EARN IT’s State-law Exemption Would Create Bewildering Set of Conflicting Standards for Online Speech
This post was authored by Ben Horton, a summer 2020 CDT intern.
After de-emphasizing a controversial commission structure and adding a nominally pro-encryption amendment (neither of which go far enough to fix the bill’s problems), the revised EARN IT Act (S.3398) passed unanimously out of the Senate Judiciary Committee a few weeks ago. With less than 48 hours from disclosure of the proposed amendments to the Committee’s consideration of them, there was virtually no time to analyze the implications of the changes before the vote (though we, and others, tried).
Risks of State-by-State Regulation
There are a variety of problems with the bill, from its carve out for federal civil CSAM laws, to retaining an “advisory” commission whose “recommendations” could carry de facto legal force in many jurisdictions. But perhaps the biggest problem is the free rein the bill gives to states to regulate the internet—as Senator Wyden has pointed out, “By allowing any individual state to set laws for internet content, this bill will create massive uncertainty, both for strong encryption and free speech online.”
Although the bill has been described as SESTA-FOSTA for child sexual abuse material (CSAM), it is actually even broader than that. Today, Section 230 preempts state civil and criminal law that would treat online intermediaries as the publishers of third-party content. Two years ago, the sex trafficking amendments to Section 230 allowed states to enforce sex trafficking laws against online intermediaries if “the conduct underlying the claim constitutes a violation” of the federal sex trafficking statute.
Notably, states have not followed through and done much enforcement. There are no published instances of plaintiffs taking advantage of the state law carve out, and the two federal claims (having nearly identical fact patterns) were thrown out because they were garden-variety breach of Terms of Service claims by plaintiffs whose tenuous connection to the issue of sex-trafficking was that they were each allegedly involved in “combatting” sex trafficking on various platforms. Furthermore, there are constitutional issues with the formulation Congress used to enact SESTA-FOSTA.
But the EARN IT Act doesn’t require that the conduct alleged to violate state law also constitutes a crime under federal law: It permits enforcement of any state criminal or civil law “regarding the advertisement, promotion, presentation, distribution, or solicitation of child sexual abuse material” as defined in federal law. As long as the state law is “regarding” this broad array of potential CSAM crimes, states are given wide authority–including to create novel prohibitions if the EARN IT Act becomes law. But the risk of this broad exemption is clear from analyzing laws that are already on the books and could be used as soon as the EARN IT Act is passed.
For instance, in Arkansas it is illegal for an “owner, operator or employee” of online services to “knowingly fail” to report instances of child pornography on their network to “a law enforcement official.” Because this law has apparently never been enforced (it was passed in 2001, five years after Section 230, which preempts it) it is not clear what “knowingly” means. Does the offender have to know that a specific subscriber transmitted a specific piece of CSAM? Or is it a much broader concept of “knowledge,” for example that some CSAM is present somewhere on their network? To whom, exactly, do these providers report CSAM? How would this law apply to service providers located outside of Arkansas, but which may have users in Arkansas?
Maryland enables law enforcement to request online services take down alleged CSAM, and if the service provider doesn’t comply, law enforcement can obtain a court order to have it taken down without the court confirming the content is actually CSAM. Some states simply have incredibly broad statutes criminalizing the transmission of CSAM, such as Florida: “any person in this state who knew or reasonably should have known that he or she was transmitting child pornography . . . to another person in this state or in another jurisdiction commits a felony of the third degree.”
Finally, some states have laws that prohibit the distribution of “obscene” materials to minors without requiring knowledge of the character of the material or to whom the material is transmitted. For example, Georgia makes it illegal “to make available [obscene material] by allowing access to information stored in a computer” if the defendant has a “good reason to know the character of the material” and “should have known” the user is a minor. State prosecutors could argue that these laws are “regarding” the “solicitation” of CSAM on the theory that many abusers send obscene material to their child victims as part of their abuse.
So what is the risk of allowing states to enforce their criminal and civil laws, especially against these heinous and narrow categories of illegal material? The problem is the effects of EARN IT Act will not fall narrowly on CSAM, any more than the effects of SESTA-FOSTA fell narrowly on sex trafficking. The effect of the EARN IT Act is to increase the overall liability costs of running an online service and to threaten encryption. But haphazardly increasing the liability costs of running an online service ensures one thing: those costs will be haphazardly passed on to users.
Surveillance
The first form of cost-shifting will be increased screening of private messages and surveillance generally. State statutes without “actual knowledge” requirements—like Florida’s—could be interpreted to mean that online services will be liable for CSAM transmitted on their network if they “should have known” it existed. This could lead online services to conclude that they had to proactively screen all messages and posts to ensure there is no CSAM or possible CSAM solicitation occurring on their services.
And by exposing intermediaries to over fifty state and territorial legal frameworks around CSAM, the EARN IT Act creates an environment ripe for jurisdictional clashes—which could also lead to increased surveillance. Because states can enforce their laws to protect victims of crime within their borders, online services will be incentivized to keep tabs on where their users actually are at all times to know what laws apply to which content. Letting online services access your real-time location data may become a de facto legal requirement to use them—or they might simply not offer services in states with broad liability regimes.
Given the DOJ’s long-running public position that online services should “maintain the ability to assist government authorities to obtain content . . . in a comprehensible, readable, and usable format pursuant to court authorization (or any other lawful basis),” increased surveillance is likely a feature, and not a bug, of the proposal. The greater the obligation of online services to police the content of the communications they carry so that law enforcement can access them in comprehensible format, the greater the amount of information potentially available to law enforcement.
Relatedly, we may see a return of age-verification systems. Online services might limit access to minors or block them altogether in response to broad laws like Georgia’s that would open them up to liability if minors accessed any obscene material through their service. And as Riana Pfefferkorn of Stanford’s Center for Internet and Society has pointed out, intermediaries who are liable for “facilitating” CSAM might cut off all minor-to-adult communication to stymie any chance that they are liable for minor-to-predator communication.
As we know from previous congressional forays into age verification laws, the only effective way to create an age-verification system is to require adults to input sensitive personal information—state identification or, more likely, a credit card number (and those aren’t even that successful). Apart from probably being unconstitutional, it also compounds the broken system of excessive data collection this law would create.
Imagine the EARN IT Act passes and leads an online service to decide it has to proactively screen all direct messages for adult-to-minor communications because it is concerned about “facilitating” CSAM. To know who is a minor and who isn’t, it requires everyone to give their credit card information or their state-issued identification information. There is the inevitable data breach and, in addition to all the sensitive data the online service already has, the hackers also have your credit card info and a history of your real-time geographic data.
Censorship
The other form of shifting the cost of EARN IT on to users will be increased takedowns of innocuous and beneficial content—in other words, constitutionally protected speech. If an online service risks liability for carrying content, it will craft over-inclusive policies to prevent that liability. Online services will not just censor what is illegal, they will censor anything that might be illegal in order to shield themselves from liability. After SESTA-FOSTA, Craigslist did not shut down sex trafficking—that was already barred—it shut down its entire classifieds section and all of the legitimate speech that was associated with it.
The state laws discussed above deal with obscene material and CSAM—content that is generally illegal under state and federal law. But, as the Craigslist example shows, over-cautious intermediaries are likely to interpret these categories of content quite broadly.
In addition to communication between minors and adults, even innocent instances of romantic relationships between minors will be suspect. Some states already criminalize “sexting”; intermediaries might bar even relatively innocuous conversations between minors if they are potentially liable. In addition, children’s and young adult literature containing descriptions of relationships between minors, and any attempt to give minors relationship or sexual health advice, even from a faith-based perspective, might be swept up. This is especially concerning for LGBTQ youth, who often rely on the internet for sexual health education that is unavailable from their family or community.
This is not a problem with a partisan skew: algorithms created to take down content that relates to sex and minors will take down as much abstinence advocacy and sermons on the dangers of gay sex as they will progressive sex education. Even communication within families, as long as that communication is happening electronically, could be blocked by intermediaries. If conservatives are worried about social media companies policing conservative speech, they will be in for a rude awakening after the EARN IT Act is passed.
The EARN IT Act was not passed out of committee by evil people who want to break the internet. A mix of incentives led to its unanimous passage, including laudable concerns about CSAM, a desire to increase federal law enforcement power, and concerns over the lack of regulation of online services. But just as SESTA-FOSTA led to over-moderation by intermediaries and threatened the safety, speech, and association rights of those it ostensibly was written to protect, the EARN IT Act will lead to increased surveillance and censorship of the very minors it is supposed to be protecting—and everyone else along with them.
