21 February 2020

Congress, Not the Attorney General, Should Decide the Future of Encryption

By Alan Z. Rozenshtein 

The debate over end-to-end encryption focuses on the substantive question: Should encryption be restricted to help law enforcement, or do the privacy and security benefits of this technology outweigh its costs? A draft copy of the EARN IT Act, which could deprive platforms that use end-to-end encryption of their immunity from civil suit under Section 230 of the Communications Decency Act for child exploitation materials posted by users, has a set off a new round of debate.

But the encryption debate frequently ignores the vital procedural question: Who should decide? The EARN IT Act puts that question front and center by giving the attorney general the ultimate say in setting the “best practices” that will give Section 230 immunity for child exploitation suits. (And given Attorney General William Barr’s recent statements criticizing end-to-end encryption, it is reasonable to think that he might include forgoing end-to-end encryption in the best practices.) Passing the buck to the attorney general is a bad idea.


As a threshold matter, the attorney general is not the right person to make this decision. Encryption is an issue that implicates many competing values, but the attorney general’s natural focus will be on the subset for which he is responsible: fighting crime. His decision-making will reflect this priority, potentially at the cost of other values. This is not meant to single out the attorney general. It wouldn’t make sense to put sole authority to determine best practices in the hands of the secretary of commerce, whose primary responsibility is the economic competitiveness of U.S. industry, not law enforcement effectiveness. Decisions about encryption should not be delegated to one agency alone.

More fundamentally, the question of whether to permit ubiquitous encryption is the sort of high-level policy decision that is best handled not by the executive branch but by Congress, which best represents the public and its different constituencies and interests. Congress doesn’t have to do the technical heavy lifting; it could, for example, organize an expert committee to offer proposals or even outsource that job to various executive agencies, which could then return competing recommendations. But the legislature shouldn’t shirk its responsibility to make this tough decision. To this extent, critics of the EARN IT Act, such as Stanford’s Rianna Pfefferkorn, are right to call it a “bait and switch,” designed to limit encryption while giving legislators space to deny that’s what they’re doing.

In the meantime, there’s plenty that Congress can do to help fight child exploitation without prematurely wading into the encryption fight. And the easiest way to accomplish that is to explicitly make any child exploitation bill neutral on the issue of encryption. Congress has included neutrality riders before, in CALEA (47 U.S.C. § 1002(b)(3)) and, more recently, in the CLOUD Act (18 U.S.C. § 2523(b)(3)). In the case of the EARN IT Act, for example, Congress could exclude anything related to encryption from the list of best practices.

The decision whether or not to restrict end-to-end encryption is too important to be made indirectly. Congress should ultimately decide—and if it wants to delay that decision, it shouldn't let anyone else do its job in the meantime.

No comments: