Modified EARN IT Act Marked Up; Before Markup, Graham, Cotton, and Blackburn Introduce Encryption Bill (July 2020)

Subscribe to my newsletter, The Wavelength, if you want the content on my blog delivered to your inbox four times a week. The Wavelength will transition shortly to a subscription product early in 2022. Posts on this site will continue in a fashion.

Note that this was written in July 2020, but I realized two things. I had never posted it to my site, and in light of the resurrection of the EARN IT Act, set to be marked up on 3 February 2022, it has renewed relevance. See also here and here for additional information on this legislation.

The Senate Judiciary Committee met, amended and reported out the “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020” (EARN IT Act of 2020) (S.3398), a bill that would change 47 USC 230 (aka Section 230) by narrowing the liability shield and potentially making online platforms liable to criminal and civil actions for having child sexual materials on their platforms. The bill as introduced in March was changed significantly this week when a manager’s amendment was released and then further changed at the markup. The Committee reported out the bill unanimously, sending it to the full Senate.

The Senate Judiciary Committee unanimously reports out a revised bill to remove online child sexual material from Section 230 protection. The bill no longer allows companies to use a safe harbor based on adopting best practices for finding and removing this material. However, before the hearing, the chair of the committee introduced a bill requiring technology companies to decrypt or assist in decrypting data subject to a court order accompanying a search warrant.

Last week, in advance of the first hearing to markup the EARN IT Act of 2020, key Republican stakeholders released a bill that would require device manufacturers, app developers, and online platforms to decrypt data if a federal court issues a warrant based on probable cause. Critics of the EARN IT Act of 2020 claimed the bill would force big technology companies to choose between weakening encryption or losing their liability protection under Section 230. They likely see this most recent bill as another shot across the bow of technology companies, many of which continue to support and use end-to-end encryption even though the United States government and close allies are pressuring them on the issue. However, unlike the EARN IT Act of 2020, this latest bill does not have any Democratic cosponsors.

Senate Judiciary Committee Chair Lindsey Graham (R-SC) and Senators Tom Cotton (R-AR) and Marsha Blackburn (R-TN) introduced the “Lawful Access to Encrypted Data Act” (S.4051) that would require the manufacturers of devices such as smartphones, app makers, and platforms to decrypt a user’s data if a federal court issues a warrant to search a device, app, or operating system.

The assistance covered entities must provide includes:

  • isolating the information authorized to be searched;
  • decrypting or decoding information on the electronic device or remotely stored electronic information that is authorized to be searched, or otherwise providing such information in an intelligible format, unless the independent actions of an unaffiliated entity make it technically impossible to do so; and
  • providing technical support as necessary to ensure effective execution of the warrant for the electronic devices particularly described by the warrant.

The Department of Justice (DOJ) would be able to issue “assistance capability directives” that would require the recipient to prepare or maintain the ability to aid a law enforcement agency that obtained a warrant that needs technical assistance to access data. Recipients of such orders can file a petition in federal court in Washington, DC to modify or set aside the order on only three grounds: it is illegal, it does meet the requirements of the new federal regulatory structure, or “it is technically impossible for the person to make any change to the way the hardware, software, or other property of the person behaves in order to comply with the directive.” If a court rules against the recipient of such an order, it must comply, and if any recipient of such an order does not comply, a court may find it in contempt of court, allowing for a range of punishments until the contempt is cured. The bill also amends the “Foreign Intelligence Surveillance Act” (FISA) to require the same decryption and assistance in FISA activities, which are mostly surveillance of people outside the United States.

The bill would focus on those device manufacturers that sell more than 1 million devices and those platforms and apps with more than 1 million users, meaning obviously companies like Apple, Facebook, Google, and others.

The bill also tasks the DOJ with conducting a prize competition “to incentivize and encourage research and innovation into solutions providing law enforcement access to encrypted data pursuant to legal process”

According to the Graham, Cotton, and Blackburn’s press release, the “[h]ighlights of the “Lawful Access to Encrypted Data Act” are:

  • Enables law enforcement to obtain lawful access to encrypted data.
    • Once a warrant is obtained, the bill would require device manufacturers and service providers to assist law enforcement with accessing encrypted data if assistance would aid in the execution of the warrant.
    • In addition, it allows the Attorney General to issue directives to service providers and device manufacturers to report on their ability to comply with court orders, including timelines for implementation.
      • The Attorney General is prohibited from issuing a directive with specific technical steps for implementing the required capabilities.
      • Anyone issued a directive may appeal in federal court to change or set aside the directive.
      • The Government would be responsible for compensating the recipient of a directive for reasonable costs incurred in complying with the directive.
  • Incentivizes technical innovation.
    • Directs the Attorney General to create a prize competition to award participants who create a lawful access solution in an encrypted environment, while maximizing privacy and security.
  • Promotes technical and lawful access training and provides real-time assistance.
    • Funds a grant program within the Justice Department’s National Domestic Communications Assistance Center (NDCAC) to increase digital evidence training for law enforcement and creates a call center for advice and assistance during investigations.

The EARN IT Act of 2020 was introduced in March by Graham, Senate Judiciary Committee Ranking Member Dianne Feinstein (D-CA), and Senators Richard Blumenthal (D-CT) and Josh Hawley (R-MO). If enacted, the EARN IT Act would represent a second piece of legislation to change Section 230 of the Communications Decency Act in the last two years with enactment of “Allow States and Victims to Fight Online Sex Trafficking Act of 2017” (P.L. 115-164).

In advance of this week’s markup, Graham and Blumenthal released a manager’s amendment to the EARN IT Act. The bill would still establish a National Commission on Online Child Sexual Exploitation Prevention (Commission) that would design and recommend voluntary “best practices” applicable to technology companies such as Google, Facebook, and many others to address “the online sexual exploitation of children.” However, instead of encouraging technology companies to use these best practices in exchange for continuing to enjoy liability protection, the language creating this safe harbor has been stricken.

Moreover, instead of creating a process under which the DOJ, Department of Homeland Security (DHS), and the Federal Trade Commission (FTC) would accept or reject these standards, as in the original bill, the DOJ would merely have to publish them in the Federal Register. Likewise, the language establishing a fast track process for Congress to codify these best practices has been stricken, too as well as the provisions requiring certain technology companies to certify compliance with the best practices.

Moreover, the revised bill also lacks the safe harbor against lawsuits based on having “child sexual abuse material” on their platform for following the Commission’s best practices. Now the manager’s amendment strikes liability protection under 47 USC 230 for these materials except if a platform is acting as a Good Samaritan in removing these materials. Consequently, should a Facebook or Google fail to find and take down these materials in an expeditious fashion, then they would face federal and state liability to civil and criminal lawsuits.

However, the Committee adopted an amendment offered by Senator Patrick Leahy (D-VT) that would change 47 USC 230 by making clear that the use of end-to-end encryption does not make providers liable for child sexual exploitation laws and abuse material. Specifically, no liability would attach because the provider

  • utilizes full end-to-end encrypted messaging   services,   device   encryption,   or   other   encryption services;
  • does  not  possess  the  information  necessary to decrypt a communication; or
  • fails to take an action that would otherwise  undermine  the  ability  of  the  provider  to  offer  full  end-to-end  encrypted  messaging  services, device encryption, or other encryption services.

© Michael Kans, Michael Kans Blog and, 2019-2022. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and with appropriate and specific direction to the original content.

Photo by Lena Helfinger from Pexels

Photo by Kammeran Gonzalez-Keola from Pexels

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s