The Effect of International Proposals for Monitoring Obligations on End-To-End Encryption
European and U.S. policymakers have proposed imposing monitoring obligations on Internet intermediaries to improve online safety. Despite their best efforts, these proposals risk undermining users’ privacy by eliminating the use of end-to-end encryption. Therefore, policymakers should not pursue them.
Introduction
In 2022, three separate government bodies published draft legislative proposals with the same goal: to protect members of their nation’s public while they are online. First, the U.S. Senate Judiciary Committee published the EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act of 2022 in January, a bill targeting child predation and criminal activity related to child sexual abuse material (CSAM) online. In March, the United Kingdom government introduced the Online Safety Bill, which requires search engines, social media firms, and other user-created content services to seek and remove a variety of online content through compelled monitoring obligations. And in May, the European Commission followed with its legislative proposal, focusing on protecting children from criminal activity and exploitation online.
The EARN IT Act, the Online Safety Bill, and the EU scanning proposal create monitoring obligations for online services to scan all content, including photos, private messages, and cloud files. While these bills have noble goals, each proposal would pressure Internet companies to prohibit end-to-end encryption (E2EE), a process that maximizes users’ privacy, free expression, and security online.
Rather than impose monitoring obligations on online services, policymakers should instead:
- exclude encrypted services from monitoring obligations,
- increase resources for national law enforcement agencies to find and prosecute criminal activity related to CSAM, and
- improve reporting from and coordination with online services to better enable national law enforcement agencies to track, remove, and prosecute illegal activity in a timelier fashion.
In 2021, online services in the United States issued 29.1 million CyberTipline reports of apparent CSAM to the National Center for Missing and Exploited Children. Reports such as these ensure that enforcement entities can find perpetrators and shield individuals from harm, and online services can identify and remove illegal content online. Law enforcement legislation that predates the rise and evolution of social media—such as the European Union’s Child Sexual Abuse Directive—could not predict or properly encompass how online crime and illegal activity has evolved. For that reason, future legislation needs to make it easier to find and prosecute bad actors and keep people safe, but any method of doing so cannot risk the online safety E2EE provides.
Read the full report. (PDF)
