We are digital rights advocates from the Electronic Frontier Foundation opposing the EARN IT Act, supporting CDA 230, and opposing backdoors to encryption. Ask Us Anything!

Hi, /u/EFForg. Thanks for doing an AMA!

It's despicable that while most Americans are focused on other areas of importance, this bill is being considered for legislative action.
1. What do you think can be done to help draw attention to this bill before it's too late?
2. What can concerned citizens do that will have the most impact on getting the bill rejected?

Hi! We really think this is an important issue and are glad you and others are here thinking and talking about it. The best thing you can do to draw attention and to have the most impact is to email your House Reps and your Senators. We have an action you can use here, but you can also raise this issue at local Townhalls or other events with your local elected officials.

At the same time, we don’t feel like this issue has been buried or ignored. It has continued to get press and social media attention. Since this is a time of great crisis around the world, it’s not surprising that Americans and everyone have a lot of things on their minds. We certainly don’t blame journalists or the public for dividing their attention.

This bill itself has been around for a while and so we don’t feel that its drafters are opportunistic in their timing. We do hope that the Congress will conclude, at the very least, that there are other things it should be dealing with first!

A bill like this seems to pop up every year (CISPA, SOPA, PIPA) and it always seems the largest tech companies with the widest reach always wait until the very last minute to bring attention to this. Why are tech companies so reluctant to speak up sooner and what can average citizens do to educate others on these issues to a non-technical audience?

It’s hard for us to speak for technology companies. But we know that they have many policy issues that they care about, and sometimes those are the ones that take precedence over the ones we care about. We stand with tech companies when they stand with their users, but sometimes they don’t have their users’ best interests at heart. More generally, we encourage average citizens to read the news, follow EFF :), and engage with their members of Congress through emails/letters/phone calls and town halls.

When will the senate judiciary committee bring up the EARN IT ACT? Do you know if the house plans to bring up the EARN IT ACT AND HOW LIKELY WILL IT BECOME LAW? 3 questions

These are three great questions! We don’t yet know if the Senate Judiciary Committee will mark-up EARN IT, but if they do, it will be noticed on their website here: https://www.judiciary.senate.gov/. As far as we know, the House has no plans to bring the bill up, but of course, that can change. That’s why it’s super important for everyone to contact their House Rep and their Senators and tell them they oppose this bill - that’s what helps us prevent it from becoming law. You can use our action alert here (and feel free to tell your friends): https://act.eff.org/action/protect-our-speech-and-security-online-reject-the-graham-blumenthal-bill

What are your thoughts on the significance of EARN IT to Signal in particular? Are there broader lessons to be learned?

Signal itself has some thoughts about EARN IT, so we encourage you to take a look at their thoughts: https://signal.org/blog/earn-it/

That is a frustratingly evasive response.What does the EFF think?

We share Signal's concerns!

My own sense is that this represents a case of the potential for policy to undermine technology when that technology is centralized, so a broader lesson would be "don't be centralized, who knows what the policy future holds." Do you agree with that? If EARN IT passes, will the EFF still recommend that supporters use Signal? (Would Signal moving out of the US help)?

The issue of companies being required in secret to undermine encryption is also one that we care a lot about—the prospect has come up in Australia and the U.K. recently—but it hasn’t been a focus of the EARN IT debate. We hope that, if EARN IT passes, none of the Commission recommendations would call on tech companies to do anything secretly or non-transparently. In fact, requiring a company to lie about its encrypted products would be yet another reason the law was unconstitutional. Under the First Amendment, these companies should continue to be able to explain forthrightly what they do or don’t do. At the very least, any changes should be communicated to users so they can decide whether to continue using the product.

How would this bill stop me from using an e2e encryption service like signal?

The bill does not try to regulate your own use of encryption tools. It might, however, create legal incentives that cause developers of some communication tools to change or withdraw those tools (or shut down or move their companies). We don’t know yet how each company would respond, but we fear that the Commission recommendations under EARN IT could create legal incentives for some companies or services to shut down. For more on Signal’s own thoughts about these risks, please see https://signal.org/blog/earn-it/

How will adopting decentralization and blockchain change our ongoing infringements on privacy?

What can be done to prevent ignorant decision makers from having influence in the technology sector?

Decentralization is near and dear to our hearts and we’re happy to see the enthusiasm people continue to have for re-decentralizing the Internet. We’ve seen that decentralization comes with engineering tradeoffs of various kinds, and so far centralized services in most areas seem to be offering the combination of features that’s most appealing to users in most areas. Hopefully that can change, but our enthusiasm for decentralization alone probably won’t be enough to carry through such a major shift. Congress has the constitutional power to pass laws that impact interstate commerce, which encompasses quite a lot of the technology sector. We try to educate lawmakers on many aspects of technology and the Internet, and we would suggest that all of you, as constituents, make sure you contact your elected officials when you think they get it wrong. Members and senators want to hear from people back home about how proposed laws would impact their industries. We also urge technologists to do public interest work for part of their careers! For example, you can apply for a TechCongress fellowship: https://www.techcongress.io/. Or work for a non-profit like EFF! :)

Are you worried that the current unrest in the US will take away attention from this bill such that it will pass with less opposition?

We’re very concerned about this bill, or something similar, passing. We’ve seen quite a lot of threats to Section 230 recently, including the President’s recent Executive Order. (Our thoughts on that Executive Order are here: https://www.eff.org/deeplinks/2020/05/dangers-trumps-executive-order-explained. Several lawmakers have been vocal about their desire to change Section 230 in various ways, and we don’t expect this threat to go away.

Congress certainly has many pressing issues to consider right now. We hope that Congress does not rush to enact this law, and the best way to prevent that is to take action: https://act.eff.org/action/protect-our-speech-and-security-online-reject-the-graham-blumenthal-bill

What, in your opinion, is the best way to prevent the use of technology for the sexual exploitation of children, which is what the EARN IT act aims to do, without compromising one's data and infringing one's privacy?

We hesitate to suggest outlawing the use of technology for certain purposes, which would likely create constitutional problems. We understand that platforms may be able to creatively do more in the way they voluntarily manage their services. EARN IT, however, would effectively require platforms to be managed in certain ways, which is problematic for practical and constitutional reasons. And while we’re not experts in child safety, we do agree with members of Congress and advocates who believe resources would be better spent in prosecuting perpetrators, helping victims, and minimizing the risk that someone will become a perpetrator or a victim.

Hi, EFF. Thanks so much for being here!

I was struck by this passage in your excellent article:

Although the bill doesn’t use the word “encryption” in its text, it gives government officials like Attorney General William Barr the power to compel online service providers to break encryption or be exposed to potentially crushing legal liability.

Past attempts to outlaw real encryption were up-front about it, making it a central point of their efforts. Now, it seems like these authoritarian-leaning forces are trying to disguise the effect of their dangerous bills.

I suppose in some ways, it's a testament to the success of groups like you, and individuals such as ourselves, to beat back these attempts.

1) Do you think that future anti-democratic efforts will be similarly nuanced and deceitful? Any good tips on how to best see through future attempts to disguise the harmful nature of new proposals?

And,

2) What would you say to skeptics who claim that since the pernicious measures we fear aren't spelled out literally in the bill's text, that we're overreacting to a "common-sense" proposal that will be overseen by sober, Constitution-loving law enforcement officials (who've never, ever engaged in overreach in the past, 'natch)?

PS: who's participating from your side in this IAMA? You guys are usually pretty good as far as highlighting who we're talking to, so don't be shy! 😆

1) Previous efforts in the crypto wars have used, for example, the specter of drug dealers (like the Clipper Chip debate in the ‘90s) and terrorists (like Apple v. FBI in 2016) to push for backdoors to encrypted data. It hasn’t worked yet, though we have no reason to believe the DOJ will stop using these tactics in the future.

We’ve also seen how liability rules affect Internet intermediaries’ incentives, which can be subtle and somewhat far removed from the ultimate consequences for online speech and privacy. Since so much of our online life is intermediated or hosted by companies nowadays, the companies’ practices and policies, often heavily influenced by legal rules about what the companies can be held liable for. (That can include issues with Section 230, as well as Section 512 of the Digital Millennium Copyright Act and other laws.) In the speech context we put up a piece a couple of years ago at https://www.eff.org/free-speech-weak-link that points out how many different people are typically involved in letting a speaker reach an audience. If the legal rules change in ways that make those intermediaries more wary, their behavior can have major consequences for Internet users. EARN IT is one example of legislation that proposes to erode the Section 230 system in order to change platforms’ behavior in broad ways, yet without directly legally commanding platforms to do specific things.

The indirect nature of these incentives makes it trickier to talk about and analyze this stuff!

2) Skeptics have defended the bill by pointing out that it can’t be about encryption since the word “encryption” does not appear in the text. We think that’s unpersuasive in light of the broad power granted to the Department of Justice, and Attorney General Barr’s explicitly stated goal of gaining access to encrypted communications.

PS - EFFers helping with answering questions today include Sophia Cope (Senior Staff Attorney), Gennie Gebhart (Associate Director of Research), India McKinney (Director of Federal Affairs), and Seth Schoen (Senior Staff Technologist).

Would this bill affect running encrypted Matrix servers in the US?

Would this bill affect self-hosting encrypted chat servers?

Does this bill in any way affect usage of Tor and other privacy tools in making ISPs punish users or flag people to be more closely monitored?

If self-hosting instances of Friendica and Pixelfed in the US, does this affect the user hosting it and members of that instance?

These specific implications are complicated to predict, first because the bill creates such an open-ended process for writing the actual detailed rules, and second because the legal calculus for a particular service will depend on exactly what that service does and what appetite it has for different kinds of risk.

People who are operating all of these things have good reason to be concerned about this legislation. It could certainly apply to all different kinds of platforms that put people in touch with one another, not just major tech companies. Smaller services also depend on the liability protections of Section 230!

What is the EFF doing to spread greater awareness of these critical issues? Are there plans for advertising campaigns and coordination with other civil rights groups? Meetings with lawmakers?

Our action alert is here: https://act.eff.org/action/protect-our-speech-and-security-online-reject-the-graham-blumenthal-bill

We have also written several blog posts: https://www.eff.org/deeplinks/2020/03/earn-it-act-violates-constitution https://www.eff.org/deeplinks/2020/03/earn-it-bill-governments-not-so-secret-plan-scan-every-message-online https://www.eff.org/deeplinks/2020/03/graham-blumenthal-bill-attack-online-speech-and-security https://www.eff.org/deeplinks/2020/06/sex-worker-rights-advocates-raise-alarms-about-earn-it

We met with a few Senate offices in person in March before the COVID19 pandemic shut down meetings, and we continue to communicate with offices via email. Protecting CDA 230 and keeping encryption strong are a core part of EFF’s mission, so will continue to do outreach on this issue.

How will the EARN IT Act affect free and open-source software? Such as Matrix and Riot.im?

If the free/open-source project is self-hosted and accepts third-party contributions, the managers of that project would be subject to EARN IT. Or if a platform like GitHub hosts software from others, that platform would also be subject to EARN IT.

Developers of secure communications tools have expressed the concern that some communications software projects that also provide a service to help their users reach each other might also arguably have things to worry about in EARN IT, particularly if the developers themselves host some of that infrastructure.

Hi u/EFForg, thanks for doing this AMA and fighting the good fight when it comes to digital rights and privacy.

Two questions:

1. In light of current events, what can people do to protect themselves if they choose to protest in person or online, especially in regards to their data? You’ve created an excellent pocket guide for protecting privacy at the border – is there a similar resource you could share for protests?

2. Your team has considerable experience in dealing with digital rights issues. In your eyes, how have the matters of encryption, surveillance, and censorship at a government level changed, perhaps for the worse, in recent years?

Thanks again for your work. I encourage all those who are able to donate to EFF and ACLU (with whom EFF has partnered on many important cases).

Thank you! We’re just about to wrap up, but we didn’t want to leave you hanging without our newly updated Surveillance Self-Defense guide for attending protests: https://ssd.eff.org/en/module/attending-protest

Can Senator Wyden of Oregon put a block on the EARN IT act once it comes to the senate floor. If Senator Wyden can, how long can the block last before the senate can override the block?

Senator Wyden can put a hold on the bill. But, if the Senate has 60 votes to invoke cloture, they can move past that hold.

If you had to predict, what do you think is more likely to happen over the next few years: Congress and the Pres eventually pass a law addressing encrypted devices and law enforcement searches, or this problem is left to the courts?

If history is any guide, the government will try to use both the courts and Congress to weaken encryption. EFF will continue to fight for users’ security in both courts and Congress.

I honestly do no know much about this however will it be a widespread thing that affects everyone? or could companies decide to not abide to this and keep their more user centric privacy view or does it give the companies the option to go with these more invasive practices?

The EARN IT bill would put more conditions on when technology companies can benefit from the protections of an existing law that limits platforms’ liability for what their users post: https://en.wikipedia.org/wiki/Section_230_of_the_Communications_Decency_Act. This law has been extremely important for free speech online: it underlies the structure of our modern Internet and allows online services to host diverse forums for users’ speech. Companies could decide NOT to comply with the Commission's “recommendations” that EARN IT requires. But they would then lose Section 230 protection and thus be exposed to more legal liability. In that context, companies might be incentivized to broadly censor your content or simply not host it.

Well, I'll throw a slightly different question:

I currently work in the realm of (mostly political) fundraising. Is that something the EFF might be in need of?

Just looking for other ways to help in the fight for Privacy laws...

You can take a look at https://www.eff.org/about/opportunities to see when we have job opportunities here at EFF. Thanks for your interest!

Thank you for being here. What are some key talking points that we can use to educate friends and family on the significance of this Act?

The points and arguments in this post might help: https://www.eff.org/deeplinks/2020/03/earn-it-bill-governments-not-so-secret-plan-scan-every-message-online

Any alternatives to monitor/detect CSAM on end-to-end services that don't pose threats to cybersecurity? (Seeing that third-party access, lawful hacking and other "workarounds" all weaken security of end-to-end)

There are efforts to detect abusive patterns via metadata (https://ssd.eff.org/en/module/why-metadata-matters), like Facebook Messenger’s new Safety Alerts (https://www.wired.com/story/facebook-messenger-safety-alerts-encryption/). Law enforcement also has a lot of other tools at its disposal - it doesn’t need to read our messages (https://slate.com/technology/2015/07/encryption-back-doors-arent-necessary-were-already-in-a-golden-age-of-surveillance.html).