Today, the Center for Democracy & Technology and the Internet Society (ISOC) are releasing a joint report that shows how the EARN IT Act (S. 3538/HR 6544) would threaten the security of Internet communications and potentially prompt key players in the Internet ecosystem to block content that is entirely lawful. The bill emerged from the Senate Judiciary Committee in February, 2022 and could either be considered by Congress during the “lame duck” session that began this week or be reintroduced next year.
The “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2022” aims to curb the spread of child sexual abuse material (CSAM) online. This is a goal CDT strongly supports: CSAM is a horror, and the volume of CSAM on the Internet is growing. Nonetheless, CDT and a large cadre of civil society organizations oppose the EARN IT Act because of the adverse effects it would have on the privacy and free expression rights of all users – including children. Instead, CDT favors approaches to moderating content in encrypted environments that will not have those effects.
The EARN IT Act Internet Impact Brief we issued with ISOC adopts a method of legislative analysis that ISOC has pioneered and employed on legislation pending around the world. It first assesses the impact of the legislation on five critical properties that are necessary for the Internet to exist at all, then the impact on other properties that are necessary for the Internet to be healthy and to thrive. It finds that four of the five critical properties would be compromised if the EARN IT Act became law.
As the Internet Impact Brief explains, the approach to CSAM that the EARN IT Act takes threatens the pillars on which the Internet rests. It does this primarily by compromising liability protections in Section 230 of the Communications Act of 1934. As a result, the EARN IT Act permits states to impose criminal and civil liability on internet platforms and infrastructure providers who fail to stop their users from disseminating CSAM, even when the information is encrypted, rendering the intermediary unaware of the fact that CSAM is present.
This could prompt providers of encrypted communication services (e.g. WhatsApp, Signal, and Apple’s Messages service) to cease to offer encrypted services or to compromise the security of those services by building in “backdoor” access for law enforcement, which access could be exploited by malicious actors. It could also prompt infrastructure providers such as Content Delivery Networks and companies that offer cloud storage services, as well as internet service providers (ISPs), to consider blocking categories of encrypted content because they cannot be sure that it is CSAM-free.
The Brief also observes that the encryption “carve out” that was added to the legislation does not remedy the adverse impact of the legislation. If it becomes law, communications would become less secure because encryption would become less pervasive or effective, and more lawful content could be blocked.