CDT Leads Broad Civil Society Coalition Urging Senate to Drop EARN IT Act

Today, the Center for Democracy & Technology is joining 132 LGBTQ+ and other human rights organizations in urging Congress to oppose the latest iteration of the flawed EARN IT Act. It strongly threatens encryption & free speech while making it harder to protect children from online abuse.

The text of this broad coalition letter has been pasted below. Here’s the PDF version for the full list of signatories + additional context.

***

Re: Opposition to the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2023 (EARN IT Act)

Dear Chairman Durbin, Ranking Member Graham, and members of the Committee:

The undersigned organizations write to express our strong opposition to the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2023 (EARN IT, S.1207). We support curbing the scourge of child exploitation online. However, EARN IT will instead make it harder for law enforcement to protect children. It will also result in online censorship that will disproportionately impact marginalized communities. In addition, EARN IT will jeopardize access to encrypted services, undermining a critical foundation of security, confidentiality, and safety on the internet. Dozens of organizations and experts have repeatedly warned this committee of these risks when this bill has been previously considered, and those same risks remain. We urge you to oppose this bill.

Section 230 of the Communications Act of 1934 (as amended, 47 U.S.C. § 230) generally shields online intermediaries from liability for the content users convey on their services. Section 230’s liability shield applies to smaller and start-up companies that are interactive computer service providers, not just a handful of large companies like Google and Meta. In addition, it protects both consumer-facing intermediaries like social media companies and infrastructure intermediaries that are crucial to running the internet and are not aware of the content that flows through their systems. Since its enactment, Section 230 has fueled innovation online, allowing millions of U.S.-based internet intermediaries to emerge over the last few decades. Section 230 also helps to promote free expression online, which is further supported by the use of strong end-to-end encryption. 

Section 230 has never been a bar to federal criminal prosecution of intermediaries, and current federal law imposes criminal liability on intermediaries who have knowledge that they are distributing child sexual abuse material (CSAM). Current law also requires intermediaries to report these images, resulting in millions of reports to the National Center for Missing and Exploited Children every year. EARN IT would vastly expand the liability risk of hosting or facilitating user-generated content by permitting states to impose criminal liability when intermediaries are “reckless” or “negligent” in keeping CSAM off their platforms; EARN IT also exposes them to civil liability under state laws with similar requirements with respect to the provider’s mental state but subject to much lower standards of proof. These changes will threaten our ability to speak freely and securely online, and threaten the very prosecutions the bill seeks to enable.

The EARN IT Act Threatens Free Expression

EARN IT would repeal intermediaries’ Section 230 liability shield for any state criminal and civil law prohibiting the “distribution” or “presentation” of CSAM. EARN IT requires no specific or minimum mens rea for state laws, which means states will be free to impose any liability standard they please on platforms, including holding platforms liable for CSAM they did not actually know was present on their services. Nothing in the bill would prevent a state from passing a law in the future holding a provider criminally responsible under a “reckless” or “negligence” standard. At least one state, Florida, already imposes a lower standard for liability on CSAM distribution than the federal standard, allowing liability for distributors that did not have actual knowledge that they were transmitting CSAM. 

By opening providers up to significantly expanded liability, the bill would make it far riskier for platforms to host user-generated content. Some states may conclude that an intermediary acted recklessly or negligently, for example, if it knows that its service has been used to convey CSAM in the past and it fails to proactively filter content. Such a standard would threaten free expression for online services that host user-generated content directly, because it would almost certainly cause them to remove constitutionally protected speech that is not CSAM. It would be particularly problematic for internet infrastructure intermediaries like content delivery networks and internet service providers, which are not designed nor meant to assess the content of the traffic they are carrying or helping to transport. 

Facing potential liability under dozens of laws regulating conduct at different standards, some intermediaries may choose to simply forgo hosting user content. Others will try to mitigate the legal risks inherent in the massive expansion of liability under state law enabled by EARN IT by engaging in overbroad censorship of online speech. These providers will remove any content that they suspect could be CSAM or even simply all sexually explicit content, sweeping up large amounts of content that are not CSAM and are constitutionally protected speech. These wide ranging removals of online speech will negatively impact diverse communities in particular, including LGBTQ people, whose posts are disproportionately labeled erroneously as sexually explicit. As a result, LGBTQ people will be less free to express themselves online and less able to use the internet to find community or to organize against anti-LGBTQ legislation and sentiments. Overbroad removals of online speech will also especially impact content carried on platforms ranging from social media apps to video game websites designed for minors and young adults.

Past experience demonstrates that these risks to online free expression are not hypothetical. The only time that Congress has limited Section 230 protections so far was in the Allow States and Victims to Fight Online Sex Trafficking Act of 2017 (SESTA/FOSTA). That law purported to protect victims of sex trafficking by eliminating providers’ Section 230 liability shield for “facilitating” sex trafficking by users. According to a 2021 study by the US Government Accountability Office, however, the law has been rarely used to combat sex trafficking. Instead, it has forced sex workers—whether voluntarily engaging in sex work or forced into sex trafficking against their will—offline and into harm’s way. It has also chilled their online expression, including through platforms’ overbroad removals of speech sharing health and safety information and speech wholly unrelated to sex work. Moreover, these burdens have fallen most heavily on smaller platforms that either served as allies and created spaces for the LGBTQ and sex worker communities or simply could not withstand the legal risks and compliance costs of SESTA/FOSTA. Congress risks repeating this mistake by rushing to pass this misguided legislation, which also limits Section 230 protections.

The EARN IT Act Jeopardizes the Security of Our Communications

End-to-end encryption ensures the privacy and security of sensitive communications by making certain that only the sender and receiver can view them. It does this by ensuring that the keys used to encrypt and decrypt data are known only to the sender and the authorized recipients of the data. Billions of people worldwide rely on encryption to secure their daily activities online, from web browsing to online banking to communicating with friends and family. 

Everyone who communicates with others on the internet should be able to do so privately. However, this security is especially relied upon by journalists, Congress, the military, domestic violence survivors, union organizers, immigrants, and anyone who seeks to keep their communications secure from malicious hackers. Since the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, encryption has become even more important for healthcare workers and pregnant people, who are increasingly at risk of prosecution under state laws that criminalize abortion or sharing information about reproductive healthcare. Police in states where abortion is illegal have already used unencrypted digital evidence for prosecutions. Experts routinely recommend that people seeking abortions use encrypted services, and some women’s healthcare providers say they rely heavily on encrypted forms of communication.  

EARN IT puts Americans, U.S. businesses, and everyone around the world at great risk of harm online by strongly disincentivizing providers from providing strong encryption. It does so in two main ways. 

First, EARN IT would permit states to seek to impose criminal or civil liability on intermediaries who offer encryption, by arguing that the use of encryption is evidence under state law that a service acted recklessly or negligently in failing to identify CSAM. In the face of the risk of civil and criminal liability, many services will decide not to offer encrypted services. 

Although Section 5(7)(A) purports to protect the ability of intermediaries to offer encryption, it actually does the opposite. Section 5(7)(A) states merely that provision of encrypted services shall not “serve as an independent basis for liability of a provider” under the expanded set of state criminal and civil laws for which providers would face liability under EARN IT. (Emphasis added). At the same time, Section 5(7)(B) specifies that courts will remain able to consider information about whether and how an intermediary employs end-to-end encryption as evidence in cases brought under EARN IT. Together, these provisions explicitly allow courts to consider the offering of end-to-end encrypted services as evidence of an intermediary’s guilt of crimes related to CSAM. While prosecutors and plaintiffs could not claim that providing encryption, alone, was enough to prove a violation of state CSAM laws, they would be able to point to the use of encryption as evidence in support of claims that providers were acting recklessly or negligently. 

This risk that encryption could be used as evidence against them in state proceedings will discourage intermediaries from offering it. Small “mom and pop” intermediaries that could be bankrupted by a single lawsuit will be especially deterred from offering encryption. For all intermediaries, the mere threat that use of encryption could be used as evidence against an intermediary in a civil suit or criminal prosecution will serve as a strong disincentive to deploying encrypted services in the first place. 

Second, EARN IT sets up a law enforcement-heavy and Attorney General-led Commission charged with producing a list of voluntary “best practices” that providers should adopt to address CSAM on their services. Given the oft-stated opposition of federal officials to encryption, the Commission could well recommend against offering end-to-end encryption and recommend providers adopt techniques that ultimately weaken their product’s cybersecurity. While these “best practices” would be voluntary, they could cause reputational harm to providers if they choose not to comply. Refusal to comply could also be considered as evidence in support of a provider’s liability, and inform how judges evaluate cases against providers. States may even amend their laws to mandate the adoption of these supposed best practices. The lack of clarity and fear of liability, in addition to potential public shaming, will likely disincentivize many companies from offering strong encryption, at a time when we should be encouraging the opposite.

The EARN IT Act Risks Undermining Child Abuse Prosecutions

Finally, the EARN IT Act risks undermining child abuse prosecutions by transforming providers into agents of the government for purposes of the Fourth Amendment. If a state law has the effect of compelling providers to monitor or filter their users’ content so it can be turned over to the government for criminal prosecution, the provider becomes an agent of the government, and any CSAM it finds could become the fruit of an unconstitutional warrantless search. In that case, the CSAM would properly be suppressed as evidence in a prosecution and the purveyor of it could go free. At least two state laws—those of Illinois and South Carolina—would have that effect.

***

The EARN IT Act would have devastating consequences for everyone’s ability to share and access

information online, and to do so in a secure manner. We urge you to oppose this bill. Congress

should instead consider more tailored approaches to deal with the real harms of CSAM online, and it should commit to conducting a full, independent internet impact assessment to identify potential harms likely to result from any internet-related legislation, such as harms to users’ freedom of expression and privacy, before the legislation is voted upon.

Please direct any questions about this letter to the Center for Democracy & Technology’s EmmaLlansó, Director of the Free Expression Project at [email protected] or the Internet Society’s Natalie Campbell, Senior Director, North American Government and Regulatory Affairs at [email protected].