Signal: We’ll be eaten alive by EARN IT Act’s anti-encryption wolves

Recent weeks have been rough, with droves of people turning to virtual communication for sensitive conversations they’d like to keep private – medical visits, seeing friends’ faces and hearing their voices, or solace for those who’ve lost loved ones.

Understandably, the end-to-end (E2E) encrypted messaging app Signal has been signing up new users at “unprecedented” rates and flipping the switch on servers “faster than we ever anticipated,” Signal’s Joshua Lund said last week.

… and you can say goodbye to any of that staying stateside if the EARN IT Act passes.

Signal claims that legal and liability concerns would make it impossible to operate in the US. That doesn’t mean it would shut up shop entirely, but it could mean that the non-profit would need to move operations now based in the US.

Called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act), the bill was introduced last month. If it passes, EARN IT would require tech companies to meet safety requirements for children online before obtaining immunity from lawsuits. You can read the discussion draft here.

To kill that immunity, the bill would undercut Section 230 of the Communications Decency Act (CDA) from certain apps and companies so that they could be held responsible for user-uploaded content. Section 230, considered the most important law protecting free speech online, states that websites aren’t liable for user-submitted content.

The proposed legislation’s details haven’t been ironed out yet, but at this early point, the bill’s intent to water down Section 230 turns that protection into a “hypocritical bargaining chip,” Lund wrote on Signal’s blog.

At a high level, what the bill proposes is a system where companies have to earn Section 230 protection by following a set of designed-by-committee ‘best practices’ that are extraordinarily unlikely to allow end-to-end encryption. Anyone who doesn’t comply with these recommendations will lose their Section 230 protection.

Maybe some of the tech behemoths could swing the potentially huge financial risk that would come with slews of lawsuits as they suddenly become responsible for whatever random things their users say, but not Signal, Lund said.

It would not be possible for a small nonprofit like Signal to continue to operate within the United States. Tech companies and organizations may be forced to relocate, and new startups may choose to begin in other countries instead.

It’s bizarre that a government that’s reliant on secure, private messaging would even contemplate gutting E2E encryption, Lund said. In February, the European Commission endorsed the messaging app, telling staff to switch to Signal for encrypted messaging. Lund listed other military and government endorsements, calling the proposed legislation “troubling and confusing”:

For a political body that devotes a lot of attention to national security, the implicit threat of revoking Section 230 protection from organizations that implement end-to-end encryption is both troubling and confusing. Signal is recommended* by the United States military. It is routinely used by senators and their staff. American allies in the EU Commission are Signal users too. End-to-end encryption is fundamental to the safety, security, and privacy of conversations worldwide.

*The US Military also recommends Wickr for encrypted messaging: both it and Signal feature auto-delete functions that erase messages after a set period of time.

The bill’s backers claim that they’re not targeting encryption. Rather, as with other attempts to legally enforce encryption backdoors, they’re claiming that their real goal is to get companies to accept responsibility for the enabling of online child sexual abuse.

But as has been explained by Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity at The Center for Internet and Society at Stanford Law, the bill doesn’t have any tools to actually stop online child abuse. Furthermore, if it passes, it would actually make it much harder to prosecute pedophiles, she says.

As it now stands, online providers proactively, and voluntarily, scan for child abuse images by comparing their hash values to known abusive content.

Apple does it with iCloud content, Facebook has used hashing to stop millions of nude children’s images, and Google released a free artificial intelligence tool to help stamp out abusive material, among other voluntary efforts by major online platforms.

The key word is “voluntarily,” Pfefferkorn says. Those platforms are all private companies, as opposed to government agencies, which are required by Fourth Amendment protections against unreasonable search to get warrants before they rifle through our digital content, including email, chat discussions and cloud storage.

The reason that private companies like Facebook can, and do, do exactly that is that they are not the government, they’re private actors, so the Fourth Amendment doesn’t apply to them.

Turning the private companies that provide those communications into “agents of the state” would, ironically, result in courts’ suppression of evidence of the child sexual exploitation crimes targeted by the bill, she said.

Pfefferkorn has also pointed out that the bill would give unprecedented power to Attorney General William Barr, a vocal critic of end-to-end encryption, who would become the arbiter of any recommendations from the “best practices” commission that the EARN IT bill would create.

The “best practices” approach came after pushback over the bill’s predicted effects on privacy and free speech. The best practices would be subject to approval or veto by Barr, who has issued a public call for backdoors; the Secretary of Homeland Security (ditto); and the Chair of the Federal Trade Commission (FTC).

Basically, those wolves are going to eat smaller encryption providers alive, Lund said:

It is as though the Big Bad Wolf, after years of unsuccessfully trying to blow the brick house down, has instead introduced a legal framework that allows him to hold the three little pigs criminally responsible for being delicious and destroy the house anyway. When he is asked about this behavior, the Big Bad Wolf can credibly claim that nothing in the bill mentions ‘huffing’ or ‘puffing’ or ‘the application of forceful breath to a brick-based domicile’ at all, but the end goal is still pretty clear to any outside observer.

Last month, Sen. Ron Wyden, who introduced the CDA’s Section 230, said that the “disastrous” legislation is a “Trojan horse” that will give President Trump and Attorney General Barr “the power to control online speech and require government access to every aspect of Americans’ lives.”

The EARN IT Act is only the latest of many attempts to inject an encryption backdoor that the US government and law enforcement agencies have been trying to inflict for years.

Digital rights advocates say that the proposed act could harm free speech and data security, and Sophos concurs. For years, we’ve said #nobackdoors, agreeing with the Information Technology Industry Council that “Weakening security with the aim of advancing security simply does not make sense.”

The EARN IT Act is still working its way through Congress, not having seen a vote in either the House nor Senate.

There’s still time to stop it, Lund said. To reach out to elected officials, you can look up contact information on The Electronic Frontier Foundation’s Action Center.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.