15 votes

EARN IT letter to my representative

I'm currently writing a letter to my state Senator about their support for the EARN IT bill. I would appreciate if you guys would proof read it and give suggestions or corrections.

Letter Here

[Person]

I am a [state] resident and a student who has grown up on the internet. I love the freedom given by such a vast encyclopedia of knowledge, entertainment, and possibility. This freedom does have its issues though. Child abuse and child pornography are despicable problems that plague the internet and the world. They need to be addressed, but I don't believe the EARN IT Act is the right solution to the problem, as it will actively harm encryption and the privacy of everyone

The proposal recommends "retention of evidence and attribution or user identification data relating to child exploitation or child sexual abuse, including such retention by subcontractors". This essentially makes encryption on messaging platforms impossible without backdoors. Not only would the messages have to be saved for evidence, but there would have to be a method that the company uses to reveal the contents of the message, this method being the backdoor. If they cannot do so, they would be subject to fines.

Encryption is championed by nearly all experts in technology for privacy of messages and security of information, such as banking details. Why ignore the experts? They feel the same about child exploitation as you do, so they must have good reason to value encryption over a measure that is possible to reduce it.

Regardless of the security issues of the EARN IT Act, I also have a concern about its constitutionality that needs to be addressed. The Fourth Amendment provides "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

It can be reasonably inferred that the author, if he had lived in 2020, would have included mention of technology in this. "Papers" refers to not only documents, but also letters, as they were a primary means of communication. Now, that means is online messaging. Many have suggested that the act could lead to government scanning of messages in order to prevent child sexual abuse material. While doing so would likely diminish the amount being distributed through platforms owned by large businesses, it would likely shift to other mediums such as the dark web. Such scanning would infringe upon the Fourth Amendment rights of every US citizen as it would be a unreasonable (since there is no reason to scan everyone indiscriminately) search of my "papers".

7 comments

  1. [3]
    just_a_salmon
    Link
    I think you’re too focused on the technical and legal issues from a subject matter expert’s point of view, and not the human impact. It would be better to focus more on how the bill makes the...

    I think you’re too focused on the technical and legal issues from a subject matter expert’s point of view, and not the human impact. It would be better to focus more on how the bill makes the average American significantly less safe— some examples are breaking into online banking sessions, getting blackmail material or sensitive financial information from cloud storage services, or the risk to the personal data of members of the intelligence community with how foreign intelligence services will capitalize— and how the unintended consequences of the bill defeat (almost) every single one of its goals.*

    If you’re talking to an older person, you might also have to explain how many services previously managed via mail are now done online, and how easy it is to detect mail theft compared to how hard it is to realize that someone has downloaded weakly encrypted data that they can now not only crack at their leisure, but also crack it in a reasonable time frame.

    The dark web angle is good, but you need to assume that your congresscritter thinks that the Internet is a series of tubes. Instead of explicitly invoking the dark web, you could explain just how easy it is to set up a messaging service or forum on a server without a DNS record (analogous to an unlisted phone number) and just not tell the government that it exists. I’d also recommend explaining that if the law passes, the only people using the good encryption would be criminals and how the government would be just as incapable of breaking it then as they are now. If your congresscritter is a republican, a “only bad guys would have guns” analogy would be useful, it’s just that now only the bad guys’ encrypted data is uncrackable due to their general desire to not be caught, and wasn’t the whole point to make bad guys’ encrypted data crackable?

    Another problem is proliferation. Good encryption is everywhere, available in textbooks (and not just new textbooks), and has been taught to almost every computer science student that manages to get a half-decent education. This is another argument that a gun analogy would fit.

    Again, this all hinges on successfully arguing that EARN IT unavoidably means encryption backdoors.

    You could end with statements from encryption experts on how backdoors ultimately wreck any confidence in the encryption, and how math does not bow to the dictates of legislation.

    One nitpick:

    it will actively harm encryption

    This phrase isn’t helpful. I can’t quite put the words together to explain why, but it needs to go.

    * the one goal it succeeds in achieving is making it easier to find illicit data hosted on third-party services. But of course, this will just drive criminals to become technically savvy enough to use good encryption, which as stated above, is very easy to get ahold of.

    10 votes
    1. [2]
      Keegan
      Link Parent
      I actually had the opposite problem in my first draft so I'll try to put some more of those ideas back in. Great point. Could bring up voter registration and the like. I figured I'd go with the...

      I think you’re too focused on the technical and legal issues from a subject matter expert’s point of view, and not the human impact. It would be better to focus more on how the bill makes the average American significantly less safe

      I actually had the opposite problem in my first draft so I'll try to put some more of those ideas back in.

      explain how many services previously managed via mail are now done online

      Great point. Could bring up voter registration and the like.

      Instead of explicitly invoking the dark web, you could explain just how easy it is to set up a messaging service or forum on a server without a DNS record (analogous to an unlisted phone number) and just not tell the government that it exists.

      I figured I'd go with the dark web angle since it's a buzzword for "illegal part of the internet" that quite a few non-tech people know. Who knows how much politicians actually research for this stuff though.

      Again, this all hinges on successfully arguing that EARN IT unavoidably means encryption backdoors.

      Yeah that's very important. They don't explicitly say backdoors, but it is implied that it would happen.

      4 votes
      1. just_a_salmon
        Link Parent
        Now that I’ve written that, I’m starting to think that this might not be the case. But if backdoors aren’t explicitly excluded, it may end up being enforced that way. I’ll make a discussion topic...

        Again, this all hinges on successfully arguing that EARN IT unavoidably means encryption backdoors.

        Now that I’ve written that, I’m starting to think that this might not be the case. But if backdoors aren’t explicitly excluded, it may end up being enforced that way. I’ll make a discussion topic in the morning.

        Now if only the damn Wasatch Fault Line would let me sleep.

        4 votes
  2. patience_limited
    (edited )
    Link
    One argument you might mention is that EARN IT burdens Internet service providers and other tech companies with legal duties they can't comply with (yet?) and stay in business. The proposed...

    One argument you might mention is that EARN IT burdens Internet service providers and other tech companies with legal duties they can't comply with (yet?) and stay in business.

    The proposed Article 230 changes make providers liable for illegal material in transit or hosted with their services. Doing so forces them to try developing in-transit scanning technologies which may never work, and to take responsibility for law enforcement duties that the government is only permitted to exercise with a warrant.

    It's a terrible idea that could drive citizens and businesses away from using U.S.-regulated services wherever possible. This damages American competitiveness, and constitutes a potential national security threat as we can't protect data that isn't governed here.

    Schneier mentions a couple of sources, but the meat of the argument is here:

    I’m going to be a bit more blunt about this than I usually would be, but only because I think the following statement is accurate. The real goal here is to make it financially impossible for providers to deploy encryption.

    End-to-end encryption systems make [child pornography] scanning more challenging: this is because photo scanning systems are essentially a form of mass surveillance — one that’s deployed for a good cause — and end-to-end encryption is explicitly designed to prevent mass surveillance. So photo scanning while also allowing encryption is a fundamentally hard problem, one that providers don’t yet know how to solve.

    All of this brings us to EARN IT. The new bill, out of Lindsey Graham’s Judiciary committee, is designed to force providers to either solve the encryption-while-scanning problem, or stop using encryption entirely. And given that we don’t yet know how to solve the problem — and the techniques to do it are basically at the research stage of R&D — it’s likely that “stop using encryption” is really the preferred goal.

    EARN IT works by revoking a type of liability called Section 230 that makes it possible for providers to operate on the Internet, by preventing the provider for being held responsible for what their customers do on a platform like Facebook. The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they conduct “best practices” for scanning their systems for CSAM.

    Since there are no “best practices” in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use. The specific nature of the committee is byzantine and described within the bill itself. Needless to say, the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.

    So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn’t come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they’ll go bankrupt if they try to disobey this committee’s recommendations.

    The whole Cryptography Engineering blog post is worth reading - it's a brief, lucid, accessible argument.

    Also, there's a subtle First Amendment issue at stake - the criminalization of the use of math. As /u/just_a_salmon mentioned, cryptographic methods are published everywhere, the tools are nearly ubiquitous. Even if effective end-to-end encryption supported by providers is abolished, would-be criminals can still encrypt their files - the "if guns are criminalized, only criminals will have guns" argument, except with uncontrollable strings of equations and algorithms.

    Lawfare attempts to argue that the proposed composition of the Senate-sponsored committee gives adequate voice to all stakeholders. As the above blog post mentions, the committee may have zero experts on security. By the numbers, it's easy for the Attorney General, legal experts and legislators to overrule the technical, civil society, and industry constituents. In effect, this is voting on the value of π - favoring a convenient law without regard to reality.

    I don't have specific suggestions for ways you can incorporate this information in your letter. Personally, I appreciate that you're taking thought, time, and effort. To be totally cynical, your representative is probably already hearing from lobbyists and party whips about how to vote. It's likely that your message won't be read at all, just added to a tally of citizen voices for/against.

    4 votes
  3. [2]
    cfabbro
    Link
    I'm not American, so can't really give any constructive criticism on anything you have said related to the bill itself, but your letter and argument against it reads very well IMO. So the only...

    I'm not American, so can't really give any constructive criticism on anything you have said related to the bill itself, but your letter and argument against it reads very well IMO. So the only thing I can really think of to suggest would be to hand write the letter instead of just printing it on your computer or emailing it, as supposedly that makes it far more likely to actually be read once it arrives (by an intern at the very least, anyways).

    3 votes
    1. Keegan
      Link Parent
      Thanks for the suggestion. I originally found out my representative is in support of the bill from this Reddit post, which led me to find an online form to submit a comment, and I was going to...

      Thanks for the suggestion. I originally found out my representative is in support of the bill from this Reddit post, which led me to find an online form to submit a comment, and I was going to submit there. Your suggestion does make much more sense though, as it requires more thinking to read handwriting than text, and it sticks with you more. It's also harder to ignore physical mail than words on a screen.

      2 votes
  4. determinism
    Link
    Here is my representative's form letter response to my own advocacy against the bill.

    Here is my representative's form letter response to my own advocacy against the bill.

    Thank you for contacting me about the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act.

    We have a collective responsibility to protect our children from harm. This includes ensuring that they are not sexually exploited on the internet and other social media platforms. Though we have strong laws on the books for those who commit sex crimes against children, more can be done to ensure that our children are protected. Collectively, we should do everything that we can to ensure that individuals that sexually exploit the most vulnerable in our society are held accountable for their actions. That includes technology companies, which have a responsibility to protect children by screening for and removing abusive content from their websites and reporting individuals who violate the law on their platforms to law enforcement.

    The EARN IT Act would create incentives for companies to earn liability protection for violations of laws related to online child sexual abuse material and ensure tech companies are using best practices to prevent child exploitation. As a parent and grandparent, I take seriously the responsibility of safeguarding all children. Nothing is more tragic than the victimization of a child, and protecting our children from sexual crimes will always be a top priority for me.

    Should any legislation dealing with child pornography on the internet or child abuse come before the Senate, I will keep your thoughts in mind.

    Thank you again for getting in touch with me.

    Sincerely,
    Sherrod Brown

    United States Senator

    3 votes