The Revised EARN IT Act Proposes a Better Process for Encryption Policy
In January, Sens. Richard Blumenthal and Lindsey Graham circulated an early draft of the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of 2020. Blumenthal and Graham’s proposal would strip companies of the immunity that platforms receive under Section 230 of the Communications Decency Act in the case of child-exploitation materials posted by users, unless the companies complied with to-be-determined “best practices.” Because encryption can stymie attempts to prevent, investigate and prosecute child-exploitation offenses—and because Attorney General William Barr has criticized encryption on these grounds—internet-freedom advocates strongly criticized the draft as an attack on encryption. I myself criticized the draft bill on process grounds, arguing that it gave the attorney general too much power and that Congress should make the ultimate policy call about the future of encryption.
On March 5, the EARN IT Act was formally introduced in the Senate—after major revisions to the original draft. This new version is unlikely to win over encryption advocates, who have already harshly attacked it. But the revision is a major improvement over the initial draft and comes very close to putting forward a reasonable process for making decisions about the role of encryption in American society. In particular, the new version strengthens the process for addressing encryption at three levels: the commission that proposes best practices, the executive branch agencies that approve those best practices and the Congress that enacts them into law.
The EARN IT Act would set up a 19-member commission (Section 3(c)) to develop best practices that companies would have to adopt to get immunity. Three spots would be reserved for the attorney general, the secretary of homeland security and the chairman of the Federal Trade Commission (FTC). The other 16 members, to be chosen by the heads of each party in the House and Senate, would include four representatives from law enforcement, four from the community of child-exploitation victims, two legal experts, two technology experts and four representatives from technology companies. The support of 14 members would be required to approve any best practices. This means that, acting as a bloc, the companies along with the legal and technological experts could block any best practices—although Eric Goldman argues that there’s no guarantee that this group will in fact vote as a bloc.
Although the structure of the commission is better than it was in the previous version, it could still be improved substantially. For example, under the current proposal, the attorney general would serve as the commission chair and thus would have substantial process and agenda-setting powers; given this advantage, perhaps only two, rather than four, of the commission members should also come from law enforcement. In addition, the existing qualifications for the technology experts make encryption expertise optional; given the stakes, high-level expertise in encryption should be mandatory, at least for one of the experts. No doubt there are additional tweaks that could—and, as the bill goes through markup, will—be made to the makeup and operation of the commission.
Once the commission makes its recommendation on best practices, the recommendation must be approved by the attorney general, the secretary of homeland security and the FTC chairman (Section 4(b)(1)). This is substantially better than the approval process in the previous draft. First, the attorney general can no longer act alone but must get the approval of two other agencies—in particular the FTC, which has, at least in the past, favored encryption. Second, in the previous bill the attorney general could modify the recommendations for any reason, rendering the commission merely advisory. But here the attorney general, along with the other two agency heads, must accept or reject the recommendations outright.
Finally, before any recommendation goes into practice, Congress must enact it (Section 4(c)). This is a major change from the previous draft, which provided that the recommendations would enter into force unless Congress affirmatively rejected them. Under the new draft, Congress, not the executive branch, will have the last word on the future of encryption. (Some observers have criticized the fast-track procedures the act sets out for approval of the considerations as meant to stifle debate, but fast-track procedures have proved to be an effective way to increase the chances that Congress acts on high-priority legislation.)
If the immediate reaction to the EARN IT Act is any indication, encryption advocates will fight hard against it. And that is an understandable reaction for those who think that any retreat from ubiquitous encryption will be disastrous for privacy, security and freedom. But if, like me, you think this is an issue with serious but uncertain costs and benefits on both sides, then the best thing to do is to build a good decision-making process by which to address the issue, and then to trust that this process will lead to the best decision that could reasonably be made amid immense complexity and uncertainty. That’s the most we can ever hope for when addressing hard policy problems in a democracy. The EARN IT Act’s focus on involving civil society, multiple parts of the executive branch and Congress is a major step forward in dealing with an issue as difficult as encryption.