A Backdoor Attempt to Require Backdoors to Encryption

Few things frustrate law enforcement quite the same way encryption does. Authorities complain the technology makes it impossible for them to decipher the communications of criminals and terrorists, so they argue tech companies offering encrypted products and services should provide a way for government to access encrypted information when they need it. Tech companies, backed by many in civil society, counter that encryption is a powerful tool for privacy and security, and weakening it would create far more problems than it would solve.

High-profile cases such as the San Bernardino terrorist attack, when the FBI demanded that Apple unlock a shooter’s password-protected iPhone, periodically garner support for law enforcement’s perspective. And the rapid rise of messaging apps that use end-to-end encryption — systems that allow senders and recipients, but not service providers, to read encrypted messages — only serves to heighten the tension. Yet technology companies, standing with the Fourth Amendment on their side, have held their ground.

Against this backdrop, having been thwarted repeatedly in court, law enforcement advocates now appear to be trying to get what they want surreptitiously, through legislation introduced by Sens. Lindsey Graham (R-S.C.), Richard Blumenthal (D-Conn.), Josh Hawley (R-Mo.), and Dianne Feinstein (D-Calif.). Called the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, the bill ostensibly aims to prevent child exploitation online. It does so by requiring internet companies to take “reasonable measures” to keep their platforms safe, or risk losing a longstanding legal shield, Section 230 of the Communications Decency Act, which states that online services are not responsible for content their users post. But the EARN IT Act’s language and provisions, plus Sen. Graham’s recent remarks on encryption, signal it is more likely a furtive attempt to force tech companies to not provide end-to-end encryption to their users.

Section 230 immunity has allowed many online services to thrive which otherwise could not exist, including social media sites and e-commerce sites, thereby forming the foundation of the internet economy. But the EARN IT Act would strip this immunity away from companies that don’t abide by a prescribed list of best practices for stopping child exploitation, which a National Commission on Online Child Exploitation Prevention would devise. Attorney General William Barr would then have authority to add his own ideas.

Given Barr’s stance on encryption — namely, that tech companies should create mechanisms, often referred to as “backdoors” — many tech companies and privacy and security advocates are rightly concerned about the effects the EARN IT Act would have on encryption. If Congress passes the EARN IT Act in its current form, the committee and Attorney General Barr could simply declare that companies that use end-to-end encryption are not following best practices to prevent child exploitation. Tech companies would then face a choice between giving up end-to-end encryption and giving up Section 230 immunity.

What law enforcement, the intelligence community, and Sen. Graham fail to take into account are the immense benefits of encryption. Encryption protects consumers’ privacy and is especially important for vulnerable populations like abuse victims, the LGBTQ community, journalists and their sources, military service members, and activists living under oppressive regimes around the world. Pitting encryption against public safety ignores the fact that, for these people and many others, encryption improves their physical safety by keeping their data secure.

Encryption also keeps businesses’ data secure — including their customers’ data — mitigating the effects of data breaches, and strong encryption makes U.S. companies more competitive. Privacy- and security-minded consumers choose products and services that enable end-to-end encryption. If the U.S. government limits it, not only will American consumers face higher costs as businesses grapple with higher security risks, but American companies will lose business to more secure foreign companies.

Unfortunately, there’s no way to create “backdoors” to encryption that only allow in good actors like law enforcement. Any mechanism that would give law enforcement access to encrypted information would weaken encryption and reduce overall security for law-abiding citizens and businesses, while doing little to impede serious criminals, who could obtain more securely encrypted products and services from other countries.

Section 230 has recently come under fire from many directions: Both Republicans and Democrats, presidential candidates, the Department of Justice, foreign lawmakers, and even celebrities have called the law into question. But while it may be legitimate to debate changes to Section 230, the law remains an important foundation of the internet economy, and threatening to knock it out from under companies — as the EARN IT Act would do — is not good policy. Neither is mixing together two completely separate policy issues — encryption and Section 230 — and hiding one behind the other. If lawmakers want to limit encryption, then they should come out with a bill to do precisely that and try to defend it on its own merits. The EARN IT Act is not that bill. It’s a bait-and-switch that carries potential negative consequences for the data privacy and security of American citizens and businesses.

Ashley Johnson is a research analyst at the Information Technology and Innovation Foundation, the leading think tank for science and technology policy.

Morning Consult