Privacy, Free Expression, and Security Threatened by Graham Proposal

There’s a proposal percolating on Capitol Hill that would radically empower the Attorney General to dictate standards for speech regulation and content moderation—and that would likely prevent online services from providing secure, end-to-end encrypted communications. This bill, the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, is being developed by the chairman of the Senate Judiciary Committee Senator Lindsey Graham (R-SC), reportedly with potential support from Senator Richard Blumenthal (D-CT). The bipartisan nature of the proposal and the support of the chairman make this a serious threat to free expression and privacy. (The bill has not been formally introduced, but a copy of it obtained by Bloomberg is available here.)

The bill would put the Attorney General at the head of a commission that develops “best practices” for preventing online child exploitation, and would amend Section 230 to require online services to certify that they follow these best practices or risk significantly expanded liability if individuals use their services to post or send child sexual abuse material (CSAM). The Attorney General would be able to unilaterally modify the Commission’s best practices and could launch investigations against online services if he has “reason to believe” they have made a false certification. The Attorney General would be able to use Civil Investigative Demands to compel documents and testimony from service providers, who face up to two years in prison under a new criminal provision, if they are found to have knowingly submitted a certification “that contains a false statement.” The bill would also lower the knowledge standards in child exploitation laws, which currently require entities to have actual knowledge that they are distributing CSAM. Under the new, lower standard, intermediaries who do not implement the Attorney General’s best practices would face lawsuits for acting “recklessly.”

Preventing the exploitation of children is an unquestionably important aim. However, there is little evidence that Section 230, which protects intermediaries such as website operators from liability for the information their users post, is a barrier to those efforts: Section 230 has never prevented the Attorney General from bringing any federal criminal charges against intermediaries, including those who violate the federal law prohibiting the knowing distribution of CSAM. Further, intermediaries are already required by federal law, 18 U.S.C. § 2258A, to provide reports of apparent CSAM to the National Center for Missing and Exploited Children (NCMEC) when they find it, and to preserve data to enable law enforcement investigations. If companies are not complying with their reporting obligations, the Attorney General is already empowered to hold them accountable. 

In practice, it would give the Attorney General significant and unaccountable power to regulate speech, control online services, and undermine the privacy and security of all of our communications.

So what is motivating this bill? One likely scenario: It’s an indirect attempt to undercut the secure encryption that many online services use to protect the privacy of their users. The Attorney General has been clear that he sees the efforts by Facebook and other messaging services to improve their platforms’ security by deploying end-to-end encryption to be a threat to law enforcement activity. Under Graham’s EARN IT Act, the Attorney General would be tasked with developing best practices for, among other things, “identifying, categorizing, and reporting material related to child exploitation or child abuse.” The Attorney General could thus decide that it is a “best practice” for online services  to run all content on their platform through a filter to detect CSAM, which would effectively forbid companies from implementing end-to-end encryption. Given the Attorney General’s vocal disapproval of end-to-end encrypted services, it seems highly likely that he would use the coercive power granted to him in this bill to strong-arm companies into dropping end-to-end encryption and monitoring their users’ communications. As we have consistently explained, this would come at a serious cost to our privacy and security online.

Beyond undermining secure communications, the bill could also have a dramatic negative impact on constitutional rights. Section 230’s liability protections have been essential to the development of the internet as a medium for free expression and access to information. The intermediaries who host, transmit, link to, and otherwise facilitate our speech online simply cannot afford the risk in enabling millions, or even just thousands, of individuals to upload whatever speech they like. By making liability protections conditional, the EARN IT Act presents a false choice to service providers: implement the Attorney General’s best practices or open themselves to criminal and civil liability on allegations of “reckless” behavior under 50+ different state laws. This is really no choice at all—intermediaries of all sizes and types will feel enormous pressure to meet the Attorney General’s expectations.

These “best practices” would cover a range of activities, including “coordinating with law enforcement agencies and other industry participants to preserve, remove from view, and report” CSAM,  “retention of evidence and attribution or user identification data,” “implementing a rating system to categorize the severity of images,” “employing age limits and age verification systems,” and “employing age ratings.”  Some of these categories immediately raise First Amendment issues around the rating or labeling of content and the imposition of age verification requirements to restrict access to lawful adult-oriented speech. Moreover, age verification for access to lawful pornography has nothing to do with preventing the spread of CSAM, which is flatly illegal for anyone to create, possess, or distribute. “Best practices” around the age-appropriateness of lawful content go well beyond the EARN IT Act’s nominal focus on CSAM. And government officials cannot coerce private actors into engaging in censorship that the government could not directly compel.   

The bill could also raise serious search and seizure issues under the Fourth Amendment. The proposed structure—of the Attorney General creating “best practices” for private actors to “coordinate with law enforcement,” “report material,” and “retain evidence,” and being empowered to penalize entities that do not follow these practices—may convert these private actors into “agents of the government” for Fourth Amendment purposes. This was the case in US v Ackerman, the 10th Circuit opinion (authored in 2016 by now-Justice Neil Gorsuch), in which the court found that NCMEC was acting as either a governmental entity or at least an agent of the government when it examined CSAM images reported to it by an online service provider and forwarded those to law enforcement agents. (When NCMEC conducted more in-depth searching of communications that had been reported to it without obtaining a warrant, the 10th Circuit concluded that it had violated Ackerman’s 4th Amendment rights.) 

If Congress passes an effective mandate for intermediaries to follow a set of practices dictated by the Attorney General regarding searching the contents of private communications and reporting them to law enforcement, backed by the threat of criminal prosecution if the Attorney General determines that the intermediary falsely certified their compliance with these practices, it could transform thousands of technical intermediaries into agents of the government—and, ironically, render all of the information collected in such a manner inadmissable in court for being obtained without a warrant in violation of the Fourth Amendment.

In sum, the EARN IT Act is a bill that presents itself as a reasonable effort to create best practices to fight truly abhorrent exploitation of children. But in practice, it would give the Attorney General significant and unaccountable power to regulate speech, control online services, and undermine the privacy and security of all of our communications.