Last year, Apple announced a controversial plan to install photo scanning software in every device. Apple has long been seen as a pro-privacy company—billboards emblazoned with the slogan “What happens on your iPhone, stays on your iPhone” were common sights in 2019. A global coalition pushed back, and the company paused the plan.
Now, Congress wants to force Apple’s hand—along with essentially every company that allows users to store or share messages or content—and effectively mandate such scanning.
While Apple’s plan would have put the privacy and security of its users at risk, the EARN IT Act compromises security and free speech for everyone. The bill would create serious legal risk for businesses that host content—messages, photos stored in the cloud, online backups—and, potentially, even cloud-hosting sites like those using Amazon Web Services, unless they use government-approved scanning tools.
The bill’s proponents claim that this isn’t a problem for any service as long as it is scanning files, and then reporting Child Sexual Abuse Material (CSAM) to law enforcement. Internet companies are already required to report suspected CSAM if they come across it, and they report on a massive scale that comes with a lot of mistakes. Facebook is often held up as a positive example by lawmakers, but while new scanning techniques there have produced many millions of reports, many of them are apparently inaccurate. Federal law enforcement has frequently (mis)used the massive number of reports to suggest there has been a huge uptick in CSAM images. They won’t stop there.
Nor will the demands stop at the U.S. border. Once U.S. law enforcement agencies are accustomed to getting a constant stream of reports back from nearly every company hosting or sending content online, other democracies—and then authoritarian regimes—will demand the same tools, and use them to root out dissent. The rules envisioned by EARN IT sponsors don’t leave room for any company, small or large, to use uncompromised encryption and protect user privacy.
The bill would also create an unelected federal “commission” headed by the Attorney General and the Secretary of Homeland Security, and dominated by law enforcement personnel. This commission would be responsible for setting best practices for tech companies to follow. It’s very likely some states will use that as a basis to create laws enforcing scanning and reporting, upon pain of criminal prosecution and costly civil litigation. Because online companies operate in every state, they’ll be required to follow whichever state law is harshest.
Apples and Oranges (and Amazon)
In fact, the lawmakers behind this bill have already made the plan clear: in a “Myths and Facts” document about the bill, lawmakers take aim at Amazon, of all companies, for its limited reporting of CSAM:
According to NCMEC’s 2020 statistics on reports of the online exploitation of children, while Facebook issued over 20 million reports that year, in contrast Amazon (which hosts a significant percentage of global commerce and web infrastructure) reported 2,235 cases.
As Techdirt’s Mike Masnick put it, that’s because Amazon and Facebook are in completely different businesses. Facebook’s larger number of reports is consistent with its business model of sharing content between users. Meanwhile, Amazon is in the entirely separate web hosting business. Apple, which is also not in the social media business, will no doubt also be in lawmakers’ crosshairs.
In a 2019 Senate Judiciary Committee hearing on encryption, Senator Graham—a coauthor of the EARN IT Act—told representatives from Apple and Facebook that encryption was not going to block them from access: “You’re going to find a way to do this or we’re going to go do it for you.” Former Attorney General Bill Barr, who would have headed the commission under the previous administration, specifically clashed with Apple on its encryption and noted he was searching for a legislative solution to allow investigators access to encrypted materials. The EARN IT Act, originally introduced when Barr was still Attorney General, is just that.
EARN IT doesn’t specifically attack encryption, but that’s because it doesn’t have to. Instead, it allows encryption to be used as evidence against a company in order to find it liable for hosting CSAM.
The end result is clear: state laws will make companies liable if they don’t scan and report user content for CSAM, which they can’t do unless they break encryption. Apple will likely fold, as will many other companies, in order to protect themselves. EARN IT would thus coerce sites, platforms, and services to do this sort of scanning, not just on messages, but on practically all online content, encrypted or not. Companies that handle online content would have to weigh the benefit to their users of securely encrypting their content against the legal risk of doing so, and encryption becomes a much harder ask when it might put a company’s bottom line at risk.
All of the concerns around Apple’s device scanning are magnified in the EARN IT Act. Signal—one of the best examples of secure, private, end-to-end encrypted messaging—stated in 2020 that they may not be able to operate in the U.S. if EARN IT becomes law. But end-to-end encryption isn’t just for messages—it secures much of the internet, keeping you and what you do online private and safe. You can’t have a secure internet where all its content is also screened, because you can’t have end-to-end encryption alongside mass scanning requirements. This isn’t just an attack on encryption—it’s an attack on the fundamental security of the internet. As experts have said before, this sort of scanning is in direct conflict with privacy and security.
If EARN IT becomes law, what happens on your iPhone won’t stay on your iPhone. It will be scanned by a government-approved tool like everything posted on Facebook. And what happens on your website, in your cloud backups, behind your DMs, and pretty much everywhere else online will be right behind it.