Technology

Bill to protect children online ensnared in encryption fight

Senate legislation to protect children from sexual exploitation online is being dragged into a larger fight over privacy and encryption.

The bill in question, the EARN IT Act, which has bipartisan support, would create a government-backed commission to develop “best practices” for dealing with rampant child sexual abuse material online.

If tech companies do not meet the best practices adopted by Congress, they would be stripped of their legal liability shield, laid out in Section 230 of the Communications Decency Act, in such cases.

But critics worry that the bill is simply a vehicle to block the tech industry’s efforts to implement end-to-end encryption, a feature which makes it impossible for companies or government to access private communications between devices.

They worry the legislation could give government a backdoor to encrypted devices. That concern has been amplified by Attorney General William Barr, vocal opponent of encryption, who would head the best practices commission under the legislation.

Sen. Ron Wyden (D-Ore.) has slammed the bill as a “Trojan horse to give Attorney General Barr and Donald Trump the power to control online speech and require government access to every aspect of Americans’ lives.”

But supporters of the bill are pushing back.

Senate Judiciary Committee Chairman Lindsey Graham (R-S.C.), a bill co-sponsor, said during a hearing before his committee on Wednesday that the legislation is “not about the encryption debate, but the best business practices.”

“This bill is not about ending encryption,” added Sen. Richard Blumenthal (D-Conn.), another co-sponsor, Wednesday. “And it is also — I’m going to be very blunt here — not about the current attorney general, William Barr.”

Blumenthal pointed out that the commission would have 19 members and that 14 votes would be needed to approve a best practice. Among those 19 members would be the attorney general, but also the Department of Homeland Security secretary and the chair of the Federal Trade Commission. The other 16 members would be appointed by the Senate majority leader, Senate minority leader, Speaker of the House and the House minority leader.

That has failed to calm the worries of privacy advocates.

Kathleen Ruane, senior legislative counsel at the American Civil Liberties Union, told The Hill that although there are other members on the committee, Barr will have an outsize role. She pointed to language in the bill giving the attorney general, along with the DHS and FTC leaders, final approval power before best practices are sent to Congress.

Blumenthal has said the attorney general can only reject proposed best practices on the commission, as opposed to pushing any through unilaterally.

Regardless of Barr’s role and powers, experts say encryption will come up as the commission debates best practices.

“You have law enforcement representatives [on the committee] and this is a huge issue among the law enforcement community … so it’s very likely they’ll bring it up,” said Alan Rozenshtein, associate professor of law at the University of Minnesota and former attorney adviser for the Department of Justice. “And then you have victim advocates and to the extent that they believe that encryption is part of the problem or needs to be addressed as part of the problem, they’re going to bring it up as well.”

“I don’t really see a realistic situation in which this does not implicate encryption,” he added.

“Encryption is not explicitly mentioned in the bill, but that also means nothing stops them from making best practices related to it,” said Elizabeth Banker, the deputy general counsel of the Internet Association, a trade association that represents many online companies.

Critics also have broader privacy concerns over the legislation outside of the encryption debate. Ruane said other best practices could pose threats to communication privacy.

One compromise that has been floated is to make it explicit in the legislation that the commission will not make any recommendations about encryption. But Graham has rebuffed that idea.

“I’m not going to pre-determine what the right answers are,” Graham told reporters Wednesday. “Let the commission work.”

Other lawmakers have also downplayed any threat to weakening encryption.

“I can tell you right now I will not support something that compromises the integrity of encryption for users, because I think that that’s hugely significant,” Sen. Josh Hawley (R-Mo.), one of the 11 bill co-sponsors, told reporters Wednesday.

Hawley accused tech companies of bringing up the issue of encryption to derail the legislation, which will place more responsibility on them to prevent exploitation of children online.

“What the tech companies will do is seize at any straw to try to argue that we just can’t possibly revise Section 230,” he told reporters. “Let’s not underestimate how rich they’ve gotten on Section 230.”

Blumenthal said at the hearing that some big tech companies are using “encryption as a subterfuge to oppose this bill.”

There have been changes to the bill from an earlier version leaked in February. That version had only 15 members on the commission and required a lower threshold to approve best practices.

Asked about those changes, Blumenthal told reporters that legislators “were listening for constructive suggestions” as they drafted the bill.

As lawmakers move to finalize the bill, both sides are digging in.

“I am not going to stand on the sidelines any longer,” Graham said Wednesday, vowing to push the legislation forward.