We are in a decades-old battle between government surveillance and individual privacy. The Crypto Wars of the 90s are back with a vengeance as Congress wields the EARN IT Act in its attack on the oft-misunderstood Section 230.
47 U.S.C. § 230 provides a relatively simple and logical safe harbor; however, it is frequently twisted in statements by politicians and in news articles to be something that it is not — a shield for Facebook and other evil social media services to hide behind as they publish their illegal content, conspire to misinform, and defame innocent citizens.
Section 230(c)(1) states:
No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.
This single sentence provides for so much unfettered innovation and social interaction on the internet in the past 20+ years, as well as promises for unforeseen innovation in the future. Without this safe harbor, it’s hard to see how the internet works going forward. As you can glean from the title of his book, Cybersecurity Law Professor Jeff Kosseff of the U.S. Naval Academy buttresses the importance of Section 230’s safe harbor in The Twenty-Six Words That Created the Internet.
Section 230 lets people talk freely on Facebook and Twitter, upload videos to YouTube and Vimeo, and post comments on personal and commercial blogs and websites. These are the ways we connect on new and innovative online services. It helped make the world smaller. Users of these services can post content to them and, if that content is somehow actionable in a civil claim, the service is not held liable solely because the content appeared on it.
The application of Section 230’s safe harbor is a logical application of traditional distributor and publisher roles — yet it allows for online services to engage in content moderation without assuming liability for users’ content. See 47 U.S.C. § 230(c)(2).
You create a service that you open for users to make accounts and post stories, pictures, or videos. You run the service and add features, run some ads, and make a profit. You moderate the user-generated content. You try to respect people’s differing views and keep a light hand on moderation (although not required) but you take down content that violates your own community guidelines. (Or maybe you don’t moderate at all… because you don’t have to.**) It’s a fairly logical conclusion to expect the service shouldn’t be responsible for everything that users say on your service. And that’s what the Section 230 safe harbor is supposed to do.
**There are narrow exceptions to Section 230’s protections (e.g., federal criminal law, intellectual property, etc.). See 47 U.S.C. § 230(e).
What Section 230 doesn’t do, however, is to provide a safe harbor for a first-party to post content without consequence. Facebook, Google, The New York Times, my blog, and your website are all directly responsible for the content that they create. However, this simple, yet crucial, distinction seems quite near impossible for many policymakers and news outlets to comprehend.
In an interview with The New York Times earlier this year, presidential candidate Joe Biden epitomized the misconceptions of Section 230, “[The Times] can’t write something you know to be false and be exempt from being sued. But [Mark Zuckerberg] can. The idea that it’s a tech company is that Section 230 should be revoked, immediately should be revoked, number one.”
The distinction that Facebook is not creating the content that appears on its site is somehow too complex for Section 230 critics to grasp.
This misstatement of fact and law is repeated over and over by politicians and news outlets on a regular basis from both the right and left. Depending on which action the social media service of choice has taken, both Democrats and Republicans overstate the function of Section 230 to include a fundamental misunderstanding of how the internet and the Section 230 safe harbor work. Of course, watching members of Congress question Mark Zuckerburg about Facebook’s privacy practices makes it easier to see just how out of touch that decision-makers can be when it comes to technology.
But what does Section 230 have to do with encryption?
Absolutely nothing.
While Section 230 is rooted in limiting liability for the acts of third parties in publicly published content, the backdoor to encryption the government seeks is all about accessing private communications. EARN IT is just the carrot to lead tech companies to the backdoor.
The pruning of Section 230 and erosion of encryption is a middle-of-the-road issue for politicians. The EARN IT Act is bipartisan legislation — just as restrictions on encryption from the 70s, 80s, and 90s were bipartisan. The EARN IT Act was written by Republican Senator Lindsey Graham and Democrat Senator Richard Blumenthal.
While their stated purpose behind the bill is “to encourage the tech industry to take online child sexual exploitation seriously,” one only has to look at the stakeholders’ records and the short history of the public availability of encryption technology in the US to see that this is another play for power to keep private individuals from having privacy.
A Brief History of the Crypto Wars
If Congress succeeds in passing the EARN IT Act, it may indirectly achieve the goal of keeping end-to-end encryption out of the hands of the average person — a goal it has sought since the 1970s as its regulation of encryption technology under the Arms Export Control Act began to slip from its grasp.
Prior to the revolutionary discovery of public-key infrastructure by Whitfield Diffie in 1976, along with developments culminating in the Diffie-Hellman key exchange and RSA algorithm, encryption was essentially a state secret. Yes, the very thing that we use to safeguard our private communications and valuable data today was too dangerous for Americans to have just a few short years ago. The practice and academic subject matter were closely guarded and monitored by the NSA.
Even after the Diffie-Hellman and RSA revelations were made known to the world, it wasn’t taken seriously by corporate America, let alone private citizens. Researchers and corporate frontrunners who dared to experiment with encryption were harassed under the guise of weapon export regulations in order to keep them quiet or to limit the strength of their encryption so that the NSA could still crack it and, therefore, monitor ostensibly private communications around the world.
The United States’ effort to limit encryption, particularly transborder encryption, was quite successful through the early-90s. For decades it was illegal to export encryption algorithms outside the US borders. Doing so could result in a federal criminal charge for exporting illegal arms. But then, the internet’s promise began to emerge.
As the federal grasp on encryption began to crack in the 1990s, the government conspired with AT&T to push to market an encrypted cell phone with a backdoor that was only accessible by the government. The NSA created a “Clipper Chip” that would attach to AT&T’s phones, provide encryption for the calls on the device, and provide the government with a backdoor to the encryption so it could listen in. To gain access, the government had to obtain a search warrant for a wiretap. Then, the government would use an “escrowed” encryption key to access the encrypted phone line. The Clipper Chip project was a commercial failure after much public policy and technical criticism.
Coincidentally, US Representatives Chris Cox and Ron Wyden were advocating for what would eventually become the Section 230 safe harbor at the same time (in 1995) as the intelligence community was losing hold of its encryption monopoly.
The direct approach to limit encryption used by American citizens ultimately lost its steam when courts held it unconstitutional in several different legal challenges. When the federal government was challenged in its attempts to limit the export of books containing encryption algorithms, US courts held that encryption code is a free speech matter and the government’s restriction was unlawful. Other challenges in teaching college courses to non-American students failed in a similar fashion. There are situations in which encryption export is still limited today; however, those cases are more narrowly limited in circumstances involving export to specific countries and specific military technology or programs. Largely, Americans are now free to use end-to-end encryption to communicate in private.
Today, we know of so many practices that show us how weak our personal communications have become due to Edward Snowden’s revelations of bulk data collection practices under PRISM. Additionally, the DEA used administrative subpoenas for two decades to justify bulk data collection in the war on drugs. Our private data is further weakened by the plethora of data mining practices and the overwhelming number of data breaches that seem to push into the millions of records on a weekly basis. However, it finally seems like average Americans are starting to take note of government and corporate encroachment on privacy. Encryption is now, more than ever, the key to taking back our privacy.
But Everyone Hates Facebook
After having its hands smacked by US courts in the 90s and early 2000s, the federal government fully knows that it can’t directly regulate encryption. Public backlash and the First Amendment pushback would be too great to overcome.
If, however, the government can use Section 230 as a weapon to point at Facebook and other online services, it can all but mandate a backdoor into every communication service that Americans use. Else, Facebook and its ilk will be sued into oblivion for actions from which Section 230 would otherwise provide a shield.
The FOSTA-SESTA debacle fully demonstrates that companies will roll over and comply with whatever restrictions are necessary to keep their Section 230 safe harbor intact. In fact, as FOSTA-SESTA demonstrated, online services will go the extra mile by restricting additional, lawful speech to avoid even the possibility of losing their safe harbors or (if the risk of harm from the long reach of FOSTA-SESTA appears too great) they will simply shut down altogether.
Whether Facebook is the flavor of the day or another company has angered a politician or group of citizens, it’s easy to find a tech company to poke. And because nobody is bothered if Zucks and company have to eat a pile of crap, it’s easy for politicians to shove EARN IT down their throats while the rest of America cheers them on.
Facebook and its ilk have made plenty of mistakes and engaged in plenty of egregious anti-privacy and anti-competitive behavior. However, when they build the privacy backdoor at the behest of the government, they get to keep their Section 230 immunity, and American citizens have one more surveillance tool added to the law enforcement and intelligence communities’ arsenal.
You don’t have to beat them if you just make them join you.
The EARN IT Act is the next era of the Cyber Wars. The generation before us fought for the right to encryption tech by reinventing it in public during the 70s and 80s and then fighting for the right to freely use it in the 90s.
They won. We won.
Encryption technology is ours to freely use.
Unless Americans respond to the EARN IT Act with the same outrage that we did to AT&T’s Clipper Chip, we’re handing our right to privacy over to a government that spent years post-9/11 collecting bulk data from American citizens under the pretense of “national security.”
Today, the threat to encryption is rationalized by a more sympathetic plea to “think of the children.”
As Andre Mcgregor, a former FBI cyber agent points out, “The American public will never side with the terrorist or child molester [by] saying they have rights worthy of protection, and DOJ knows this.”
Attorney General Bill Barr is clear that encryption is a problem and he would most certainly conclude that a best practice under the EARN IT Act would be to restrict the use of encryption among Americans. In a press release last week, Barr lashed out at Apple over their use of encryption without a backdoor on the iPhone:
The bottom line: our national security cannot remain in the hands of big corporations who put dollars over lawful access and public safety. The time has come for a legislative solution.
In a fiery rebuke of Apple and Facebook, EARN IT Act sponsor Lindsey Graham told the companies, “You’re going to find a way to do this [encryption backdoor] or we’re going to do this for you.”
Persistent privacy advocate and Section 230 architect Senator Ron Wyden called the bluff on EARN IT, saying, “This terrible legislation is a Trojan horse to give Attorney General Barr and Donald Trump the power to control online speech and require government access to every aspect of Americans’ lives.”
While the bill supporters have bipartisan support, opponents of EARN IT are also making unusual alliances to condemn the legislation in a similar fashion that the Clipper Chip united Rush Limbaugh and the ACLU.
Now, the ACLU and the libertarian/conservative Americans for Prosperity released a joint statement in opposition to the EARN IT Act. Anytime the government proposes a law that puts the ACLU and the AFP on the same page, Americans should pay attention to what its legislature is trying to do.
The EARN IT Act is Clipper Chip 2.0
The latest attempt to backdoor encryption restrictions is a more subtle approach than what the NSA attempted in the 1990s. AT&T tried to market encryption to the masses, while intelligence and law enforcement communities pinky-promised to only peek inside if they had a warrant. EARN IT is much more subtle.
To be clear, the EARN IT Act doesn’t expressly call out encryption; however, given the players involved and their recent saber-rattling, the target of the Act is squarely aimed at American citizens’ use of end-to-end encryption.
The Act would establish a National Commission on Online Child Sexual Exploitation Prevention. This sounds like a laudable goal — a whole “National Commission” that aims to prevent online child sexual exploitation. Who wouldn’t support that?
And now the hook is in…
Just think of the children. Please! To fight against EARN IT is to attack the children.
Anything “for the children” is worth the cost — whatever it may be. Right?
This National Commission is going to protect children more than every other law that already criminalizes the online sexual exploitation of children. At least that’s what Senators Graham and Blumenthal would have us believe.
This commission is to be made up of 19 members, which include the Attorney General, the Secretary of Homeland Security, and the Chairman of the FTC (or their appointed representatives). Additionally, each of the Senate and House majority and minority leaders gets to appoint four members. So, that’s 16 members appointed by legislative leaders to go along with the three named members.
Once assembled, “the Commission shall develop and submit to the Attorney General recommended best practices that providers of interactive computer services may choose to engage in to prevent, reduce, and respond to the online sexual exploitation of children….”
These best practices will then be introduced as bills in the House and Senate. Once the best practices become law, tech companies will have to comply with the best practices or lose Section 230 immunity.
The well-founded fear is that a critical “best practice” is a backdoor to Americans’ data and communications. End-to-end encryption can’t be a best practice because the government can’t see inside.
Again, this is a bipartisan affair. Those 16 members appointed by the legislature will certainly be screened for their opinions on privacy and a willingness to do whatever it takes for the children. Then, their recommendations become a rubber stamp in Congress because there is no way a majority of Congress will vote against the children.
The Crypto Wars are a War for Privacy
If we’ve learned anything over the past 40 years, it’s that the Crypto Wars have really been the Privacy Wars. We have a government with interests that are often at odds with the interests of Americans’ privacy.
If Americans have more privacy, the government has less power. The government justifies its interests and attempts to align them with American sentiment (“but look at the terrorists” or “think of the children”). At times, this works, and Americans meet the government in the middle to surrender a little more privacy.
Prohibitions on the export of encryption technology make sense (when officials claim secret privileges, “if you only saw the classified things I see”) until the people want to protect their personal emails and corporate networks from prying eyes. And when the people ask for more encryption technology, the government gives them technology with backdoors — the Clipper Chip.
Nothing could be more patriotic than a PATRIOT ACT! Sign us up, and go America! Mission Accomplished! But then it leads to a bi-partisan slippery slope of mass surveillance on Americans instead of just the terrorists from whom we were supposed to be protected. The reach of the Patriot Act persists today. The Senate, in a bipartisan fashion with 10 Democrats joining the GOP, just rejected an amendment that would have limited the warrantless collection of browsing search history under the Patriot Act.
And now, think of the children! Of course, we want to protect the children. How could anyone oppose this? This new commission assembled by politicians who supported all the prior attacks on Americans’ privacy will now define industry best practices for private technology and communication companies. There’s no way that could go awry.
But seriously, what about the children?
It’s a problem. A very bad problem. One that the EARN IT Act won’t solve.
Senator Ron Wyden (because, of course, it’s Wyden) and Representative Anna G. Eshoo recently introduced the Invest in Child Safety Act that “would direct $5 billion in mandatory funding to investigate and target the pedophiles and abusers who create and share child sexual abuse material online.”
Despite clear congressional mandates, the Justice Department not only never requested additional funding to address this growing scourge, the agency’s current budget actually cuts more than $60 million from programs to prevent child exploitation and support victims. Instead, it has demanded backdoors in encryption, which would weaken security for every American, and make it easier for pedophiles and other predators to find and exploit children and other vulnerable populations.
This is the kind of legislation Americans should demand. It directly addresses the problem by putting the resources closest to the need. There is no need for a hand-picked bureaucratic committee with travel allowances, expense accounts, and a dubious charge to create “best practices.”
The tech community identifies an order of magnitude more leads for child sexual abuse material offenders than law enforcement can investigate. We need more boots on the ground to fix the problem. The Wyden/Eshoo Invest in Child Safety Act does that. The EARN IT Act does not.