The Revised EARN IT Act is Still Awful

About a month ago, the Senate Judiciary Committee passed Senator Lindsey Graham’s (R-S.C.) EARN IT Act, S. 3398, setting up a potential full Senate vote. With very few legislative days left on the Senate’s calendar between now and November’s elections, it is highly possible that Senator Graham may try to quickly pass his bill. Although the bill is marketed as combatting child sexual abuse materials (CSAM) online, the bill was — and, even after being amended, remains — a thinly veiled assault on encryption.

You can read my objections to the original bill HERE, but the basic contours of the bill were that it would:

  • Establish a new National Commission on Online Child Sexual Exploitation Prevention, which is beholden to the Attorney General and mostly staffed by law enforcement representatives.
  • The Commission would set “best practice” standards for platforms to “voluntarily” abide by in order to aid law enforcement efforts to combat CSAM.
  • If websites failed to abide by these standards, which would likely have included using end-to-end encryption of data and communications on their platform, they would have lost their liability protections under Section 230 of the Communications Decency Act (CDA).

EARN IT did get amended substantially in committee by amendment, including removing the ability of the Commission to enforce their guidelines by stripping companies of their CDA 230 liability protections and thus making their guidelines more truly voluntary. However, the new language actually assaults CDA 230 more directly, by straight-up removing companies’ liability protections in cases involving CSAM.

This might seem reasonable on the surface, except that companies were already legally obliged to remove and report all CSAM activity (and any other illegal content, for that matter) that they find on their platforms to law enforcement. What Section 230 immunity provides is that the people who post this awful material are responsible to be prosecuted for it, and not the platform.

By removing this protection, what EARN IT’s new structure creates, as Techdirt’s Mike Masnick points out, is an odd dilemma that serves no one well. On the one hand, Senator Patrick Leahy (D-Ore.) also successfully amended the bill to explicitly forbid holding companies liable merely for the use of secure encryption. Thus, companies might feel incentivized to increase their use of strong encryption as a safe haven – basically, if they can’t see it, they can’t be expected to censor it. This is pretty obviously not what AG Barr or the DoJ want. On the other hand, companies which do not employ strong encryption would need to massively increase their vetting of subscribers and intrusive data collection from them in order to allow users to continue posting their own content to the site.

Furthermore, EARN IT continues to imperil encryption itself, in spite of Sen. Leahy’s excellent attempt. Unfortunately, many experts have warned that Leahy’s amendment will functionally not prohibit states from pursuing litigation against platforms as long as the use of encryption isn’t the main pretext for the suit. Depending on the state’s law, merely not being able to see what’s being sent by users through encrypted channels might be enough to qualify as “recklessness” in harboring unlawful content. Since internet services must obviously cross state lines, companies will be incentivized to adhere to whichever state’s standard puts them most at risk of litigation.

Also, although Leahy’s amendment attempts to shield encryption itself, Stanford cybersecurity expert Riana Pfefferkorn notes that it leaves the door open for companies to be held liable for refusing to implement other privacy-invading practices, such as “client-side scanning” (in which companies would scan all uploaded content before it becomes hidden by encryption) or a “ghost user” mandate (where the government may be granted invisible access to an otherwise secure communication).

All this is to say that the new and ostensibly “improved” EARN IT Act that may see a vote in the Senate is still a troubling bill, one which may have even been made worse than the original. The bill doesn’t address any of the existing shortcomings in the government’s enforcement of the copious laws against child exploitation, but manages to threaten innocent internet users’ online privacy, security, and freedom of expression all at once. This legislation is poorly designed at best and cynically manipulative at worst, and hopefully will not be allowed to progress any further.