Stanford CIS

House Introduces EARN IT Act Companion Bill, Somehow Manages to Make It Even Worse

By Riana Pfefferkorn

On September 30, Representatives Sylvia Garcia (D-TX) and Ann Wagner (R-MO) introduced the House version of the EARN IT Act (H.R.8454), which had previously been introduced in the Senate (S.3398) in March. This is the first significant movement on the bill since early July, when the Senate Judiciary Committee (SJC) unanimously passed a “manager’s amendment” version of EARN IT.

I’ve written extensively this year about the myriad problems plaguing the EARN IT Act. Even after several rounds of changes in the Senate, it’s still a terrible bill, one that threatens online speech, privacy, and cybersecurity without guaranteeing any actual improvements in child safety. Even an amendment offered by Senator Patrick Leahy (D-VT) that was supposed to protect encryption isn’t all it’s cracked up to be, as I explained here.

The version introduced in the House of Representatives is virtually identical to the version that passed out of the SJC. (Thanks to TechFreedom for comparing the documents, and for taking the lead pen on a coalition letter setting forth the bill’s ongoing problems.) The only material change: the House version makes Leahy’s encryption protections even weaker.

To recap, Leahy’s amendment attempts (albeit imperfectly) to foreclose tech providers from liability for online child sexual exploitation offenses “because the provider”: (1) uses strong encryption, (2) can’t decrypt data, or (3) doesn’t take an action that would weaken its encryption. It specifies that providers “shall not be deemed to be in violation of [federal law]” and “shall not otherwise be subject to any [state criminal charge] … or any [civil] claim” due to any of those three grounds. Again, I explained here why that’s not super robust language: for one thing, it would prompt litigation over whether potential liability is “because of” the provider’s use of encryption (if so, the case is barred) or “because of” some other reason (if so, no bar).

That’s a problem in the House version too (found at pp. 16-17), which waters Leahy’s language down to even weaker sauce. For one thing, it takes out Leahy’s section header, “Cybersecurity protections do not give rise to liability,” and changes it to the more anodyne “Encryption technologies.” True, section headers don’t actually have any legal force, but still, this makes it clear that the House bill does not intend to bar liability for using strong encryption, as Leahy’s version ostensibly was supposed to do. Instead, it merely says those three grounds shall not “serve as an independent basis for liability.” The House version also adds language not found in the Leahy amendment that expressly clarifies that courts can consider otherwise-admissible evidence of those three grounds.

What does this mean? It means that a provider’s encryption functionality can still be used to hold the provider liable for child sexual exploitation offenses that occur on the encrypted service – just not as a stand-alone claim. As an example, WhatsApp messages are end-to-end encrypted (E2EE), and WhatsApp lacks the information needed to decrypt them. Under the House EARN IT bill, those features could be used as evidence to support a court finding that WhatsApp was negligent or reckless in transmitting child sex abuse material (CSAM) on its service in violation of state law (both of which are a lower mens rea requirement than the “actual knowledge” standard under federal law). Plus, I also read this House language to mean that if WhatsApp got convicted in a criminal CSAM case, the court could potentially consider WhatsApp’s encryption when evaluating aggravating factors at sentencing (depending on the applicable sentencing laws or guidelines in the jurisdiction).

In short, so long as the criminal charge or civil claim against WhatsApp has some “independent basis” besides its encryption design (i.e., its use of E2EE, its inability to decrypt messages, and its choice not to backdoor its own encryption), that design is otherwise fair game to use against WhatsApp in the case. That was also a problem with the Leahy amendment, as noted above. The House version just makes it even clearer that EARN IT doesn’t really protect encryption at all. And, as with the Leahy amendment, the foreseeable result is that EARN IT will discourage encryption, not protect it. The specter of protracted litigation under federal law and/or potentially dozens of state CSAM laws with variable mens rea requirements could scare providers into changing, weakening, or removing their encryption in order to avoid liability. That, of course, would do a grave disservice to cybersecurity – which is probably just one more reason why the House version did away with the phrase “cybersecurity protections” in that section header.

The Senate version of EARN IT has not yet been scheduled for a vote by the full Senate, and that looks unlikely to happen during the remainder of the legislative session. That’s thanks in part to an anticipated hold by Senator Ron Wyden (D-OR), who’s been a vocal opponent of the bill. Coming this late in the session, then, the choice to introduce EARN IT in the House on September 30 looks less like a last-minute effort to get the bill passed this Congress, and more like a warning shot: that once the 117th Congress begins early next year, there will be a bipartisan, bicameral full-court press to push EARN IT through. Also, I wouldn’t rule out the revival of the Lawful Access to Encrypted Data Act, the even-more-evil twin of EARN IT, born from the same father (Senator Lindsey Graham [R-SC], who’s up for re-election). That bill has gone precisely nowhere, but if it became law, it would effectively ban providers like WhatsApp from offering strong encryption at all, rendering EARN IT’s half-assed “protection” from liability moot.

There are multiple urgent existential issues facing America right now. It’s confounding that with so many other crises going on, this is what members of Congress are deciding to spend their energy on. But we can’t afford to sleep on this bill. It’s still important to make your voice heard and tell your Senators and your Representative to vote “no” on the EARN IT Act. You can take action here or here. They work for you, so make sure to VOTE in the November 3 election!