Late one night nearly a decade ago, an anonymous source contacted journalist Bastian Obermayer: “Hello. This is John Doe. Interested in data? I’m happy to share.” This cryptic message was the start of the Panama Papers investigation, the Pulitzer Prize-winning series of exposés based on a trove of leaked documents from the Panamanian law firm Mossack Fonseca revealing tax fraud and other financial misdeeds of the rich and powerful.
If not for encryption, however, the Panama Papers may never have been published. The source, concerned about threats to their life if their identity were revealed, insisted on using encrypted channels to talk to reporters and share data. The hundreds of journalists who collaborated on the investigation through the International Consortium of Investigative Journalists also relied on encryption to protect their source and collaborate remotely on a global scale.
But now a trio of bad internet bills before Congress threatens the very journalists who rely on encryption to safely and securely communicate with confidential sources for important reporting on national security, local news, corporate malfeasance, and more.
The EARN IT Act, the STOP CSAM Act, and the Kids Online Safety Act, or KOSA — all with the worthy goal of protecting children online — each would make it legally risky for tech companies to offer end-to-end encryption. That's the form of encryption in which only the sender and intended recipient can read a message, and which offers some of the strongest protections for both journalists and sources.
If any of these bills pass, platforms may stop offering encryption altogether. That would make everyone — including journalists and their sources — less safe when they communicate online.
When the EARN IT Act was introduced in a past Congress, for example, the popular encrypted messaging service Signal wrote that it may not be able to operate in the U.S. if the bill became law. EARN IT has morphed from its original form since then, but its threat to encryption remains. Not only would EARN IT allow states to hold platforms liable for offering encrypted services under state law, but the bill specifically says that the use of encryption can be one piece of evidence to prove a platform’s liability.
Similarly, STOP CSAM also creates a legal nightmare for platforms that offer encryption, as the ACLU explained in a letter joined by Freedom of the Press Foundation (FPF) and dozens of other groups. The bill encourages platforms to scan their services for child sexual abuse material, or CSAM, by opening them up to liability for hosting CSAM even if they lack actual knowledge of the CSAM on their service. (Federal law already makes it illegal to help spread CSAM knowingly.) As the ACLU explains, a platform could be found liable merely because a court decides it was reckless to offer end-to-end encryption knowing that it can be used to spread CSAM.
Finally, PEN America and others have sounded the alarm about how KOSA would “result in the disappearance or degradation of end-to-end encrypted services” by forcing platforms to choose between filtering content to comply with the law or offering encryption. KOSA requires platforms to take action against content that the government says is “harmful” to kids, such as content likely to make them anxious or depressed. Not only does this provision raise serious First Amendment concerns, but it also encourages platforms to weaken or stop offering encryption entirely, so they can comply with their new duty to identify “harmful” content and stop it from reaching kids.
Protecting children from CSAM and other online harms is important. But it’s ironic that in bills meant to protect children, Congress could heedlessly and unnecessarily undermine the end-to-end encryption that is one of the strongest protections for online security and privacy, including for children.
Hindering encryption is bad for kids, reporters, and the public. Quite simply, without the confidentiality that end-to-end encryption provides, the next whistleblower with Panama Papers-level information probably won’t be “happy to share.”