There are gut-churning tales of online child sexual abuse material (CSAM).
Last week, when a bill designed to strip legal protection from online abusers sailed through the Senate Judiciary Committee, UC/Berkeley Professor Hany Farid passed on this example from investigators at the Department of Justice’s Child Exploitation and Obscenity Section: a man had “expressed excitement for his soon-to-arrive ‘new material,’ sharing an in-utero picture of his unborn child with an online network of abusers.”
Now that the EARN-IT Act has crept closer to a full Senate hearing, we’re that much closer to finding out whether the bill can really help stem the flood of online CSAM, whether it’s a barely veiled attack on online privacy and end-to-end encryption, or all of the above.
During Thursday’s hearing on the bill, which they’d amended the day before, the proposed law’s co-sponsors stressed that it’s not a wooden stake to stick in encryption’s heart. Senator Richard Blumenthal claimed that the bill “is not about encryption and it never will be.” The other co-sponsor, Senator Lindsey Graham, said that his goal “is not to outlaw encryption”. Well, at least not at this point, maybe: he called that “a debate for another day.”
The critics of the proposed law aren’t swallowing it.
The day before the hearing, the co-sponsors amended the act to make it appear, at least, to be more of a nudge than a cudgel. As explained by the Electronic Frontier Foundation (EFF)— – a staunch critic of the bill – the new version now gives state legislatures the power to regulate the internet in the quest to battle CSAM, as opposed to a 19-person federal commission.
Nonetheless, it still threatens encryption, its critics say, albeit less blatantly.
In its first iteration, the EARN-IT Act proposed a commission to come up with best practices to battle CSAM. That commission would have been controlled by Attorney General William Barr. Given how often Barr has said that he thinks that encrypted services should be compelled to create backdoors for police, it was easy to see the legislation as an embodiment of a threat from Graham and other senators to regulate encryption in lieu of tech companies willingly creating those backdoors.
A reminder of what Graham threatened in December 2019, while grilling Facebook and Apple:
You’re going to find a way to do this or we’re going to go do it for you. We’re not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion.
But the Manager’s Amendment that was approved by the Senate Judiciary Committee didn’t eliminate the threat to encryption. Rather, as the EFF put it, the approved amendment instead “empowers over 50 jurisdictions to follow Barr’s lead in banning encryption.”
The amended bill also includes protections that purportedly keep the states from focusing on encryption. An amendment from Senator Patrick Leahy prohibits holding companies liable because they use “end-to-end encryption, device encryption, or other encryption services.”
That’s an improvement, but the threat to encryption hasn’t disappeared. The bill still encourages state lawmakers to look for loopholes to undermine end-to-end encryption, such as demanding that messages be scanned on a local device, before they get encrypted and sent along to their recipient. Known as client-side scanning, the approach would allow some messages to be selected and sent to the government, thereby sidestepping the protections of end-to-end encryption.
Section 230
The latest draft of the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act is still tinkering with a legal framework that’s already been tinkered with anyway: Section 230 of the Communications Decency Act (CDA).
In 2018, Congress passed the Fight Online Sex Trafficking Act (FOSTA) bill, with a carve-out meant to make it easier to prosecute online sex traffickers. Critics lambasted FOSTA for flattening the differences between sites that sell trafficked victims and sites that support victims who’ve escaped their captors, as well as for failing to differentiate between consensual and non-consensual sex work. Its passage led to Craigslist personals and some subreddits getting yanked and carried no real protection for victims of trafficking.
Similar to FOSTA, the EARN-IT Act would create a carve-out in Section 230 for fighting CSAM.
See you in court?
Under the changes made last week, the best practices created by the National Commission on Child Sexual Exploitation would be advisory. Does that mean that your liability won’t increase if you aren’t able to decrypt data? Not necessarily, given that complying with best practices won’t automatically trigger Section 230 immunity.
In short, service providers who do everything “right,” by forwarding secrecy properly and by properly using ephemeral keys (i.e., temporary, single-use keys discarded after use), can’t count on being able to say, “sorry, we’ve doing end-to-end encryption, can’t help.”
Instead, they’ll wind up having to defend themselves in court, according to the American Civil Liberties Union (ACLU):
The previous version of the bill suggested that if online platforms want to keep their Section 230 immunity, they would need to ‘earn it,’ by following the dictates of an unelected government commission. But the new text doesn’t even give them a chance. The bill’s sponsors simply dropped the ‘earn’ from EARN IT. Website owners—especially those that enable encryption—just can’t ‘earn’ their immunity from liability for user content under the new bill. They’ll just have to defend themselves in court, as soon as a single state prosecutor, or even just a lawyer in private practice, decides that offering end-to-end encryption was a sign of indifference towards crimes against children.
Where does this leave CSAM victims?
“We’re going to act,” Graham said. “This committee’s going to act.”
And so it did. Whether the amended act will help stop the spread of CSAM is another question, however. Wyden had urged the committee to table the bill so lawmakers could have more time to vet the proposal, to determine whether it would in fact do more harm than good.
Last week, Wyden was still calling for Congress to pass legislation that would, instead, boost funding and modernize IT systems for the National Center for Missing and Exploited Children.
His take on the EARN-IT Act:
By allowing any individual state to set laws for internet content, this bill will create massive uncertainty, both for strong encryption and free speech online.