectors for attackers to exploit to gain access to children’s communications over the internet. The same holds if a consortium creates one secret protocol that only these service providers and the government have access to: again, fewer eyes means more potential for bugs to be missed and go unpatched.
But a self-ban on encryption in these providers’ services is the worst-case scenario for all of us, let alone children. It would mean that every type of communication over the internet is susceptible to a MITM attack. Anyone with a tap between the child’s communication and its destination means game over. Every word written and sent, every photo taken or uploaded, every password entered, every piece of personally identifiable information such as name, address, etc. that crosses the wire is now available to the attacker. Keep in mind that the average age at which a child receives a phone is 10 years old.
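To make the two risks above concrete, here is an added example (not code from the original article) that models what an on-path observer with a tap on the link can recover under the three designs discussed: plaintext, end-to-end encryption, and encryption with a mandated escrow (“backdoor”) key. The cipher is a constructed toy built from SHAKE-256 and HMAC-SHA256 so the script runs with the Python standard library alone; the function names, the escrow scheme and the sample message are all assumptions made for this illustration, not any real provider’s protocol.

```python
# Added example, not code from the original article: a small model of what an
# on-path observer (someone with a "tap" on the link) can recover under the
# three designs the article contrasts. The cipher is a constructed toy
# (SHAKE-256 keystream + HMAC-SHA256 tag) chosen only so the script needs
# nothing beyond the standard library; it is not a protocol to deploy.
import hashlib
import hmac
import os
from typing import Dict, List, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(length)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_box(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong or the data was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def send_plaintext(message: bytes) -> Dict:
    """The "self-ban" case: no encryption at all."""
    return {"design": "plaintext", "body": message}


def send_e2e(message: bytes, recipient_key: bytes) -> Dict:
    """End-to-end: only the recipient's key opens the message."""
    return {"design": "e2e", "body": seal(recipient_key, message)}


def send_escrowed(message: bytes, recipient_key: bytes, escrow_key: bytes) -> Dict:
    """Backdoor design (assumed shape): a fresh message key is wrapped for the
    recipient AND for the escrow holder, so the escrow key opens every message."""
    msg_key = os.urandom(32)
    return {
        "design": "escrow",
        "body": seal(msg_key, message),
        "wrapped_keys": [seal(recipient_key, msg_key), seal(escrow_key, msg_key)],
    }


def observer_recovers(wire: Dict, observer_keys: List[bytes]) -> Optional[bytes]:
    """What someone holding `observer_keys` and a tap on the link can read."""
    if wire["design"] == "plaintext":
        return wire["body"]  # the tap alone is enough; no key needed
    if wire["design"] == "e2e":
        for key in observer_keys:
            pt = open_box(key, wire["body"])
            if pt is not None:
                return pt
        return None
    for key in observer_keys:  # escrow: any key that unwraps the message key suffices
        for wrapped in wire["wrapped_keys"]:
            msg_key = open_box(key, wrapped)
            if msg_key is not None:
                return open_box(msg_key, wire["body"])
    return None


def unlocking_keys(wire: Dict, candidate_keys: List[bytes]) -> int:
    """How many of the candidate keys individually unlock this message."""
    return sum(1 for k in candidate_keys if observer_recovers(wire, [k]) is not None)


def exposed_by_escrow_compromise(messages: List[bytes], recipient_keys: List[bytes],
                                 escrow_key: bytes) -> int:
    """Past messages to different recipients that become readable once the one escrow key leaks."""
    wires = [send_escrowed(m, rk, escrow_key) for m, rk in zip(messages, recipient_keys)]
    return sum(1 for w in wires if observer_recovers(w, [escrow_key]) is not None)


if __name__ == "__main__":
    # Constructed sample values, not real keys or credentials.
    recipient, escrow, bystander = os.urandom(32), os.urandom(32), os.urandom(32)
    msg = b"user=alice&password=hunter2"
    print("plaintext, tap only :", observer_recovers(send_plaintext(msg), []))
    print("e2e, wrong key      :", observer_recovers(send_e2e(msg, recipient), [bystander]))
    print("escrow, escrow key  :", observer_recovers(send_escrowed(msg, recipient, escrow), [escrow]))
    print("keys that unlock e2e vs escrow:",
          unlocking_keys(send_e2e(msg, recipient), [recipient, escrow, bystander]),
          unlocking_keys(send_escrowed(msg, recipient, escrow), [recipient, escrow, bystander]))
```

The point the model makes is about who holds a key, not about the cipher: with plaintext the tap alone reads the password; with end-to-end encryption exactly one key unlocks each message; with escrow the number of unlocking keys doubles and a single leaked escrow key exposes every message ever sent under that design, to every recipient, which is the “less eyes, more attack surface” argument made above.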
There is no question that this bill seeks to fight the worthy cause of ridding the internet of child exploitation, something everyone can get behind. But in the end, it has the potential to open up even more ways to exploit children. Encryption is made to keep people safe, and it saves more people than it conceals illegal activity.