Stanford CIS

The EARN IT Act is a disaster amid the COVID-19 crisis

By Riana Pfefferkorn on

Before the novel coronavirus arrived on its shores, the United States had spent decades becoming a heavily digitized society. Now, the pandemic is deepening that dependence on digital technology, converting millions of in-person interactions into online communications. That dependence means good cybersecurity, including strong encryption, has become more crucial than ever.

With millions of Americans banking, working, and living online, there is no worse time to weaken encryption and disincentivize improvements in cybersecurity. And yet that’s precisely what the Senate Judiciary Committee is trying to do right now, with a bill called the EARN IT Act that would deal a disastrous blow to online privacy and security.

The COVID-19 cybersecurity crisis

When was the last time you attended a meeting in person? If you’re like me, it’s probably been a month or more. When the San Francisco Bay Area’s stay-at-home order went into effect here on March 17, gone overnight were the kinds of in-person meetings I used to have at work: grading exams alongside my teaching assistants, prepping with co-counsel for an upcoming court hearing, meeting with a tech company to get a sneak preview of a new product feature. Gone, too, were my in-person activities outside of work, from therapy sessions to my annual physical, from visiting a financial planner to heart-to-heart talks with friends. What’s the common thread connecting these meetings? They all really need to be private.

The United States faces crises in public health and the economy that are without precedent, and that has required moving much of life online. Key aspects of society are under severe strain, and compared to life-or-death issues in the medical system or food supply chain, computer security may seem like an afterthought.

But on top of everything else, this is also a crisis for cybersecurity. Federal officials have warned that “the COVID-19 pandemic provides criminal opportunities on a scale likely to dwarf anything seen before.” Cybercrime reports have increased four-fold. Google Gmail is detecting 18 million malware and phishing emails, and 240 million spam emails, related to COVID-19 per day. A coordinated response by the private sector, the Department of Justice, and multiple other agencies has already disrupted “hundreds” of online scams that sought to steal people’s money and personal information.

Meanwhile, the pandemic response is creating ever more electronic information that needs protection. This includes financial information, such as stimulus checks, small business loans, and unemployment claims. More and more health information is now online, as “telehealth” care proliferates. Information about individual health was already private and subject to strict protections, but moving forward, who is and isn’t positive for COVID-19 represents one of the most sensitive pieces of information about a person. Schools have been forced to move classes online. And with the economic crisis prompting layoffs, insurance claims, lawsuits, and bankruptcies, a huge amount of confidential legal information and attorney-client communications is now being generated.

Read the full piece at Brookings.