Senators Graham, Blumenthal, Hawley, Feinstein introduced the EARN IT Act last week and the Senate Judiciary Committee held a hearing on the bill this morning. The goal of the EARN IT Act is to “encourage the tech industry to take online child sexual exploitation seriously.” The senators have identified a real problem that needs to be addressed at the policy level. Stopping the distribution of child sexual abuse material (CSAM) and child sexual exploitation (CSE) content should be a top priorirty for both law enforcement officials and technology companies. Without close cooperation between these two stakeholders, ending the scourge of abusive and exploitative material will be impossible.
It is also important to keep in mind the tough position platform providers are in when it comes to policing user-generated content (UGC) and private communications. Technology companies must strike a difficult balance between false positives (i.e., taking down and reporting content that is not actually CSAM) and false negatives (i.e., leaving up and not reporting dangerous or harmful content). The former restricts users’ privacy and their ability to express themselves while the latter risks harming vulnerable populations. Given these considerations, new legislation in this area must be carefully considered.
The bill makes Section 230 immunity conditional on interactive computer service (ICS) providers affirmatively certifying that they are in compliance with “best practices” as determined by a newly-created National Commission on Online Child Exploitation Prevention. While its intent is hard to argue with, the EARN IT Act would fail to achieve its goal of protecting children online due to its flawed approach. At the same time, the law would cripple innovative business models and centralize power in the attorney general’s office. Many observers have noted that Attorney General William Barr has been pushing for these powers for some time now and critics say the bill is “effectively a backdoor to a backdoor” on encryption. If that’s really what this law is about, then the co-sponsors should be explicit about it and allow for public discussion about the costs and benefits of encryption.
Furthermore, conditioning Section 230 immunity on following a vague “best practices” standard would constitute a de facto mandate on the tech industry and therefore violate the spirit of the Fourth Amendment. Section 230 immunity is so essential to the viability of business models involving user-generated content (UGC) that any conditions put on that protection are not optional for ICS providers in any practical sense. Large companies will endure billions of dollars in compliance cost and tolerate extremely high rates of false positives in order to meet whatever best practices the Commission dictates. Many startups simply won’t allow user-generated content at all. The suggested best practices will in fact be requirements for companies that host any UGC.
In addition, lowering the standard of evidence for violating 18 U.S. Code § 2252 (“Certain activities relating to material involving the sexual exploitation of minors”) from needing to show “actual knowledge” of CSAM/CSE material to only “recklessness” would make the new legal liability too broad. Depending on how the courts and enforcement officials interpret “recklessness,” ICS providers could be held liable for being innovative in how they approach policing and reporting CSAM content on their platforms (if they do not also narrowly meet the required best practices set forth by the Commission). Attempts by ICS providers to protect user privacy might also conflict with some of these yet-to-be-determined guidelines.
A real solution to the CSAM/CSE problem would be for Congress to approve the full funding that it had previously authorized for state and regional investigations. According to DOJ data, “Annual funding for state and regional investigations was authorized at $60 million, but only about half of that is regularly approved.”
Under-resourcing of agencies and under-commitment to fixing this issue has been an increasing problem in recent years. The Trump Administration reappropriated funding from the Department of Homeland Security’s cybercrime budget for immigration enforcement. The DOJ has failed to produce three of the five biennial reports on CSAM/CSE since it was first required to do so by Congress in 2008. It is unclear what passing new legislation would accomplish if law enforcement already doesn’t have the resources to respond to the increasing number of CSAM/CSE reports. The EARN IT Act is far too flawed to move forward in its current state and legislators have much more pressing priorities at the moment given the ongoing public health emergency and unfolding economic crisis.