Is the government 'sneakily' trying to change encryption rules?

A post now circulating on Instagram warns that pending legislation moving through Congress could allow the government to view anyone’s text messages and listen to phone conversations. 

The March 17 post, which received at least 5,000 likes, said, "While all COVID-19 news has been going on, the U.S. Government has been sneakily trying to remove end-to-end encryption, and it’s been working its way through Congress. If this passes, the government will be able to see all of your messages and listen to all of your calls, essentially removing all privacy from your conversations." 

The caption of the post refers to the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of 2020. The post says: 

"EARN IT Act threatens end-to-end encryption. 

"While we’re all distracted by stockpiling latex gloves and toilet paper, there’s a bill tiptoeing through the US Congress that could inflict the backdoor virus that law enforcement agencies have been trying to inflict on encryption for years.

"At least, that’s the interpretation of digital rights advocates who say that the proposed EARN IT Act could harm free speech and data security."

The bill in question was introduced in March 2020 and given a hearing by the Senate Judiciary Committee on March 11. 

Here are some key elements of the bill, according to sponsors and media reports: 

• The bill amends section 230 of the Communications Decency Act, which generally protects tech companies by saying they are not responsible for what users of their products upload. 

• It establishes a national commission to develop best practices to identify and report child exploitation. This commission would consist of the heads of the Justice and Homeland Security departments and the Federal Trade Commission, plus 16 other members appointed by Congress, and the guidelines would be subject to further approvals

• If child predators are caught on their systems, tech companies can either comply with these practices or abide by their own practices, as long as they’re approved by the commission. 

• The bill allows victims the chance to sue tech companies that don’t comply with practices approved by the commission. 

The impetus for the bill is data showing the volume of child sexual abuse files. Reporting from the New York Times and research collected from the National Center for Missing and Exploited Children CyberTipline show that in 2019, there were 16.9 million reports of problematic material, covering 69.1 million photos, videos and files of child sexual abuse, according to the Senate Judiciary Committee. 

Encryption is the process of encoding or scrambling a form of communication, such as an email or a text message, so that a key is needed in order to unscramble it, said Hannah Quay-de la Vallee, a senior technologist with the Center for Democracy and Technology, a group that supports civil liberties on the internet. This key — think of it as an extra-long password — is used to protect the data that is stored in a particular message.

In encrypted systems that are not "end to end," the tech platform that carries the message holds the keys to encode and decode the message. When two users message each other, Vallee said, "the first user sends the message to a platform — that is one encrypted stream — and the platform re-encrypts it, sends it to the second user, the receiver of the message, and that’s a separate encryption stream." 

But an "end to end" encryption system means that the two users exchanging the message have their own keys.  

End-to-end systems are more secure because only the two people communicating have keys, not the third-party tech platform over which their messages travel.

But that set-up limits a tech platform’s ability to monitor messages for evidence of abuse or exploitation. 

Featured Fact-check

Donald Trump

stated on March 22, 2024 in a Truth Social post

The New York civil fraud judgment against Trump and a plan to seize Trump-owned property “is simply a 'taking.' Much like what is done in communist countries."

The EARN IT Act’s primary sponsor, Sen. Lindsey Graham, R-S.C., argues that the bill won’t stop end-to-end encryption. In a press release, he called encryption "a serious issue in the enforcement of child sexual-abuse material laws."

In Graham’s view, passage of the bill means that tech companies will be forced to address child exploitation occurring on their networks. He argues that this is a narrow intervention and dismisses assertions that it is a slippery slope to wider government access to private data.

"Our goal is bring these companies to the table and give them a choice: Prevent the exploitation of children online and stop the proliferation of child sexual abuse material, or face the same liability as every other industry in America," Graham said in the release. 

The post is partially accurate in spotlighting the tech industry’s concerns surrounding the EARN IT Act.

The bill would require tech companies to provide the government access to certain information falling under the law, specifically that related to child exploitation.

Whether to give the government so-called backdoor access to customer messages and uploads is a long-running debate, going back to at least the 1990s. Historically, it has pitted law enforcement against technology companies and advocates for civil liberties.

Groups representing the tech sector have generally expressed concern about how much power the government should have to access user data in the name of pursuing lawbreakers. Dean Garfield, CEO of the Information Technology Industry Council, released a statement in 2015 responding to the government's attempts to circumvent encryption technology. 

"We deeply appreciate law enforcement's and the national security community’s work to protect us," he said, "but weakening encryption or creating backdoors to encrypted devices and data for use by the good guys would actually create vulnerabilities to be exploited by the bad guys," such as hackers.

The post leaves out important context about the status and scope of the bill.

For starters, there is no evidence that Congress is  "sneakily" advancing it during the coronavirus crisis, when lawmakers are expected to be away from the Capitol for safety reasons, except to pass urgent coronavirus legislation. Neither a committee nor the full Senate has voted on the bill yet, and the Senate will not meet again until at least April 20.

The portion of the post that says "the government will be able to see all of your messages and listen to all of your calls" — is also an exaggeration.

The bill in its current form is aimed at preventing the online sexual exploitation of children. It is not a green light for the government to spy on Americans willy nilly. While critics of the bill see it as a slippery slope — and there may be legitimate concern that the law could be abused — the post doesn’t mention any of the limits on the government’s powers.

Charlie Mitchell, editor of Inside Cybersecurity and the author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," said the government has for years made its case for securing access to encrypted communications using the most dire scenario — putting a stop to child predators. 

The tech sector tends to argue that once a backdoor is created, it could be exploited for other purposes.

Quay-de la Vallee acknowledged that there is nothing in the EARN IT Act that explicitly limits end-to-end encryption. But it may have that practical effect, she said, since the bill would establish guidelines that require companies to scan communications for illegal materials.

"If companies would have to do this scanning, in order to get this legal protection, then seemingly they’re doing this on behalf of the U.S. government, and that makes them agents of the government. This means that anything they found is now subject to Fourth Amendment unreasonable-search concerns," she said. 

The post said, "While all COVID-19 news has been going on, the U.S. Government has been sneakily trying to remove end-to-end encryption" which means "the government will be able to see all of your messages and listen to all of your calls."

If the EARN IT Act passed — which is not imminent — it would make it easier for law enforcement to demand information from technology companies about certain users of their services. But the bill is receiving public scrutiny and proceeding through Congress in a typical way, so it’s not accurate to describe it as sneaky.

The post is also misleading about the official scope of the act. Far from green-lighting government intrusion into "all" messages and calls, any such requests would have to be premised on a link to suspected child exploitation. 

Whether that limitation would hold in practice is hotly debated between civil libertarians and law enforcement.

The post contains an element of truth, but leaves out important context that would give a different impression, so we rate it Mostly False.