The EARN IT Act Is Back, and It’s More Dangerous Than Ever

This is the latest entry in my lengthy archive of writing, talks, and interviews about the EARN IT Act:

On January 31, Senator Richard Blumenthal, together with 18 co-sponsors from both parties, reintroduced the EARN IT Act. Two days later, the House reintroduced its version too. Last introduced in 2020, the EARN IT Act would, if passed, pare back online service providers’ broad immunity under a federal law called Section 230, exposing them to civil lawsuits and state-level criminal charges for the child sexual abuse material (CSAM) posted by their users.

At first blush, that might sound like a good thing, which is why it will be hard for members of Congress to resist – who could ever vote against child safety? But make no mistake: this was a dangerous bill two years ago, and because it’s doubled down on its anti-encryption stance, it’s even more dangerous now.

Protecting children online is a laudable and urgent goal. However, the EARN IT Act would do little to protect child sex abuse victims – to the contrary, it risks making it even harder to track down and convict offenders. And by discouraging providers from using encryption to protect the privacy and security of users (including children), while simultaneously encouraging them to over-censor their users’ perfectly legal speech, EARN IT would do a lot of damage to innocent internet users who have broken no law.

EARN IT 2022 Is the Worst of Both (Senate and House) Worlds

There have already been some excellent write-ups this week about the resurrection of this zombie bill and the menace it still poses. If you only have time to read one thing, make it Casey Newton’s Platformer newsletter, which provides a cogent and succinct overview of everything you need to know. Then check out Mike Masnick’s three-part deep dive at Techdirt: one on how EARN IT risks exacerbating the online child exploitation problem, another on how EARN IT is far worse than the last law that amended Section 230, and a third meticulously picking apart a “myths vs. facts” document the bill’s sponsors released that (surprise!) peddles more myth than fact, as Mike explains with palpable exasperation. The Internet Society, ACLU, CDT, and EFF, all longtime opponents of EARN IT, have also weighed in (and EFF provides an action item for contacting your elected representatives to tell them to oppose EARN IT).

For me, this week’s reintroduction of EARN IT is déjà vu all over again. As the link round-up at the top of this post shows, I spent most of 2020 explaining why EARN IT was a terrible bill that would have numerous downsides without ameliorating the complicated problem of child safety online. All of that is still true today, because the bill hasn’t changed.

The new Senate bill is a near-replica of Senate bill text from July 2020, whose many problems I documented here. The only real change is the replacement of that bill’s already-tepid language attempting to protect encryption, with language from the September 2020 House version of the bill. The House language, as I wrote here, is even weaker: it discourages providers from offering encryption by exposing them to liability for doing so (as long as complainants can gin up some other pretext for suing), and by permitting evidence of their encryption features to be used against them in court. That is, the only change since July 2020 has made the bill worse.

To get my in-depth explanation of EARN IT 2022, you need only read those two previous writings of mine about EARN IT 2020, which together cover the entirety of the new zombie bill. Again, they’re here (about the bill overall) and here (about the weak-sauce encryption language). It’s certainly convenient for me that I don’t have to do any new analysis. But it’s also maddening that the bill hasn’t gotten any better, when its backers had over a year and a half to fix the problems that I and others identified the last time around. (Or, preferably, to just let it fail instead of bringing it back from the dead.)

That’s So Much Reading! What’s the TL;DR, Again?

To recap, here’s why the EARN IT Act would harm online speech, privacy, and security without achieving its child-safety goal:

  • Fear-Driven Censorship of Legal Speech. Contrary to the outright lies in the EARN IT sponsors’ “myths vs. facts” document, nobody, literally nobody, is claiming there’s some First Amendment right to CSAM that EARN IT impairs. The real issue is censorship of legal speech that is constitutionally protected. By threatening tech companies with significant litigation exposure for doing an imperfect job of fighting CSAM on their services, EARN IT will result in companies overzealously censoring lots of perfectly legal user speech just in case anything that could potentially be deemed CSAM might be lurking in there, or even shutting down part or all of their services entirely. They’d throw the First Amendment-protected baby out with the unprotected CSAM bathwater. (The same thing happened with online censorship after Congress passed the SESTA/FOSTA law, on which EARN IT is modeled, which carved out sex trafficking offenses from Section 230.) [More here.]
  • Making Law Enforcement Investigations Harder. Meanwhile, increased vigilance by providers will push CSAM traders off law-abiding platforms and onto offshore sites (that don’t follow U.S. law) and the dark web, where they’re harder to track down. (This, too, happened after SESTA/FOSTA: even as platforms censored legal speech, sex trafficking offenders and victims got harder for investigators to find.) [More here.]
  • Undermining User Privacy & Security. EARN IT would, as said, discourage the use of encryption, which is vital to protecting the privacy and data security of children and adults alike (yes, children deserve privacy too). Punishing companies for strong data protection practices is an utterly mindboggling public policy choice in the midst of an ongoing cybersecurity crisis, which has only grown worse since mid-2020 (think SolarWinds, Colonial Pipeline, Log4j, the ransomware pandemic…). As I’ve pointed out before, members of Congress (including EARN IT’s main sponsors) have this unfortunate tendency to bemoan that tech companies aren’t doing enough to protect users’ privacy, then get mad at them for using strong encryption to do just that. Sen. Blumenthal in particular is a study in contradiction: while pushing his anti-encryption EARN IT bill the first time around, he was simultaneously infuriated by Zoom’s lack of true end-to-end encryption. [More here.]
  • Privacy Intrusions That Will Let Offenders Walk Free. The bill threatens online privacy by railroading tech companies into surveilling their users even more than they do already. As Techdirt points out, the “myths vs. facts” document lays bare that the bill’s ulterior motive is to goad providers into scanning all user data on their services on pain of criminal liability. In so doing, EARN IT risks upsetting the tightrope that federal CSAM law constantly walks to avoid converting private companies into government agents whose warrantless surveillance of their users would render evidence against CSAM defendants inadmissible in court, making convictions harder to obtain. The bill totally backfires if fewer CSAM offenders are brought to justice because of EARN IT’s heavy-handed pressure on providers. [More here.]

Even if you don’t care about the hits to free speech and personal privacy and cybersecurity, the fact that this bill will hurt child safety efforts – by making CSAM investigations harder and making it likelier that CSAM defendants would walk free – should be reason enough to oppose the EARN IT Act. These are the wholly predictable consequences if EARN IT (like SESTA/FOSTA before it) tinkers with Section 230. And Section 230 isn’t the problem here anyway.

EARN IT Is a Solution in Search of a Problem – and Section 230 Isn’t It

I’ve written before about how Section 230 works, why lawmakers keep threatening to amend it (see also), and why it’s the wrong vehicle for improving child safety online. And yet the renewed EARN IT Act still pretends that Section 230 is to blame. Don’t be fooled: amending Section 230 will not suddenly solve the complex challenge of fighting CSAM online, a struggle whose complexity I’ve documented in my research on online service providers’ trust and safety efforts.

In announcing the new bill, Sen. Blumenthal claimed that EARN IT “is very simply about whether tech companies should be held responsible … when they refuse to report or remove [CSAM] hosted on their platforms.” But the truth behind the clouds of FUD that he and other congressmembers keep spouting is this: Section 230 already does not keep tech companies from being held accountable if they aren’t reporting or removing CSAM.

That’s because providers’ immunity under Section 230 for their users’ bad acts has never extended to federal criminal law. Section 230(e) explicitly says so, even expressly mentioning federal law relating to child sexual exploitation. That body of law forbids everybody from the possession or transmission of CSAM (in a statute called Section 2252A), and it also requires providers to report CSAM they know about on their services (another statute, Section 2258A). That means if providers are “refusing to report or remove” CSAM they find, they’re breaking two laws – and Section 230 already doesn’t shield either violation.

To all appearances, providers are complying with their legal obligations. They already report huge volumes of CSAM, to the tune of tens of millions of reports a year – and detection efforts only keep improving. Plus, as far as I can tell from my research, the Department of Justice (which enforces federal criminal law) has never brought a single case against any online service provider for violating their reporting duties under Section 2258A. Millions of reports, ongoing improvements, no prosecutions for noncompliance: it sure doesn’t sound like there’s an epidemic of knowing failure to remove or report CSAM. So where’s the problem?

Yet Sen. Blumenthal and his cosponsors aren’t satisfied. He claims tens of millions of reports a year aren’t enough, and that there are no consequences if providers “look the other way.” Those are the exact things – the duty to report, and consequences if you don’t – that Section 2258A covers. If EARN IT’s sponsors believe Section 2258A isn’t getting the job done, then why does Section 230 need to be amended?!

Section 230 already doesn’t let providers off the hook for 2258A violations. Changing Section 230 won’t increase providers’ obligations under 2258A. Section 230 is not the problem here.

Whatever The Problem Is, EARN IT Doesn’t Solve It

So what is the problem, exactly? It’s not really clear, what with the bill sponsors’ FUD in the way. Below is a table that suggests some options I brainstormed for what the actual problem is. Then I’ll suggest some potential responses that Congress or other stakeholders could make to address that problem. (I’m just spitballing ideas, not recommending all those measures be taken.) And then I’ll list what EARN IT actually does, to illustrate how the bill fails to address the problem, no matter how the problem is framed.

Let’s start with what Sen. Blumenthal seems to think is the problem, even though, as said, the high volume of reports and lack of 2258A prosecutions suggest that this framing of the problem does not actually reflect reality. But let’s just assume it does and go from there.

| If online service providers… | And the problem is… | Then a possible response(s) would be… | EARN IT’s actual response: |
| --- | --- | --- | --- |
| DON’T report CSAM, in violation of 18 U.S.C. § 2258A | Large-scale, widespread, pervasive noncompliance by numerous providers that knowingly host CSAM without removing or reporting it (NOT just occasional isolated incidents) | Conduct a congressional investigation to determine the extent of the problem; Hold a hearing to ask DOJ why it has never once brought a 2258A prosecution; DOJ prosecutes all those providers for illegally hosting CSAM under 2252A as well as violating 2258A’s reporting requirements; Amend 2258A(e) to increase penalties for noncompliance; Amend Dodd-Frank to include 2258A compliance in corporate disclosure requirements (akin to Form SD); Encourage FTC investigation of noncompliant companies for unfair or deceptive business practices; Encourage private plaintiffs to file securities-fraud class actions against publicly-traded providers for misleading investors by secretly violating federal reporting duties | Amend Section 230 instead of enforcing existing law; Don’t demand that DOJ explain why they aren’t doing their job |
| DON’T report CSAM, in violation of 2258A | Occasional, isolated instances of failure to report by multiple providers, OR repeated failure to report by a particular rogue provider (NOT a large-scale problem across the whole tech industry) | Conduct a congressional investigation to determine the extent of the problem; Hold a hearing to ask DOJ why it has never once brought a 2258A prosecution; DOJ prosecutes those isolated violations or the particular rogue provider | Amend Section 230 instead of enforcing existing law; Don’t demand that DOJ explain why they aren’t doing their job |
| DON’T report CSAM, in violation of 2258A | DOJ investigations for 2258A violations are consistently resolved without charges or fines and do not become public | Hold hearings to have DOJ explain why their investigations never result in charges | Amend Section 230; Don’t demand that DOJ explain why they aren’t doing their job |
| DON’T report CSAM, in violation of 2258A | DOJ has criminally charged providers for violations and obtained court-imposed fines under 2258A(e), but all court records of 2258A prosecutions are under seal (and thus don’t turn up in searches) | Tell DOJ to move for courts to unseal all sealed records in 2258A cases; Require DOJ to report data on all 2258A prosecutions since 2258A’s enactment; Amend 2258A to require regular reporting to Congress by DOJ of enforcement statistics; Investigate whether providers (especially publicly-traded ones) kept 2258A fines a secret | Amend Section 230 |
| DON’T report CSAM, in violation of 2258A | Complete lack of enforcement by DOJ means there are no consequences for providers’ violations, depriving victims of justice | Hold a hearing to ask DOJ why it has never once brought a 2258A prosecution; Amend 2258A by adding a private right of action so that victims can do the work that DOJ isn’t doing | Amend Section 230; Don’t demand that DOJ explain why they aren’t doing their job |
| DO report CSAM to NCMEC’s CyberTipline | CSAM isn’t being taken down promptly enough or reported to NCMEC “as soon as reasonably possible” as required by 2258A(a)(1)(A)(i) | Debate whether to insert a firm timeframe into 2258A(a)(1)(A)(i); Hold a hearing to ask ICS providers of various sizes why delays happen and whether a specific timeframe is feasible | Amend Section 230 |
| DO report CSAM to NCMEC’s CyberTipline | The volume of reports is so high that NCMEC is overwhelmed | Hold a hearing to ask NCMEC what it would take to process all the reports they already get; Appropriate those additional resources to NCMEC | Amend Section 230 to induce providers to make even more reports NCMEC can’t keep up with; Give zero additional resources to NCMEC |
| DO report CSAM to NCMEC’s CyberTipline | DOJ doesn’t act on the reports providers make, and doesn’t make its own mandatory reports to Congress about internet crimes against children | Order GAO to conduct a study on what happens to CyberTips passed by NCMEC to DOJ; Hold a hearing to ask DOJ why it isn’t acting on tips or filing its required reports; Appropriate additional resources to DOJ | Earmark $1 million for IT improvements; Don’t demand that DOJ explain why they aren’t doing their job |
| DO report CSAM to NCMEC’s CyberTipline | Federal law enforcement is failing child sex abuse victims: the FBI turned a blind eye to Larry Nassar’s abuse of dozens of child gymnasts for years | Hold a hearing on the FBI’s failure to protect children (this did happen in September 2021) | Amend Section 230, effectively delegating enforcement for child sexual abuse to states and victims themselves |

No matter what the problem with online CSAM is, EARN IT isn’t going to fix it. It’s only going to make things worse, both for child victims and for everyone who uses the internet. The truth about EARN IT is that either there isn’t a serious noncompliance problem among providers that’s pervasive enough to merit a new law, but Congress just can’t resist using Section 230 as a political punching bag to harm all internet users in the name of sticking it to Big Tech… or there is a problem, but the DOJ is asleep at the wheel – and EARN IT is a concession that Congress no longer expects them to do their jobs.

Either option should be shameful and embarrassing for the bill’s supporters to admit. Instead, this horrible legislation, if it passes, will be hailed as a bipartisan victory that shows Congress can still come together across the aisle to get things done. Apparently, harming Americans’ rights online while making CSAM prosecutions harder is something both parties can agree on, even in an election year. 

This bill is being fast-tracked to shove it through both houses of Congress as quickly as possible, and I’m deeply afraid that this time it will succeed where its predecessor didn’t. There’s still time, though, to stop it. Whether it passes or not, remember who supports EARN IT when you go to the polls in November.