New EARN IT Act Creates An Insane New Dilemma: Either Encrypt All Or Spy On All
from the this-seems-counterproductive dept
Last week, as predicted, the Senate Judiciary Committee voted unanimously to replace the original EARN IT Act, with a new one. As part of the markup, they also voted to approve Senator Patrick Leahy’s amendment which some might read to say that EARN IT cannot be used to block encryption — but the reality is a lot more complicated. As I’ll explain, this new bill is terrible in a different way than the old bill: it will create a new dilemma in which internet services will either feel compelled to encrypt everything or in which the only way you’ll be able to use any internet service is if you hand over a ton of personal information to the service provider — potentially putting your privacy at extreme risk.
First lets acknowledge an oddity about this new bill. Both bills involve the creation of a commission to come up with “best practices” in trying to stop “child sexual abuse material” or CSAM (the concept formerly known as child porn). In the old bill, if sites didn’t follow the commission’s best practices, they could lose their Section 230 protections. This resulted in fears that the commission would outlaw encryption as a “best practice.” The new bill retains the commission, but for no recognizable purpose. Instead, it does away with the pretense and just says that a bunch of sites should lose Section 230 protections no matter what. It seems quite odd to first say “we need a commission to determine best practices” and then on a second pass say that before the commission has done anything we’re just going to make massive changes to Section 230 based on… nothing at all. No evidence saying that this would create better outcomes. No evidence that Section 230 is a problem with regards to CSAM. Just… nothing.
Specifically, the new bill makes a change to Section 230 that looks similar to the change that was made with FOSTA, saying that you don’t get 230 protections if you advertise, promote, present, distribute, or solicit CSAM. But here’s the thing: CSAM is already a federal crime and all federal crimes are already exempted from Section 230. On top of that, it’s not as if there are a bunch of cases anyone can trot out as examples of Section 230 getting in the way of CSAM prosecutions. There’s literally no evidence that this is needed or will help — because it won’t.
As we’ve detailed before, the real scandal in all of this is not that internet companies are facilitating CSAM, but that the DOJ has literally ignored its Congressional mandate to go after those engaged in CSAM production and distribution. Congress tasked the DOJ with tackling CSAM and the DOJ has just not done it. The DOJ was required to compile data and set goals to eliminate CSAM… and has just not done it. That’s why it’s bizarre that EARN IT is getting all of the attention rather than an alternative bill from Senators Wyden, Gillibrand, Casey and Brown that would tell the DOJ to actually get serious about doing its job with regards to CSAM, rather than blaming everyone else.
But digging into the details, the real problem here is that, as structured, the new EARN IT Act would be a disaster in trying to achieve the goals the sponsors have set out for it. First off, thanks to the addition of Senator Leahy’s Amendment, some may see the bill as one that effectively requires encryption to avoid liability for CSAM. Even that’s not totally clear, however. While you can read Leahy’s amendment to say that encryption is protected, the actual structure of the final bill punts many issues to state law, and that means having to comply with 50 different state laws. Some, like Illinois, have lower standards for the mens rea regarding CSAM, and the worry is that we won’t know whether or not offering end-to-end encryption would be seen as violating state laws until long and costly cases go through their lengthy process.
Either way, this weird CSAM carveout from Section 230 is somewhat equivalent to the moderator’s dilemma that other attempts to change Section 230 create. Because most of those other reforms put in place a “knowledge” standard, it gives many sites a reason to never look at the content on their platform. In this case, due to the explicit call out saying that encryption isn’t impacted, that would effectively say that if you want to keep 230 protections, you should encrypt absolutely everything. Which, ironically, is the exact opposite of what Attorney General Bill Barr has been asking for.
But, as with the moderator’s dilemma, there’s also a flipside (if you don’t want to ignore everything, then you have to greatly restrict what you allow through). Under the new EARN IT, the flipside is that the government more or less says that you are now responsible for being able to track and identify anyone on your service who is not using encryption — meaning you would need to carefully verify every user of your platform. No more simple signups. No more anonymity. And, incredibly, this would mean that sites would need to collect a ton of data on every user. Want to use this new service? First submit your phone number, driver’s license, etc.
At a time when people are saying they trust big internet companies less and less with their data, why would Senators Graham, Blumenthal, Feinstein, and Hawley (HAWLEY!?!?) be encouraging websites to collect even more (and more intrusive) data on all their users?
Since this is somewhat different than the traditional moderator’s dilemma, it might be called the “censor’s dilemma” or possibly the “middleman’s dilemma,” in that this is even more tied to the government’s demand that websites block certain content entirely, which puts them in the role of a government middleman or censor (which, not coincidentally, would raise serious constitutional issues with the EARN IT Act turning private entities into state censors).
Either way it is difficult to see how these two outcomes are what Congress (or, for that matter, the DOJ) actually wants:
- Much greater encouragement for websites to encrypt everything
- Much greater encouragement for websites to demand much more personal and private information on users.
And yet, thanks to Congress’ standard bungling, that’s what we have with the current EARN IT Act. And while it might be nice if the law actually did encourage more encryption, don’t pin your hopes on that. As noted above, it’s not entirely clear that it really does lead to that outcome, and we might not know until after a whole bunch of litigation. Furthermore, if that is is the end result, it will almost certainly lead to a different kind of backlash and support for even worse laws that seek to blow up encryption through other methods.
In short: the EARN IT Act is bad. At best it might encourage more encryption, but it would also create a whole host of unintended consequences, including much less privacy and no more anonymity on many websites. It’s difficult to see how that accomplishes any of the goals of the bill’s supporters.