http://cyberlaw.stanford.edu/blog/2022/02/earn-it-act-back-and-it%E2%80%99s-more-dangerous-ever

The Center for Internet and Society at Stanford Law School is a leader in the study of the law and policy around the Internet and other emerging technologies.

The EARN IT Act Is Back, and It's More Dangerous Than Ever

By Riana Pfefferkorn on February 4, 2022 at 1:23 pm

This is the latest entry in my lengthy archive of writing, talks, and interviews about the EARN IT Act:

* Blog posts at the CIS blog: part 1, part 2, part 3, part 4, part 5, part 6, part 7, part 8
* Articles for Brookings TechStream: part 1, part 2
* Talks at the DEFCON Crypto & Privacy Village and the University of Waterloo
* Interviews on the Decipher Security Podcast and ExpressVPN blog

On January 31, Senator Richard Blumenthal, together with 18 co-sponsors from both parties, reintroduced the EARN IT Act. Two days later, the House reintroduced its version too. Last introduced in 2020, the EARN IT Act would, if passed, pare back online service providers' broad immunity under a federal law called Section 230, exposing them to civil lawsuits and state-level criminal charges for the child sexual abuse material (CSAM) posted by their users. At first blush, that might sound like a good thing, which is why it will be hard for members of Congress to resist - who could ever vote against child safety? But make no mistake: this was a dangerous bill two years ago, and because it's doubled down on its anti-encryption stance, it's even more dangerous now.

Protecting children online is a laudable and urgent goal. However, the EARN IT Act would do little to protect child sex abuse victims - to the contrary, it risks making it even harder to track down and convict offenders. And by discouraging providers from using encryption to protect the privacy and security of users (including children), while simultaneously encouraging them to over-censor their users' perfectly legal speech, EARN IT would do a lot of damage to innocent internet users who have broken no law.

EARN IT 2022 Is the Worst of Both (Senate and House) Worlds

There have already been some excellent write-ups this week about the resurrection of this zombie bill and the menace it still poses. If you only have time to read one thing, make it Casey Newton's Platformer newsletter, which provides a cogent and succinct overview of everything you need to know.
Then check out Mike Masnick's three-part deep dive at Techdirt: one on how EARN IT risks exacerbating the online child exploitation problem, another on how EARN IT is far worse than the last law that amended Section 230, and a third meticulously picking apart a "myths vs. facts" document the bill's sponsors released that (surprise!) peddles more myth than fact, as Mike explains with palpable exasperation. The Internet Society, ACLU, CDT, and EFF, all longtime opponents of EARN IT, have also weighed in (and EFF provides an action item for contacting your elected representatives to tell them to oppose EARN IT).

For me, this week's reintroduction of EARN IT is deja vu all over again. As the link round-up at the top of this post shows, I spent most of 2020 explaining why EARN IT was a terrible bill that would have numerous downsides without ameliorating the complicated problem of child safety online. All of that is still true today, because the bill hasn't changed. The new Senate bill is a near-replica of Senate bill text from July 2020, whose many problems I documented here. The only real change is the replacement of that bill's already-tepid language attempting to protect encryption, with language from the September 2020 House version of the bill. The House language, as I wrote here, is even weaker: it discourages providers from offering encryption by exposing them to liability for doing so (as long as complainants can gin up some other pretext for suing), and by permitting evidence of their encryption features to be used against them in court. That is, the only change since July 2020 has made the bill worse.

To get my in-depth explanation of EARN IT 2022, you need only read those two previous writings of mine about EARN IT 2020, which together cover the entirety of the new zombie bill. Again, they're here (about the bill overall) and here (about the weak-sauce encryption language). It's certainly convenient for me that I don't have to do any new analysis.
But it's also maddening that the bill hasn't gotten any better, when its backers had over a year and a half to fix the problems that I and others identified the last time around. (Or, preferably, to just let it fail instead of bringing it back from the dead.)

That's So Much Reading! What's the TL;DR, Again?

To recap, here's why the EARN IT Act would harm online speech, privacy, and security without achieving its child-safety goal:

* Fear-Driven Censorship of Legal Speech. Contrary to the outright lies in the EARN IT sponsors' "myths vs. facts" document, nobody, literally nobody, is claiming there's some First Amendment right to CSAM that EARN IT impairs. The real issue is censorship of legal speech that is constitutionally protected. By threatening tech companies with significant litigation exposure for doing an imperfect job of fighting CSAM on their services, EARN IT will result in companies overzealously censoring lots of perfectly legal user speech just in case anything that could potentially be deemed CSAM might be lurking in there, or even shutting down part or all of their services entirely. They'd throw the First Amendment-protected baby out with the unprotected CSAM bathwater. (The same thing happened with online censorship after Congress passed the SESTA/FOSTA law, on which EARN IT is modeled, which carved out sex trafficking offenses from Section 230.) [More here.]

* Making Law Enforcement Investigations Harder. Meanwhile, increased vigilance by providers will push CSAM traders off law-abiding platforms and onto offshore sites (that don't follow U.S. law) and the dark web, where they're harder to track down. (This, too, happened after SESTA/FOSTA: even as platforms censored legal speech, sex trafficking offenders and victims got harder for investigators to find.) [More here.]

* Undermining User Privacy & Security. EARN IT would, as said, discourage the use of encryption, which is vital to protecting the privacy and data security of children and adults alike (yes, children deserve privacy too). Punishing companies for strong data protection practices is an utterly mindboggling public policy choice in the midst of an ongoing cybersecurity crisis, which has only grown worse since mid-2020 (think SolarWinds, Colonial Pipeline, Log4j, the ransomware pandemic...). As I've pointed out before, members of Congress (including EARN IT's main sponsors) have this unfortunate tendency to bemoan that tech companies aren't doing enough to protect users' privacy, then get mad at them for using strong encryption to do just that. Sen. Blumenthal in particular is a study in contradiction: while pushing his anti-encryption EARN IT bill the first time around, he was simultaneously infuriated by Zoom's lack of true end-to-end encryption. [More here.]

* Privacy Intrusions That Will Let Offenders Walk Free. The bill threatens online privacy by railroading tech companies into surveilling their users even more than they do already. As Techdirt points out, the "myths vs. facts" document lays bare that the bill's ulterior motive is to goad providers into scanning all user data on their services on pain of criminal liability. In so doing, EARN IT risks upsetting the tightrope that federal CSAM law constantly walks to avoid converting private companies into government agents whose warrantless surveillance of their users would render evidence against CSAM defendants inadmissible in court, making convictions harder to obtain. The bill totally backfires if fewer CSAM offenders are brought to justice because of EARN IT's heavy-handed pressure on providers. [More here.]

Even if you don't care about the hits to free speech and personal privacy and cybersecurity, the fact that this bill will hurt child safety efforts - by making CSAM investigations harder and making it likelier that CSAM defendants would walk free - should be reason enough to oppose the EARN IT Act. These are the wholly predictable consequences if EARN IT (like SESTA/FOSTA before it) tinkers with Section 230. And Section 230 isn't the problem here anyway.

EARN IT Is a Solution in Search of a Problem - and Section 230 Isn't It

I've written before about how Section 230 works, why lawmakers keep threatening to amend it (see also), and why it's the wrong vehicle for improving child safety online. And yet the renewed EARN IT Act still pretends that Section 230 is to blame. Don't be fooled: amending Section 230 will not suddenly solve the complex challenge of fighting CSAM online, a struggle whose complexity I've documented in my research on online service providers' trust and safety efforts.

In announcing the new bill, Sen. Blumenthal claimed that EARN IT "is very simply about whether tech companies should be held responsible ... when they refuse to report or remove [CSAM] hosted on their platforms." But the truth behind the clouds of FUD that he and other congressmembers keep spouting is this: Section 230 already does not keep tech companies from being held accountable if they aren't reporting or removing CSAM.

That's because providers' immunity under Section 230 for their users' bad acts has never extended to federal criminal law. Section 230(e) explicitly says so, even expressly mentioning federal law relating to child sexual exploitation. That body of law forbids everybody from the possession or transmission of CSAM (in a statute called Section 2252A), and it also requires providers to report CSAM they know about on their services (another statute, Section 2258A).
That means if providers are "refusing to report or remove" CSAM they find, they're breaking two laws - and Section 230 already doesn't shield either violation.

To all appearances, providers are complying with their legal obligations. They already report huge volumes of CSAM, to the tune of tens of millions of reports a year - and detection efforts only keep improving. Plus, as far as I can tell from my research, the Department of Justice (which enforces federal criminal law) has never brought a single case against any online service provider for violating their reporting duties under Section 2258A. Millions of reports, ongoing improvements, no prosecutions for noncompliance: it sure doesn't sound like there's an epidemic of knowing failure to remove or report CSAM. So where's the problem?

Yet Sen. Blumenthal and his cosponsors aren't satisfied. He claims tens of millions of reports a year aren't enough, and that there are no consequences if providers "look the other way." Those are the exact things - the duty to report, and consequences if you don't - that Section 2258A covers. If EARN IT's sponsors believe Section 2258A isn't getting the job done, then why does Section 230 need to be amended?! Section 230 already doesn't let providers off the hook for 2258A violations. Changing Section 230 won't increase providers' obligations under 2258A. Section 230 is not the problem here.

Whatever The Problem Is, EARN IT Doesn't Solve It

So what is the problem, exactly? It's not really clear, what with the bill sponsors' FUD in the way. Below is a table that suggests some options I brainstormed for what the actual problem is. Then I'll suggest some potential responses that Congress or other stakeholders could make to address that problem. (I'm just spitballing ideas, not recommending all those measures be taken.) And then I'll list what EARN IT actually does, to illustrate how the bill fails to address the problem, no matter how the problem is framed.
Let's start with what Sen. Blumenthal seems to think is the problem, even though, as said, the high volume of reports and lack of 2258A prosecutions suggest that this framing of the problem does not actually reflect reality. But let's just assume it does and go from there.

| If online service providers... | And the problem is... | Then a possible response(s) would be... | EARN IT's actual response: |
|---|---|---|---|
| DON'T report CSAM, in violation of 18 U.S.C. § 2258A | Large-scale, widespread, pervasive noncompliance by numerous providers that knowingly host CSAM without removing or reporting it (NOT just occasional isolated incidents) | Conduct a congressional investigation to determine the extent of the problem; Hold a hearing to ask DOJ why it has never once brought a 2258A prosecution; DOJ prosecutes all those providers for illegally hosting CSAM under 2252A as well as violating 2258A's reporting requirements; Amend 2258A(e) to increase penalties for noncompliance; Amend Dodd-Frank to include 2258A compliance in corporate disclosure requirements (akin to Form SD); Encourage FTC investigation of noncompliant companies for unfair or deceptive business practices; Encourage private plaintiffs to file securities-fraud class actions against publicly-traded providers for misleading investors by secretly violating federal reporting duties | Amend Section 230 instead of enforcing existing law; Don't demand that DOJ explain why they aren't doing their job |
| DON'T report CSAM, in violation of 2258A | Occasional, isolated instances of failure to report by multiple providers, OR repeated failure to report by a particular rogue provider (NOT a large-scale problem across the whole tech industry) | Conduct a congressional investigation to determine the extent of the problem; Hold a hearing to ask DOJ why it has never once brought a 2258A prosecution; DOJ prosecutes those isolated violations or the particular rogue provider | Amend Section 230 instead of enforcing existing law; Don't demand that DOJ explain why they aren't doing their job |
| DON'T report CSAM, in violation of 2258A | DOJ investigations for 2258A violations are consistently resolved without charges or fines and do not become public | Hold hearings to have DOJ explain why their investigations never result in charges | Amend Section 230; Don't demand that DOJ explain why they aren't doing their job |
| DON'T report CSAM, in violation of 2258A | DOJ has criminally charged providers for violations and obtained court-imposed fines under 2258A(e), but all court records of 2258A prosecutions are under seal (and thus don't turn up in searches) | Tell DOJ to move for courts to unseal all sealed records in 2258A cases; Require DOJ to report data on all 2258A prosecutions since 2258A's enactment; Amend 2258A to require regular reporting to Congress by DOJ of enforcement statistics; Investigate whether providers (especially publicly-traded ones) kept 2258A fines a secret | Amend Section 230 |
| DON'T report CSAM, in violation of 2258A | Complete lack of enforcement by DOJ means there are no consequences for providers' violations, depriving victims of justice | Hold a hearing to ask DOJ why it has never once brought a 2258A prosecution; Amend 2258A by adding a private right of action so that victims can do the work that DOJ isn't doing | Amend Section 230; Don't demand that DOJ explain why they aren't doing their job |
| DO report CSAM to NCMEC's CyberTipline | CSAM isn't being taken down promptly enough or reported to NCMEC "as soon as reasonably possible" as required by 2258A(a)(1)(A)(i) | Debate whether to insert a firm timeframe into 2258A(a)(1)(A)(i); Hold a hearing to ask ICS providers of various sizes why delays happen and whether a specific timeframe is feasible | Amend Section 230 |
| DO report CSAM to NCMEC's CyberTipline | The volume of reports is so high that NCMEC is overwhelmed | Hold a hearing to ask NCMEC what it would take to process all the reports they already get; Appropriate those additional resources to NCMEC | Amend Section 230 to induce providers to make even more reports NCMEC can't keep up with; Give zero additional resources to NCMEC |
| DO report CSAM to NCMEC's CyberTipline | DOJ doesn't act on the reports providers make, and doesn't make its own mandatory reports to Congress about internet crimes against children | Order GAO to conduct a study on what happens to CyberTips passed by NCMEC to DOJ; Hold a hearing to ask DOJ why it isn't acting on tips or filing its required reports; Appropriate additional resources to DOJ | Earmark $1 million for IT improvements; Don't demand that DOJ explain why they aren't doing their job |
| DO report CSAM to NCMEC's CyberTipline | Federal law enforcement is failing child sex abuse victims: the FBI turned a blind eye to Larry Nassar's abuse of dozens of child gymnasts for years | Hold a hearing on the FBI's failure to protect children (this did happen in September 2021) | Amend Section 230, effectively delegating enforcement for child sexual abuse to states and victims themselves |

No matter what the problem with online CSAM is, EARN IT isn't going to fix it. It's only going to make things worse, both for child victims and for everyone who uses the internet.
The truth about EARN IT is that either there isn't a serious noncompliance problem among providers that's pervasive enough to merit a new law, but Congress just can't resist using Section 230 as a political punching bag to harm all internet users in the name of sticking it to Big Tech... or there is a problem, but the DOJ is asleep at the wheel - and EARN IT is a concession that Congress no longer expects them to do their jobs. Either option should be shameful and embarrassing for the bill's supporters to admit.

Instead, this horrible legislation, if it passes, will be hailed as a bipartisan victory that shows Congress can still come together across the aisle to get things done. Apparently, harming Americans' rights online while making CSAM prosecutions harder is something both parties can agree on, even in an election year.

This bill is being fast-tracked to shove it through both houses of Congress as quickly as possible, and I'm deeply afraid that this time it will succeed where its predecessor didn't. There's still time, though, to stop it. Whether it passes or not, remember who supports EARN IT when you go to the polls in November.

Focus Areas: Cybersecurity, Electronic Surveillance, Fourth Amendment, Intermediary Liability, Privacy

Related Projects: Crypto Policy Project

This work is licensed under a Creative Commons Attribution 3.0 Unported License.