An illustration of content scanning that could happen under EARN IT.

EARN IT is a dangerous law that could be used to break encryption

Last updated 2 February 2022

On 2 July 2020, the Senate Judiciary Committee voted to approve the EARN IT Act (an acronym that stands for Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020). It then died, never receiving a vote on the Senate floor. (That year’s other attack on end-to-end encryption, the LAED Act, met a similar fate.)

Now, Congress is again creating a likely sneak attack on encryption. Multiple senators reintroduced the EARN IT Act into the Senate Judiciary Committee in January, and the committee subsequently passed the bill on 10 February 2022. The EARN IT Act was also introduced in the House of Representatives in February. This bill, if passed, would likely require social media companies to monitor all of the content shared on their platforms, including private messages, ostensibly to prevent the spread of child sexual abuse material.

But the bill is loosely worded and gives extraordinary power to individual states to create their own rules. Advocates for online freedom say the legislation is ill-fitted for its stated purpose and may instead force Internet companies to monitor all their users’ activity, even if that means breaking encryption.

In other words, EARN IT can be used as a trojan horse to attack encryption, or as critics have put it, a “backdoor to a backdoor.”

While we recognize the scourge of child sexual abuse material online and Big Tech’s role in its proliferation, EARN IT is a poor attempt at solving the problem. There are many proposed solutions, such as removing videos of children from the YouTube recommendation system, which pedophiles have used to create repositories of content. EARN IT instead would address the problem by making YouTube remove almost all the videos of children, period, as YouTube would not want to risk the increased liability it will face under the new law.

EARN IT only tangentially addresses the problem of abusive material online. Its primary effect would most likely be to require companies to monitor their users, enforce the censorship of legal information, and create a framework to break encryption.

How EARN IT works 

Under US law, tech platforms are generally not legally liable for the content that users post on their platforms. This legal premise has enabled Facebook and Twitter to become clearinghouses for fake news, slander, and extremist content. It is codified under Section 230 of the Communications Decency Act.

The original premise of EARN IT is that online and social media companies would have to “earn” their Section 230 protections by following specific best practices, which were going to be created by a 19-member federal commission. 

This reintroduced bill is nearly the exact same as the bill that died in 2020. It still makes companies liable if child sexual abuse appears on their platform, full stop. In other words, abusive material would not be protected by Section 230. 

The federal commission’s power is also still reduced, and its best practice list will be voluntary. And all 50 states still can write their own rules and regulations to prevent abusive material. If an internet company does not comply with these laws, it opens itself up to potential state-level criminal charges.

This would result in a patchwork legal system where every state has its own set of rules, which would likely lead internet companies to simply adopt the most restrictive state code as their standard. It only takes one state to require internet companies to scan content before it is encrypted to undo end-to-end encryption. And this is where the one major change to EARN IT pops up. In 2020, there were some half-hearted attempts to state that encryption would be protected. These have largely been stripped out of the 2022 version of the bill.

How EARN IT attacks encryption and free speech

EARN IT would turn Internet companies into censors and give states the power to undermine end-to-end encryption.

By attacking Section 230, this bill guarantees that a large swath of legal free speech would be suppressed. To avoid liability, many online companies will delete anything that is even tangentially related to the targeted topic.

We know this because we’ve witnessed it before. The Fight Online Sex Trafficking Act, which this bill now resembles, was meant to only target sex trafficking. However, in practice, it led to Craigslist deleting its entire “Personals” section and Microsoft monitoring Skype for vulgarity and nudity.

It could also be the bill that breaks encryption. Instead of a direct attack on encryption like the LAED Act, EARN IT would give the US states the power to undo end-to-end encryption. States could require internet companies to scan messages before they are encrypted or create new ways to access end-to-end encrypted messages without touching the encryption. Australia’s Assistance and Access law plays this same semantic game by requiring internet companies to help law enforcement develop malware that can access information after it has been decrypted on your device, thereby technically leaving the encryption intact. 

As Riana Pfefferkorn explains in the Center for the Internet and Society blog, the new EARN IT Act provides questionable protection for encryption at best. While the bill says offering strong encryption isn’t a basis for liability on its own, it does nothing to stop a prosecutor from finding a separate semi-plausible cause, such as neglect, and taking a company to court for its encryption that way. In other words, as long as a civil or criminal lawsuit is based on a separate, semi-legitimate complaint and not on a service’s encryption, it can use that service’s encryption against them as evidence of neglect.

The most probable end result would be to discourage strong encryption and end-to-end encryption entirely. When EARN IT was originally proposed in 2020, the end-to-end messaging service Signal stated they would likely have to move their headquarters outside the US if it passed.

How would EARN IT affect you?

If you are a Proton user, you will avoid the most harmful effects of EARN IT if it is passed. We are a Swiss company, and the data centers Proton Mail uses are all in Switzerland. Therefore, we are not subject to US laws. Any request from foreign law enforcement needs to be approved by Swiss authorities. 

EARN IT would likely lead to a massive overreaction by internet companies, as they will be incentivized to remove completely legal user content to avoid even the hint of liability. Or, as the ACLU said in 2020 in its letter to the Senate Judiciary Committee, “Even if the speech covered by the law could be restricted without raising constitutional concern, the content moderation practices the companies will deploy to avoid liability risk will sweep far more broadly than the illegal content.”

If a state takes up the invitation of this law and passes regulations against end-to-end encryption, it will place many American companies, like WhatsApp or Signal, in a tough place. Do they fight numerous costly court cases, break their encryption, or leave the US?

We cannot allow Congress to pass EARN IT

EARN IT chips away at one of the legal foundations for free speech on the internet and jeopardizes the encryption that keeps the internet secure in the name of preventing abusive material from appearing online. However, posting child sexual abuse material is already a federal crime, which means it is exempt from Section 230 to begin with. There are many more effective ways to prevent the proliferation of this type of material.

Furthermore, if this bill was not intended to target encryption, the lawmakers could have included much stronger and explicit protections for encryption.

In short, EARN IT is vague, unnecessary, and unlikely to solve the problem it claims to be addressing. Instead, it would expand government surveillance and censorship and likely force companies to create backdoors in their encryption or do away with their encryption entirely. 

What you can do

EARN IT is currently being voted on in the Senate Judiciary Committee. You can monitor its progress here.

We strongly encourage all Americans to write to their representatives in Congress and tell them to vote against EARN IT. This is your chance to remind Congress that you value your security and freedom of speech. The Electronic Frontier Foundation’s Action Center will help you get in touch with your representatives.

You can also protect your personal messages by signing up for a free secure email account with Proton Mail. This account will also give you access to the free version of Proton VPN, which you can use to encrypt your online browsing.

EARN IT threatens everyone’s right to an internet that protects people’s privacy and freedom. Help us stop it.

