CDT predicts that it will invite prolonged litigation over whether potential liability is “because of” the provider’s use of encryption (if so, the case is barred) or because of some other reason (if so, no bar).[3] CDT told CyberScoop that the “consistent threat of litigation … will be a strong disincentive against providing [end-to-end encryption] and continuing to have to defend that decision in court.” With potentially wide variation in state CSAM laws, “the worry,” as Techdirt says, “is that we won't know whether or not offering end-to-end encryption would be seen as violating state laws until long and costly cases go through their lengthy process.” The Internet Society’s Joe Hall agreed, telling CyberScoop that the amendment is “a fig leaf of protection for strong encryption” that leaves providers “to fight it out in court, which is far from cementing protection and clarity for encryption, the bedrock of our lives on the internet and in the real world.” I couldn’t have said it better.
It’s not clear how many cases against providers would actually be precluded by Leahy’s amendment. Plaintiffs and state AGs could readily come up with other grounds besides encryption on which to premise liability for an encrypted service (at least as a pretext, even if encryption is really the ultimate reason they’re mad). CDT also points out that the Leahy amendment doesn’t stop the AG-headed commission from recommending anti-encryption best practices (as any commission with Bill Barr at the helm will likely do). That would’ve been a freebie for Leahy to throw in, especially with the commission’s fangs removed anyway.
I also think the Leahy amendment doesn’t go far enough. The carve-out’s section header is about “cybersecurity protections” not giving rise to liability. But the text is only about encryption. What about other kinds of cybersecurity protection? Those should not give rise to liability either; federal policy should incentivize providers to protect their users’ security, not dissuade them from doing so – especially now that COVID-19 has moved so many Americans’ work, school, and other life activities online. What about mechanisms for accessing otherwise-encrypted information that technically “don’t touch the encryption,” such as the ghost user proposal, client-side scanning, or the custom version of iOS that the FBI tried to force Apple to create in the 2016 “Apple vs. FBI” showdown? The way I read the Leahy amendment, I’m not sure it would preclude liability if a provider fails to take measures such as those.
The Leahy amendment is certainly better than nothing, and the language is more thorough than it could have been. But it’s not the silver bullet that some are holding it out as in terms of answering critics’ concerns about how EARN IT could potentially discourage encryption and harm cybersecurity.