I’ve previously covered the First Amendment concerns that I have with the newly-introduced EARN IT Act bill. I also have due-process concerns about the bill’s “best practices” requirement. The Fifth Amendment protects (among other things) your right to due process with respect to the federal government. Similarly, the Fourteenth Amendment gives you due-process protections with respect to the states.
Due process covers multiple concepts, but here the key ones to understand are the interrelated concepts of “vagueness” and “notice.” As the Supreme Court recently explained, “the twin concerns underlying [the] vagueness doctrine” are “providing notice and preventing arbitrary enforcement.” United States v. Beckles, 580 U.S. __, __ (2017). “Vagueness” is succinctly explained in Fight of the Century, the terrific new book of essays commemorating the ACLU’s 100th anniversary. A criminal law will be held void for vagueness “if an ordinary person cannot understand what conduct it prohibits and it authorizes or encourages arbitrary and discriminatory enforcement.” You are expected to obey the law, and that means you must have notice of what the law prohibits, so that you can conform your conduct accordingly. If it’s too vague, you’re not on fair notice of what’s required or forbidden. Notice is also important for those charged with enforcement of our laws, not just those charged with obeying them: the police, too, must be on notice of what conduct is permitted and what is prohibited, so that they can do their job accurately and let law-abiding citizens alone.
I have previously mentioned that FOSTA, which in 2018 abrogated providers’ Section 230 immunity for sex trafficking on their services, is being challenged in court under the First Amendment for (among other things) overbreadth. That lawsuit is also challenging FOSTA for violating the Fifth Amendment’s Due Process Clause because of its vague, undefined terms (such as “promotion” or “facilitation” of sex trafficking). You can see how overbreadth and vagueness are related: a law may prohibit a lot of constitutionally-protected expression in part because it is so vague that it’s not even clear what is and isn’t forbidden by the law.
The EARN IT Act likewise has a due-process problem because it creates the possibility of criminal enforcement on the basis of impermissibly vague language. The bill contemplates that the Commission would come up with best practices that would (as I read it) then be codified by Congress as binding law. A provider’s failure to either (1) certify compliance with those best practices, or (2) implement unspecified “reasonable measures” to prevent the service from being used to exploit minors, would open up the provider to criminal prosecution under applicable state law. If a provider’s officer certifies compliance with the best practices, knowing the certification “contains a false statement,” then the EARN IT Act says the certifying officer shall either be fined, go to federal prison for up to two years, or both.
If a provider certifies to the Attorney General that it “has implemented, and is in compliance with,” the best practices, it remains immune from state criminal liability for CSAM. The question is, how can the provider and the certifying officer be on notice of what compliance or non-compliance means? If the provider, and the certifying officer, know what measures the provider has taken, and they certify based on their belief that those measures are compliant, but it turns out the Attorney General (whom the bill empowers to investigate suspected noncompliance) disagrees – doesn’t that (1) put the provider at risk of having its Section 230 immunity for CSAM stripped away and being criminally prosecuted by one or more states, and (2) put the certifying officer at risk of federal criminal prosecution and serving felony prison time?
Understandably, providers might be hard-pressed to find an officer willing to go to prison over a set of vague “best practices.” If a provider decides not to certify compliance with the best practices, its only remaining avenue to retain Section 230 immunity and avoid exposure to potential state criminal prosecution is implementing “reasonable measures.” But that’s the same problem: how can the provider be on notice of what’s “reasonable” or “unreasonable,” when that’s undefined? The bill allows state prosecutors to arbitrarily or discriminatorily enforce their particular definition of what is or isn’t “reasonable” (for example, providing end-to-end encryption, or allowing adult family members to “friend” their minor relatives on a social media service even though so many victims are related to their abusers). That’s unconstitutional.
The only way I can see to avoid a vagueness problem with the “best practices” is if they are very specific and detailed – that is, if they spell out for providers how they must surveil their users and censor the users’ online activity. That seems not only undesirable (from a, like, civil liberties and human rights point of view), but impossible, given the many different product types, business models, product designs, etc. out there. (Not to mention that telling providers how to design their services conflicts with Section 1002(b) of CALEA. I can’t post about EARN IT without bringing up CALEA.)
Certainly last week’s 11 voluntary principles for fighting CSAM, which I discussed in a recent blog post, would be unconstitutionally vague if they were to become law. I’ve heard some rumors that the EARN IT “best practices” are a fait accompli, already written in secret by the DOJ and ready to go the moment the bill gets enacted. I’ve even heard it suggested that the pre-prepared best practices are the 11 voluntary principles. (I’m a bit skeptical, because the entire point of EARN IT is “to establish a National Commission” to come up with those best practices, but OK, let’s run with it, just for illustrative purposes. And if that first rumor is correct, I look forward to seeing what pre-written “best practices” the DOJ and Congress are too cowardly to put into an actual bill that would have to be debated and voted on in public, in front of all the congressmembers’ constituents. Kindly work up the courage to stab the American public in the front, not the back, and to look us in the eye when you do it, Senators.)
So, assuming the 11 principles will end up being the “best practices,” let’s take Principle 7 as an example. It reads, “Companies seek to adopt enhanced safety measures with the aim of protecting children, in particular from peers or adults seeking to engage in harmful sexual activity with children; such measures may include considering whether users are children.” For context, the document explains that the risks to children online include “contact risks (where a child participates in risky communication, possibly unwittingly or unwillingly).”
If Principle 7 were turned into a “best practice,” it would be void for vagueness. It doesn’t provide notice of what’s required or prohibited, and Attorney General Barr could arbitrarily or discriminatorily enforce it against providers whose product design he doesn’t like (such as Facebook and its plans for end-to-end encryption across its messaging products). Do you think you understand what Principle 7 requires a provider to do, or not to do? Do you think an ordinary provider would understand? As of last week’s debut of the 11 principles, six major tech companies had endorsed them. How many of them would be willing to bet the company – or at least their officer’s liberty – that they understand what Principle 7 requires them to do? Probably none.
Under EARN IT, if the providers refused to certify that they comply with Principle 7, then in order to keep Section 230 immunity from criminal prosecution under state law, they’d have to adopt other “reasonable measures” to achieve the goal of preventing minors from being groomed or enticed online. What are “reasonable measures”? Again, the bill does not put providers on notice of what is required or prohibited. What would, say, the anti-encryption Manhattan District Attorney consider “reasonable”? Again, as written, the EARN IT Act leaves that open for him to enforce in an arbitrary or discriminatory manner.
In sum, the EARN IT Act is void for vagueness under the Fifth Amendment’s Due Process Clause. As I’ve said before, this unconstitutional bill must not pass.
* * *
Tech companies get constitutional rights too. I’m sure that won’t go over well with some people reading this, because the first thing it likely brings to mind is Citizens United. But constitutional protections for companies also protect your ability to exercise your own constitutional rights online: to speak, to converse with others, to search for information, for others to find the information that you put out there. Without those protections for tech providers, the government could arbitrarily force your favorite social media platform, indeed your ISP, to shut down, for violating some vaguely-worded prohibition. It could force a search engine to show search results only for webpages whose content the government approves of, and remove search results whose message the government doesn’t like. That’s why you should care that the EARN IT Act would violate not only your constitutional rights, but also those of big tech companies: because violations of their rights affect yours too. Want to tell your congressperson you oppose this bill? Digital rights orgs Fight for the Future and EFF both have ways for you to take action.