Congress’s latest assault on internet freedom

The EARN IT Act is supposed to protect children, but it’s a bonanza for snoops and lawyers


Another assault on internet freedom and constitutional rights is underway this week as the Senate Judiciary Committee considers the EARN IT Act of 2022.

The bill is presented as a potential solution to internet luring by creating a new National Commission on Online Child Sexual Exploitation Prevention. The nineteen-member commission is tasked with coming up with best practices that internet companies can adopt to allegedly keep children safe from online predators.

Yet tucked in the bill are more changes to Section 230 of the Communications Decency Act, the law that keeps online platforms from being civilly liable for hosting and moderating third-party content.

The first change involves reaffirming that victims of child sexual abuse can civilly sue interactive computer services. “There are tens of millions of photos and videos circulating throughout the internet, showing the most heinous acts of sexual abuse and torture of children,” said Senator Lindsey Graham of South Carolina last week. “The EARN IT Act removes Section 230 blanket liability protection from service providers in the area of child sexual abuse material on their sites.”

The second change to Section 230 specifically targets companies that use end-to-end encryption. EARN IT claims that encryption-using companies will be exempt from civil liability, but the language remains unclear. It appears that EARN IT gives judges too much power in deciding whether companies are protected by “considering evidence of actions or circumstances described in that subparagraph if the evidence is otherwise admissible.” This language raised a howl of alarm from privacy advocates about government empowerment.

“That is pretty dangerous, especially because the bill opens up liability under state laws that might impose only a ‘reckless’ standard,” said TechFreedom’s Ari Cohn in an email. “If a company could be found to be reckless because it offered encryption (and thus did not even have the ability to see what is in the messages), it’s effectively the same thing as holding them liable for offering encryption in the first place.”

EARN IT Act opponents fear the bill is just an attack on end-to-end encryption. Senator Patrick Leahy of Vermont introduced language in 2020 in response to the criticism, but it’s not enough.

“Federal policy should incentivize providers to protect their users’ security, not dissuade them from doing so – especially with so much work, school, and other life activities happening online nowadays,” Stanford Internet Observatory Research Scholar Riana Pfefferkorn said. She added, “The way I read the encryption language in the bill, I’m not sure it would preclude liability…you can imagine a lawsuit where the theory of liability isn’t ‘oh, it’s end-to-end encrypted so two people can talk without being monitored’; it’s ‘oh, it doesn’t build in the “ghost user” proposal,’ meaning it doesn’t secretly add law enforcement to the conversation as a third endpoint.”

This appears to be the goal of EARN IT Act supporters. Former Department of Homeland Security assistant secretary of policy Stewart A. Baker wrote at Lawfare in 2020 that the bill will “require companies that offer end-to-end encryption to weigh the consequences of that decision for the victims of child sexual abuse. And it may require them to pay for the suffering their new feature enables.” He then suggests tech company executives will just ask engineers to balance good security with child protections to avoid the court.

But that isn’t a guarantee, with at least one EARN IT Act opponent opining that the opposite may end up happening. “My greatest concern about the EARN IT Act is that it could cause platforms to be even less proactive about child sex abuse material than they currently are,” US Naval Academy associate cybersecurity law professor Jeff Kosseff wrote to me in an email.

Kosseff explained that large platforms file reports with the National Center for Missing and Exploited Children after using programs like PhotoDNA to search for child porn on their systems. “We don’t know precisely what the standard of liability would be, as we’ve had Section 230 in place since 1996, but it is likely that platforms would only be liable if they know or have reason to know of child sex abuse material on their services,” he said. “This could create an unfortunate incentive for platforms to actually be less proactive than they currently are, as they would face substantial liability.”

If that’s the case, then why even present the bill in the first place? This appears to be another example of elected officials empowering bureaucrats to monitor citizens while claiming to solve a problem. Yet the only people the EARN IT Act helps are the lawyers who will file lawsuit after lawsuit against website after website.