photograph of laptop with a lock with keys on it
"Computer security and data protection concept" by makidotvn (via depositphotos)

At the moment, the subject on everyone’s minds is COVID-19, and for good reason: the number of infected and dying in the United States and around the world is growing every day.  But as Kenneth Boyd has pointed out, there are a number of subjects that are getting ignored. There is a massive locust swarm devastating crops in East Africa. There is an ongoing oil war driving gas prices down and decimating financial markets. And, in the United States, Congress is considering passing a bill that would have significant negative impacts on privacy and free speech on the internet. The bill in question is the EARN-IT Act, and the reason it is not capturing popular attention is obvious: viruses are scary, fast-moving, and make their ways into people’s homes. This bill is complex and understanding its ramifications for people’s rights to privacy and free speech requires a good deal of legal context.

But first, what is the EARN-IT Act? Legislators are clearly not marketing it as an attack on privacy and free speech since such a bill would be widely unpopular. The EARN-IT Act is really intended as a necessary measure to combat the widespread issue of child pornography, or, as the act would admirably rename it, “child sexual abuse materials” on the internet. This is a big problem. Right now, a ring of child abusers using the encrypted messaging app Telegram are being uncovered in South Korea. Proponents of the bill view the encryption that Telegram and other apps like WhatsApp, and soon Facebook, use as a tool for child abusers to evade government detection and prosecution. They see the owners of these apps as neglecting their responsibility to monitor the content going through their servers by encrypting said content so even they cannot see it. Essentially, these companies seem to know that child abuse is a problem on their platforms and instead of putting in the effort to find and report it, they simply blindfold themselves with encryption for their users.

So how will the EARN-IT Act resolve this seemingly willful ignorance and bring child abusers to justice? Well, here is where the issue gets complex and requires legal context. The act itself creates a government committee which would create a recommendation of “best practices” for companies to follow to minimize the spread of child sexual abuse materials on their websites. This recommendation would also be binding. If companies were to fail to follow the recommendations of the committee, they might lose something called “Section 230 immunity” which ordinarily keeps them from being prosecuted when child sexual abuse materials are found on their websites. Right now, if the government finds these materials on a hard drive belonging to you or me, we would go to jail for at least 5 years. But, if those same materials are found on Facebook or Telegram’s hard drives, the site owners will not go to jail, all due to that Section 230 immunity. Understanding why such a difference makes any sense requires understanding the history behind it and the distinction between speakers (the ones who create and share child sexual abuse materials) and distributors (sites like Facebook or Telegram that child abusers may use to share the evidence of their abuse).

In legislation prior to the internet, the legal burden for illegal speech (which, though it sounds weird when you say it, includes images) fell only on publishers and speakers, not distributors. If a book containing illegal content was sold in a bookstore (a “distributor”), the bookstore would not be responsible; only the author (“speaker”) of the content and the publisher would be. Obviously the author would know he broke the law and presumably his publisher should have had the sense to check what they were publishing. But the store that sold the book could not have this responsibility since they might sell thousands upon thousands of titles and could not spend the time checking each one. If the government put that responsibility on the bookstore, bookstore owners might be afraid to sell more titles than they could reasonably read through and check themselves. Fewer ordinary writers would be able to get their works to their audiences. So, many authors would not bother writing, knowing their books would never be sold. While the government would never directly force them to stop speaking, authors would be indirectly silenced. As Supreme Court Justice William Brennan put it in the Court’s unanimous opinion in Smith v. California, the law cannot “have the collateral effect of inhibiting the freedom of expression, by making the individual the more reluctant to exercise it.”

The question, then, is whether Facebook or Telegram should count as distributors or publishers. In 1996, Congress decided the issue with Section 230 of the Communications Decency Act. In this section was the following provision: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Let’s break this down. An “interactive computer service” would be any website or app people share content on (like Facebook or Telegram). The “provider” would be the owner, and “user[s],” would be, of course, anyone who used the site. Any other “information content provider” would be another person sharing information on the “interactive computer service.” If someone (the “information content provider”) posts illegal content on Facebook (the “interactive computer service”), that means that neither the owners of Facebook (the “provider”) nor someone who retweets that content (a “user”) is legally responsible for it. They are not legally responsible because they are not “treated as publisher or speaker” of that content. So, when child sexual abuse materials are shared using Facebook or Telegram’s servers, they have immunity.

The problem is that this immunity does not incentivize sites to find and remove these materials. There is no penalty for allowing them to spread, so long as the site owners never see them. And, with encryption, they can’t see them. One binding “recommendation” the committee created by the EARN-IT Act might make is to require sites to create a “backdoor” to their encryption that would allow the government to bypass it. One of the bill’s main sponsors, Senator Lindsey Graham, has said that he intends for it to end encryption like this for all websites. He has said that “We’re not going to go blind and let this abuse go forward in the name of any other freedom,” in reference to Facebook’s plans to institute end-to-end encryption of their messaging app.

Essentially, if two people on Telegram are texting, it is as though they are both going into a locked house to talk where only they have the keys. These keys would be unique to this particular house. A “backdoor” would be an unlocked entrance to every house that anyone who knew about it could get through and listen to the conversations people are having. There are two serious problems with this proposal: first, the government will be able to see, without any warrant and without checking with the site owners, any information from users; second, since there is no way to guarantee that only the government ever finds out about such a backdoor, it would be possible for anyone who finds the backdoor to access all of your personal information online. Privacy on the internet would quickly disappear.

Now it is important to remember that this recommendation to build backdoors in all websites is not a necessary condition of the EARN-IT Act. Perhaps the principle of it being possible for the government to take away our privacy on the internet is objectionable but it is not necessary that anyone actually lose their free speech. Such an abridgment of our right to privacy would occur only if the committee ultimately decided to include backdoors in its recommendations. One of the bill’s other sponsors, Senator Richard Blumenthal, has said this would not be the case. But, there is not anything stopping the committee from making such a recommendation either, which is where the trouble lies. If the committee acts in good faith, doing what is right, respecting our right to privacy, there will be no problem.

But, of course, politicians and governmental committees do not always act in good faith. The PATRIOT Act was enacted in the wake of 9/11 ostensibly to fight terrorism. As we all know, there was a darker side to this act, including the creation of a number of programs that allowed widespread wiretapping of ordinary citizens, among other violations of people’s rights. None of these harms were actual until they were. “Power corrupts, and absolute power corrupts absolutely” is such a common quotation as to become proverbial. All the committee of the EARN-IT Act has to do to end privacy on the internet is to make a simple recommendation and to threaten companies with the loss of Section 230 immunity. And, since without Section 230 immunity site owners could face serious jail time, sites would either have to manually check every post, every text, every image going through their servers (a virtual impossibility with the scale of internet content sharing) or would have to end encryption as instructed.

The internet is a wonderful and horrible thing, much like the human beings who compose it. The ability to communicate with anyone, around the world is an amazing thing. And to be able to do so privately is even more amazing. But, this amazing technology can, like every technology, be used for both good and for evil. Are we willing to sacrifice our ability to communicate privately online to wholly eliminate child sexual abuse on the internet? What value does privacy really have? The proposal and passage of bills like the EARN-IT Act threaten some of our most fundamental rights, both to speech and to privacy. Like the PATRIOT Act before it, it coats this dangerous abridgement of our rights in a veneer of justice, telling us that the cost to our freedom is worth it to right some wrong. As Graham would have it, we cannot “let this abuse go forward in the name of any other freedom.” But we can, and we must. If privacy is to be a true right, then it cannot be “earned.” The EARN-IT Act would have our right to privacy reduced in this way and so cannot be supported unless the powers of the proposed committee are harshly limited. Our rights are unalienable. The right for the government to limit our rights is not. If one of us, the citizens or the government, needs to “earn” their rights, it is them, not us.