from the it's-a-bad-bill,-senators dept
We’ve already talked about the many problems with the EARN IT Act, how the defenders of the bill are confused about many basic concepts, how the bill will making children less safe and how the bill is significantly worse than FOSTA. I’m working on most posts about other problems with the bill, but it really appears that many in the Senate simply don’t care.
Tomorrow they’ll be doing a markup of the bill where it will almost certainly pass out of the Judiciary Committee, at which point it could be put up for a floor vote at any time. Why the Judiciary Committee is going straight to a markup, rather than holding hearings with actual experts, I cannot explain, but that’s the process.
But for now at least over 60 human rights and public interest groups have signed onto a detailed letter from CDT outlining many of the problems in the bill, and asking the Senate to take a step back before rushing through such a dangerous bill.
Looking to the past as prelude to the future, the only time that Congress has limited Section 230 protections was in the Allow States and Victims to Fight Online Sex Trafficking Act of 2017 (SESTA/FOSTA). That law purported to protect victims of sex trafficking by eliminating providers? Section 230 liability shield for ?facilitating? sex trafficking by users. According to a 2021 study by the US Government Accountability Office, however, the law has been rarely used to combat sex trafficking.
Instead, it has forced sex workers, whether voluntarily engaging in sex work or forced into sex trafficking against their will, offline and into harm?s way. It has also chilled their online expression generally, including the sharing of health and safety information, and speech wholly unrelated to sex work. Moreover, these burdens fell most heavily on smaller platforms that either served as allies and created spaces for the LGBTQ and sex worker communities or simply could not withstand the legal risks and compliance costs of SESTA/FOSTA. Congress risks repeating this mistake by rushing to pass this misguided legislation, which also limits Section 230 protections.
It also discusses the attacks on encryption hidden deep within the bill.
End-to-end encryption ensures the privacy and security of sensitive communications such that only the sender and receiver can view them. This security is relied upon by journalists, Congress, the military, domestic violence survivors, union organizers, and anyone who seeks to keep their communications secure from malicious hackers. Everyone who communicates with others on the internet should be able to do so privately. But by opening the door to sweeping liability under state laws, the EARN IT Act would strongly disincentivize providers from providing strong encryption. Section 5(7)(A) of EARN IT states that provision of encrypted services shall not ?serve as an independent basis for liability of a provider? under the expanded set of state criminal and civil laws for which providers would face liability under EARN IT. Further, Section 5(7)(B) specifies that courts will remain able to consider information about whether and how a provider employs end-to-end encryption as evidence in cases brought under EARN IT. This language, originally proposed in last session?s House companion bill, takes the form of a protection for encryption, but in practice it will do the opposite: courts could consider the offering of end-to-end encrypted services as evidence to prove that a provider is complicit in child exploitation crimes. While prosecutors and plaintiffs could not claim that providing encryption, alone, was enough to constitute a violation of state CSAM laws, they would be able to point to the use of encryption as evidence in support of claims that providers were acting recklessly or negligently. Even the mere threat that use of encryption could be used as evidence against a provider in a criminal prosecution will serve as a strong disincentive to deploying encrypted services in the first place.
Additionally, EARN IT sets up a law enforcement-heavy and Attorney General-led Commission charged with producing a list of voluntary ?best practices? that providers should adopt to address CSAM on their services. The Commission is free to, and likely will, recommend against the offering of end-to-end encryption, and recommend providers adopt techniques that ultimately weaken the cybersecurity of their products. While these ?best practices? would be voluntary, they could result in reputational harm to providers if they choose not to comply. There is also a risk that refusal to comply could be considered as evidence in support of a provider?s liability, and inform how judges evaluate these cases. States may even amend their laws to mandate the adoption of these supposed best practices. For many companies, the lack of clarity and fear of liability, in addition to potential public shaming, will likely disincentivize them from offering strong encryption, at a time when we should be encouraging the opposite.
There’s a lot more in the letter, and the Copia Institute is proud to be one of the dozens of signatories, along with the ACLU, EFF, Wikimedia, Mozilla, Human Rights Campaign, PEN America and many, many more organizations.