Senator Blumenthal, After Years Of Denial, Admits He's Targeting Encryption With EARN IT
from the he-just-came-out-and-said-it dept
Senator Richard Blumenthal has now admitted that EARN IT is targeting encryption, something he denied for two years, and then just out and said it.
Since the very beginning many of us have pointed out that the EARN IT Act will undermine encryption (as well as other parts of the internet). Senator Richard Blumenthal, the lead sponsor on the bill, has insisted over and over again that the bill has nothing to do with encryption. Right after the original bill came out, when people called this out, Blumenthal flat out said "this bill says nothing about encryption" and later claimed that "Big Tech is using encryption as a subterfuge to oppose this bill."
That's been his line ever since -- insisting the bill has nothing to do with encryption. And to "show" that it wasn't about encryption, back in 2020, he agreed to a very weak amendment from Senator Leahy that had some language about encryption, even though as we pointed out at the time, that amendment still created a problem for encryption.
The newest version of EARN IT replaced Leahy's already weak amendment with one that is a more direct attack on encryption. But it has allowed slimy "anti-porn" groups like NCOSE to falsely claim that it has "dealt with the concerns about encryption." Except, as we detailed, the language of the bill now makes encryption a liability for any web service, as it explicitly says that use of encryption can be used as evidence that a website does not properly deal with child sexual abuse material.
But still, through it all, Blumenthal kept lying through his teeth, insisting that the bill wasn't targeting encryption. Until yesterday when he finally admitted it straight up to Washington Post reporter Cat Zakrzewski. In her larger story about EARN IT, I'm not sure why Zakrewski buried this point all the way down near the bottom, because this is the story. Blumenthal is asked about the encryption bit and he admits that the bill is targeting encryption:
Blumenthal said in an interview that lawmakers incorporated these concerns into revisions, which prevent the implementation of encryption from being the sole evidence of a company’s liability for child porn. But he said lawmakers wouldn’t offer a blanket exemption to using encryption as evidence arguing companies might use it as a “get-out-of-jail-free card.”
In other words, he knows that the bill targets encryption despite two whole years of blatant denials. To go from "this bill makes no mention of encryption" to "we don't want companies using encryption as a 'get-out-of-jail-free card'" is an admission that this bill is absolutely about encryption. And if that's the case, why have their been no hearings about the impact this would have on encryption and national security? Because, that seems like a key point that should be discussed, especially with Blumenthal admitting this thing that he denied for two whole years.
During today's markup, Blumenthal also made some nonsense comments about encryption:
The treatment of encryption in this statute is the result of hours, days, of consultation involving the very wise and significant counsel from Sen. Leahy who offered the original encryption amendment and said at the time that his amendment would not protect tech companies for being held liable for doing anything that would give rise to liability today for using encryption to further illegal activity. That's the key distinction here. Doesn't prohibit the use of encryption, doesn't create liability for using encryption, but the misuse of encryption to further illegal activity is what gives rise to liability here.
This is, beyond being nonsense word salad, just utterly ridiculous. No one ever said the bill "prohibited" encryption, but that it would make it a massive liability. And he's absolutely wrong that it "doesn't create liability for using encryption" because it literally does exactly that in saying that encryption can be used as evidence of liability.
The claim that it's only the "misuse of encryption" shows that Senator Blumenthal (1) has no clue what he's talking about and (2) needs to hire staffers who actually do understand this stuff, because that's not how this works. Once you say it's the "misuse of encryption" you've sunk encryption. Because now every lawsuit will just claim that any use of encryption is misuse and the end result is that you need to go through a massive litigation process to determine if your use of encryption is okay or not.
That's the whole reason why things like Section 230 are important, because they avoid having every company have to spend over a million dollars to prove that the technical decision they made were okay and not a "misuse." But now if they have to spent a million dollars every time someone sues them for their use of encryption, then it makes it ridiculously costly -- and risky -- to use encryption.
So, Blumenthal is either too stupid to understand how all of this actually works, or as he seems to have admitted to the reporter despite two years of denial, he doesn't believe companies should be allowed to use encryption.
EARN IT is an attack on encryption, full stop. Senator Blumenthal has finally admitted that, and anyone who believes in basic privacy and security should take notice.
Oh, and as a side note, remember back in 2020 when Blumenthal flipped out at Zoom for not offering full end-to-end encryption? Under this bill, Zoom would be at risk either way. Blumenthal is threatening them if they use encryption and if they don't. It's almost as if Richard Blumenthal doesn't know what he's talking about regarding encryption.
Filed Under: earn it, encryption, liability, richard blumenthal