On February 10, the widely criticized 2022 EARN IT Act was considered by the Senate Judiciary Committee after the equally controversial 2020 EARN IT Act didn’t make it to the Senate. Both the 2020 and 2022 EARN IT Acts claim that they intend to crack down on “Child Sexual Abuse Material” or CSAM, but how they intend to do so strip websites of important legal protections. While this bill has received an abundance of critical coverage, little, if any, delves into the nuts and bolts of what this bill actually specifies in addition to its exact implications.
To summarize, the bill proposes that child exploitation law be an exception to 47 USC 230, which protects platforms from being liable for imperfect moderation of user-posted content. It then proposes that various uses of encryption be explicitly defined as not being an independent basis for legal liability (effectively, not making it so that you can get sued for using encryption). It then goes back on that, adding an exception to the encryption no-liability section for child sexual abuse material, making it so that various uses of encryption leave you open to civil or criminal prosecution on the basis of hosting child sexual abuse material, regardless of whether such material actually exists on your site.
While the bill is lengthy, the area of concern is mainly limited to section 5, which amends Section 230(e) of the Communications Act of 1934, or 47 USC 230(e), to add an exception to the protections offered by 47 USC 230(c). An extremely important piece of legislation for the modern internet, 47 USC 230(c) effectively prevents internet content providers and services from being legally responsible for offensive or illegal content posted by users as long as the service makes a “good faith” effort to remove or restrict access to the objectionable content. Since users posting such content is effectively unavoidable at the scale of medium to large platforms, such legislation is essential to prevent platforms from being harangued by an onslaught of lawsuits for any objectionable content they fail to filter out, regardless of what efforts they make.
Under the 2022 EARN IT Act, the use of end-to-end encryption, or any of the other encryption techniques outlined in the bill, would make you civilly or criminally liable for child sexual exploitation material on your platform, opening an avenue around Section 230 protections.
This would allow encryption services to be bombarded with lawsuits if their content filtering was anything other than perfect, which is bound to happen with such a difficult problem as automated content filtering. (The finer points of automated content filtering are a lengthy enough topic that it deserves its own article or three, so I will not be discussing it here.) More importantly, the sole act of using end-to-end encryption, or solely not possessing the means to decrypt communication on your platform, would make you civilly or criminally liable regardless of whether there is actual child abuse content on your platform.
To get into the specifics of how this is implied in the bill, Section 5 of the 2022 EARN IT Act, in effect, adds child exploitation charges to the list of exceptions to the protection of 47 USC 230. Section 230(e)(1) already outlines an exception for enforcement of federal criminal law, which it explicitly defines as including child exploitation. It would at first appear that the only material addition to the list of exceptions is “[A]ny claim in a civil action brought against a provider of an interactive computer service… regarding the advertisement, promotion, presentation, distribution, or solicitation of child sexual abuse material…” Upon closer examination, the devil lies in the details, especially the proposed creation of 47 USC 230(e)(7), which specifies the following: “Notwithstanding paragraph (6), none of the following actions or circumstances shall serve as an independent basis for liability of a provider of an interactive computer service….”
“The following actions or circumstances” that are excluded from being an independent basis for liability includes end-to-end encryption, but the important part is the first three words. “Notwithstanding paragraph (6)” specifies that the charges outlined in paragraph 6 are exempt from protection against encryption being an independent basis for liability.
To top it off, the senators promoting the bill seem to be unable to provide concrete examples of how it will help achieve its stated purpose of combating child sexual abuse material. Senators Blumenthal and Graham published a myth vs. fact sheet that fails to dispel most of the listed myths and supplies vague promises construed as “facts” that list no concrete actions that will be taken. It even appears to contradict itself at times, saying “the Commission [created by the EARN IT Act] cannot set rules or standards,” before immediately saying that one of the Commission’s roles is “to issue reports on the latest best practices in stopping online child sexual exploitation.” The information sheet also claims “specific protections were included in the bill to explicitly state that a court should not consider offering encryption or privacy services as an independent basis for legal liability,” but at the same time fails to acknowledge the exception in those protections that would allow for services employing encryption to be prosecuted regardless of whether the services contain any child pornography.
Thanks for the explanation. The particulars may be a bit technical, but this bill could hurt nearly everyone on the internet.
Thanks for reading my article! I know it’s a bit technical, but part of my goal in writing this article was to be one of very few news sources that actually cites the text of the bill, which is hard to do while keeping it readable.