The Battle over Encryption

There has been a tug-of-war between the US government and tech companies on the issue of encryption since the Clinton administration. The latest attack on encryption is the EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies).

In the 1990s the battle over encryption started because of the development of Pretty Good Privacy (PGP) software, which offered end-to-end encryption. The Clinton administration proposed a ‘Clipper Chip’ that would have provided a backdoor at ISPs so that law enforcement could decrypt messages when necessary. That idea was quashed by a coalition from the right and left that didn’t want the government spying on private communications.

The idea of killing encryption died down because most big web platforms chose transport layer encryption. In this commonly used encryption method, a web company encrypts traffic transmitted across its platform. This stops messages from being read by anybody in the middle of a transmission. Most big web companies, with the notable exception of Apple, will allow law enforcement to have access to the content of a transport layer encrypted message, because the web company can decrypt any message by reversing the encryption it applied.

The encryption conversation flared up again in 2013 when Edward Snowden released proof that the NSA and other intelligence agencies were routinely decrypting traffic on platforms like Google, Facebook, Microsoft, and Yahoo. This meant that the government was routinely decrypting messages sent across the web without going through the normal processes of issuing a subpoena for cases that warranted investigation. According to Snowden, the government was decrypting almost everything sent over the big public platforms.

This led to a renewed interest in end-to-end encryption. This differs from transport layer encryption in that messages are encrypted at the end-user level instead of by the big web company. In end-to-end encryption, a message is encrypted on a sender’s device, sent to the recipient in an unreadable format, and then decoded on the recipient’s device. There are several ways to make this work, but with none of these methods can the messages be read by anybody else, including the big web companies that might be transmitting them. Law enforcement can still figure out the content of messages, but they have to work hard at it and gain access to both the sender’s and the receiver’s devices.
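The difference between the two models comes down to which parties hold a key that opens the message. The sketch below is an added illustration, not code from any platform named here: the function names are hypothetical, the keys are assumed to have been shared in advance, and the cipher is a standard-library stand-in for a real authenticated cipher that should not be used to protect real traffic.

```python
import hashlib, hmac, os

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Keystream from HMAC-SHA256 in counter mode (toy stand-in for a real cipher).
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC, laid out as nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    # Verify the tag first; a party without the right key fails here.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def relay(blob: bytes, key_in: bytes, key_out: bytes):
    # The platform terminates transport encryption on each hop, so it holds
    # whatever was inside the transport layer before re-encrypting it.
    seen = unseal(key_in, blob)
    return seen, seal(key_out, seen)

def transport_only(msg, k_sender_hop, k_recipient_hop):
    # Returns (what the platform sees, what the recipient reads).
    seen, out = relay(seal(k_sender_hop, msg), k_sender_hop, k_recipient_hop)
    return seen, unseal(k_recipient_hop, out)

def end_to_end(msg, k_sender_hop, k_recipient_hop, k_devices):
    inner = seal(k_devices, msg)  # encrypted on the sender's device
    seen, out = relay(seal(k_sender_hop, inner), k_sender_hop, k_recipient_hop)
    # Decoded on the recipient's device with the key only the two devices hold.
    return seen, unseal(k_devices, unseal(k_recipient_hop, out))

if __name__ == "__main__":
    ka, kb, ke = os.urandom(32), os.urandom(32), os.urandom(32)  # constructed sample keys
    msg = b"constructed sample message"
    print("platform sees (transport only):", transport_only(msg, ka, kb)[0])
    print("platform sees (end-to-end):    ", end_to_end(msg, ka, kb, ke)[0].hex())
```

In the transport-only run the platform holds the readable message and could hand it over; in the end-to-end run it holds only an opaque blob that neither of its own hop keys can open.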

The general public has been pressuring the big web companies to incorporate end-to-end encryption in normal communication, and a number of them have considered doing so. Google pledged to incorporate end-to-end encryption in Gmail a few years ago but still hasn’t done so. There are platforms like Wickr and Signal that allow for end-to-end encryption, but the major platforms have not yet implemented it.

The EARN IT Act would tackle end-to-end encryption by tying encryption methods to the Section 230 protections that are key to operating big web platforms. Section 230 was created as law in the Telecommunications Act of 1996 and says that online services can’t be held responsible for end-user content they didn’t create. This is what allows Facebook, Twitter, Reddit, and Google to host content created by end-users that might violate various local laws. Without Section 230 protection, most privacy lawyers say that web companies couldn’t function since they would be sued by those who disagree with content.

The EARN IT Act would remove the blanket immunity from Section 230, and web companies would ‘earn’ Section 230 protections by providing backdoors for government surveillance. The EARN IT Act has ostensibly good intentions in that it addresses child sexual abuse. Web companies would have to certify annually that they are following whatever guidelines the government determines for monitoring, or they would lose their Section 230 immunity. Those guidelines aren’t even listed in the EARN IT Act and would be determined periodically by a 19-member commission.

The EARN IT Act is a backdoor way to eliminate end-to-end encryption because Google would lose Section 230 protections if it couldn’t certify that all Gmail can be decrypted. It’s likely such a certification would force web companies to spend a fortune to monitor every message on their platform before it is posted or transmitted, putting the web companies in the uncomfortable position of spying on everything said on their platform. As usual, Congress is trying to achieve something without the courage to say outright what they mean. The goal of the EARN IT Act is to outlaw end-to-end encryption, but it’s instead wrapped up inside a law that says it would fight against child pornography.