Speaker 0
0:10 – 0:12
Welcome to Tech Talk. Bye.
Speaker 2
0:13 – 1:16
CT. Tea. Welcome to CDT's Tech Talk, where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Jamal Magby, and it's time to talk tech. On 03/05/2020, a bipartisan group of 10 US senators introduced the EARN IT Act, a sweeping bill that will have implications for everyone's safety online. This bill, a well-intentioned act to combat child sexual exploitation online, threatens to erode free speech protections on online platforms, poses a serious threat to end-to-end encryption and secure communications, and may jeopardize prosecution of child sexual exploitation. Here to discuss some of the implications this new bill may have are Mana Azarmi, policy counsel, Hannah Quay-de la Vallee, senior technologist, and Liz Woolery, deputy director of the Free Expression Project for the Center of Democracy and Technology. Ladies, thank you so much for being here today. First off, for those who don't know, could you explain what the EARN IT Act is and what it hopes to accomplish?
Speaker 0
1:18 – 2:58
Sure. The primary thing that the EARN IT Act does is that it makes a website's liability for what its users post contingent on that website abiding by a set of to-be-determined best practices that specifically target child sexual abuse material. So right now, websites of all shapes and sizes that host user-generated content, so that's Facebook, Twitter, YouTube, the local newspaper that has a comment section. Those websites are all protected from being held liable or responsible for what their users post under a law known as Section 230. Section 230 is great, because it really provides a level playing field. Small startups that don't have the legal or financial resources to review every single word a user posts can have a chance of competing against the big guys. But under the EARN IT Act, however, this isn't gonna be the case because websites of all these different sizes are gonna be required to certify that they adhere to this set of to-be-determined best practices. And those best practices are gonna be put together by a team of, a commission of 19 people, I believe, led by the attorney general. And, the commission is really kind of stacked with law enforcement and government interest. If EARN IT is passed, these people will be the ones who dictate a set of best practices that all companies must follow unless they wanna risk opening themselves up to being sued and brought to court for something that one of their thousands or millions or billions of users said, which under normal circumstances, under Section 230, wouldn't necessarily be the case.
Speaker 2
2:58 – 3:04
So these companies would essentially have to earn the protection of Section 230. Is that correct?
Speaker 0
3:05 – 3:18
That's correct. That's where the name comes from is that, these companies will have to earn that, that protection from liability by certifying that they have adhered to this set of best practices.
Speaker 2
3:18 – 3:29
We've heard about the EARN IT Act being a threat to end-to-end encryption. So, Hannah, could you explain more about the implications this will cause if the EARN IT Act is passed?
Speaker 3
3:30 – 5:38
So, to understand how the EARN IT Act could threaten end-to-end encryption, you sort of have to know what end-to-end encryption is. And end-to-end encryption basically means encryption where decryption is only possible for the people on the two endpoints of the conversation. So if I send Jamal a message, I can read it, Jamal can read it, and nobody else can. In a lot of current messaging systems that are not end-to-end encrypted, the platform that we're messaging over also actually has the capability to read that. So, if I were to send a message to Jamal over the platform Messenger or whatever, I could read it. Jamal could read it, but also the Messenger platform itself could decrypt it and read it. Now the reason that EARN IT in particular... So end-to-end encryption, where only Jamal and I can read it, obviously, has a lot of security benefits. Right? I don't have to worry about bad actors on the platform. I don't have to worry about, if they get hacked and my message gets leaked to the wider world. But because the messaging platform itself can't read the message, that means that they can't do things like scanning. Right? They can't check all of their messages to make sure that those messages don't contain illegal material. They can't check all of those messages for the presence of CSAM. So if one of the best practices in the EARN IT Act says something like scan all messages for the presence of CSAM, well, that means that they have to be able to access all those messages. Right? So the platforms then can't use end-to-end encryption. They have to use sort of a weaker form of encryption where they themselves can access the message. Now that, of course, then opens that up to all of the security threats that I mentioned before. What if there's a bad actor on that platform? What if they get hacked? What if even they get bought and sold and the message gets passed around and now somebody else owns it with a very different privacy policy than the original platform?
So it's a pretty serious weakening of the overall security of the message system.
Speaker 2
5:39 – 5:50
So with end-to-end encryption, is there any realm where we could potentially have a backdoor that only certain actors or government officials could access?
Speaker 3
5:52 – 7:35
Yeah. That would be great. Right? Like, if we could say only super trusted people can access this backdoor, but the reality is that doesn't tend to be how it works. It's incredibly hard to secure a backdoor to the point that no bad actor could ever use it, because it's sort of an obvious weakness in the system. Right? Like, if it's an end-to-end system, you have to target one of the endpoints. But if you know that there's a backdoor in the system, that would let you access basically all of the messages on that platform, well, that's the place where an attacker is gonna focus their efforts. Right? Right. Right. And, historically, like, it's just incredibly difficult to protect a backdoor. I mean, there was an initiative in the nineties, I believe, called the Clipper chip, which was essentially exactly what we're talking about. It was a backdoor that, you know, the idea was governments could access it, but nobody else could. What ultimately happened is researchers found a hole in that backdoor that would have made it accessible to basically any attacker. And that was, you know, a lot of very smart minds working on that. It's really, really hard to do correctly. And that's setting aside all of the issues of just it's pretty hard also in government to just prevent sort of purpose expansion. Right? So you have this backdoor that you wanna use for scanning for CSAM, for child exploitation material. Well, how do you then make sure that doesn't get repurposed for copyright? Right? Which is the thing that, you know, we might have a really different opinion about the pros and cons of scanning for copyright versus scanning for CSAM. But once you have that backdoor, it becomes pretty difficult to ensure that it doesn't get repurposed for other things, even legally.
Speaker 2
7:37 – 7:53
And speaking on repurposing, Mana, I wanted to check with you and see, if these backdoors were to open, could this possibly be a way for governments to surveil, to surveil another arena such as maybe immigration or anything like that?
Speaker 1
7:54 – 8:20
It's a good question. And I think that builds off of what Hannah just said. Once law enforcement has access to something, in this case, a backdoor, there is this risk that, it gets repurposed, or, you know, there's mission creep, that law enforcement will find other uses, for this new access. So, yes, this is a very real concern, that you just pointed out.
Speaker 2
8:22 – 8:26
And how does the EARN IT Act threaten prosecutions of sexual exploitation, Mana?
Speaker 1
8:28 – 16:24
Yeah. So this is the Fourth Amendment issue that a number of advocates have raised with respect to this proposal. The EARN IT Act, in short, risks turning private companies, so the entities that, you know, Liz mentioned, providers of online services like social media platforms, email, cloud storage, etcetera, into agents of the government for purposes of the Fourth Amendment, which could result in courts suppressing evidence of the child sexual exploitation crimes that the bill seeks to target. Which means... So, the whole purpose of this bill is to encourage, induce, coerce, whatever word you wanna use, to make companies earn their Section 230 protection by identifying and taking down CSAM. The whole purpose of this is to facilitate the protection of children and prosecuting those who create, distribute, and receive CSAM. CSAM is child sexual exploitation material. And the Fourth Amendment risk here is that the very purpose behind this bill could backfire because of its structure. And, to explain this a little better, I need to take a couple steps back. So under existing federal law, providers must report any CSAM that they find on their platforms to the National Center for Missing and Exploited Children, also known as NCMEC. NCMEC reviews these reports and passes them onward to law enforcement. And this current statute says if providers know about CSAM, they have to report it. And, this mens rea standard of having actual knowledge is really significant. And what's happening right now in industry, even though the knowledge standard is just knowing, a lot of providers have voluntarily undertaken processes to identify, to facilitate the identification and reporting of CSAM. So they use filtering tools to automatically find and report CSAM that might be on their platforms. But there's no obligation for them to do this because this federal law says they only have to have actual knowledge of the CSAM on their platforms.
And this voluntary component is super important in the Fourth Amendment context. The Fourth Amendment protects people against unreasonable searches and seizures by the government. For a search to be reasonable, it usually requires a warrant supported by probable cause. This is why the police get a warrant prior to entering your home or get a warrant prior to searching and seizing the contents of your email or chat communication. Private companies, however, are not governed by the Fourth Amendment. It doesn't apply to them. However, a private entity can be transformed into an agent of the government if a search at issue occurs at the direction of the government, not because the private company is the one choosing to do it. And if a private entity becomes an agent of the government, the Fourth Amendment applies to them. If there's no warrant secured prior to the search, the search becomes unreasonable. And the remedy in that situation is exclusion. So the product of the search likely couldn't be used in a prosecution. So in this case, if the government tells providers to go look for CSAM, providers won't get a warrant. The evidence collected as a product of that search will be excluded and it'll make it more difficult, or likely will be excluded. And it'll make it more difficult to hold the people who harm children responsible. And this is a really long way to do this process of defending the defendant in CSAM prosecutions. So, I mentioned that providers currently voluntarily scan for CSAM. They report that material to NCMEC and then NCMEC coordinates with law enforcement. Defendants have tried in the past to challenge what providers are currently doing and have thus far been unsuccessful because courts look at the current statute and point out that there's no obligation for providers to run these searches. They're acting as a private entity.
However, with respect to NCMEC, the defendant was able to successfully contend that what NCMEC does and how Congress has intervened in granting it certain statutized powers makes NCMEC either a government entity or a government agent. And this case is United States v. Ackerman. And in that case, the defendant allegedly sent CSAM using his AOL account. AOL flagged that email via its filter that it voluntarily used, or it implemented, sent the report to NCMEC without looking at the email. An NCMEC analyst opened that email, looked at the attachments, affirmed that they received them and sent it off to law enforcement. And the defendant then argued that NCMEC, a nonprofit, fashioned through a statutory framework that produces this special relationship between NCMEC and law enforcement, was a government entity requiring a warrant to search the contents of that email. And the defendant was successful, and this has made the work that NCMEC does in that case the more difficult, but not impossible. So this is a real threat, and we're concerned that the EARN IT Act will have the effect of transforming private companies into agents of the government because of the bill's coercive structure, as Liz explained at the top of this podcast. First, the bill conditions Section 230 shields against lawsuits, prosecutions for CSAM, unless providers comply with a set of these best practices, or certify that they comply with these best practices, or they implement unspecified reasonable measures aimed at achieving that same goal. This alternative of implementing reasonable measures is not really a choice as providers would still have to go litigate in court the question of whether or not its measures are reasonable. So providers will feel immense pressure to comply with the best practices and self-certify. And as Hannah and Liz both mentioned, these best practices will undoubtedly include some filtering requirements.
So what providers are doing now, filtering through time stamp, looking for CSAM. The second thing the bill does that's coercive and has the effect, we think, of potentially transforming these providers into agents of the government is the bill reduces the mens rea for providers' liability from actual knowledge to recklessness. So, providers would become liable for a new set of civil penalties if they just recklessly rather than knowingly provide a service that people can use to distribute CSAM. And this will have the effect of coercing providers into looking for CSAM. So, it's possible that a court evaluating EARN IT when a defendant challenges, if EARN IT is passed and, you know, several years have passed since it's been implemented and a defendant can challenge this law, it's possible that a court evaluating this could determine that this structure has the effect of government telling the provider to run the search and then put the prosecution of a wrongdoer in jeopardy because of that remedy I mentioned, that the evidence could be excluded. So at the very least, this is a very fine line that Congress is walking and it's part of why we're alarmed by the bill.
Speaker 2
16:26 – 16:42
Wow. That is extremely alarming. If this goes out to the larger group, is there a way to protect our privacy as Americans while also working to fight this child sexual exploitation online? How do we work through that?
Speaker 0
16:42 – 17:50
So one of the challenges with, kind of with legislating in this space is that there's actually a pretty significant hurdle to informed policymaking. There's not a lot of available kind of information with respect to how referrals work coming from the tech companies to law enforcement, and then kind of NCMEC's involvement in that. In particular, there's not a lot of insight into the number of kind of successes or failures that have happened or end up happening as a result of these investigations. So it's really difficult to kind of get a good idea of the actual landscape in which we are working right now. So one of the things that CDT would strongly encourage is just kind of general efforts to increase accountability and transparency from all of the entities involved here. Because until we have a much better insight into the reality of fighting CSAM materials online, what works and what doesn't, it's gonna be difficult, if not impossible, to engage in informed policy making.
Speaker 3
17:51 – 19:35
Yeah. Definitely agree with everything Liz said. I think that there are also ways to even make our existing system more effective. Right? So one of the things that has been raised by some of the folks behind EARN IT is that tech companies are really, there's some inconsistency in how they handle this. Right? There are tech companies that seem to be handling it pretty well, tech companies that are not so much. So there's a lot of room for tech companies to expand the way that they support law enforcement without actually changing anything that they're doing on the back end. Right? So being clear with law enforcement about what they do have access to and what they are able to provide law enforcement. So that's things like metadata, like when a message was sent, you know, even who it was sent to, not necessarily the content, who it was sent to, when it was sent, even things like location data, which obviously can be important for, like, active cases. So there's definitely room for tech companies to just build out their interface with law enforcement more effectively. There's also things that people are working on on the technical side, like increased, more effective reporting structures. Still allowing reporting to happen if one of the participants in a conversation wants to report something, make that happen more effectively and make that something that companies and then later law enforcement are able to act on more effectively. There's some protocols in place called message franking, which is the kind of idea that you can report in an end-to-end system with still being able to, like, trace some of the things about that report, which could then be important later for prosecution. So there's certainly things that are happening in the space already without, you know, threatening things like end-to-end encryption or raising, you know, First or Fourth Amendment concerns.
Speaker 0
19:37 – 20:17
One other thing I will mention is the need for additional resources, particularly financial resources, in this space. You know, we have heard that sometimes tech companies are hearing, when they are sending referrals to law enforcement agencies, that the law enforcement agencies themselves don't have adequate resources to respond to these referrals in a timely manner. And when we're talking about child sexual abuse materials, timeliness is really key and really critical. So whatever we can do to increase the resources that are necessary to make the existing efforts actually effective is another approach.
Speaker 2
20:21 – 20:37
Thank you so much for joining us here today. To learn more about CDT's work on encryption, free speech online, or security and surveillance, please feel free to visit us at cdt.org and check us out on Twitter, Facebook, and LinkedIn at CenDemTech. Thank you so much for
Speaker 1
20:40 – 20:40
joining.