
Cybersecurity & Standards, Free Expression, Government Surveillance, Privacy & Data

The EARN IT Act Puts Us All at Risk

Today, Senators Lindsey Graham (R-South Carolina), Richard Blumenthal (D-Connecticut), and eight other senators introduced the EARN IT Act, a sweeping bill that will have implications for everyone’s safety online and that likely violates the First and Fourth Amendments. The stated goal of the EARN IT Act is to address the online spread of child sexual abuse material (CSAM), but the approach taken in this bill isn’t the way to address this critical issue—and will actually put all internet users, particularly the most vulnerable, at greater risk of harm.

To understand the potential for harm this bill presents, you have to know a bit about its approach to CSAM and about Section 230. Section 230 gives online service providers a shield from liability for content that their users post, link to, or transmit over their services. This is critical to enabling free expression online, since without Section 230’s protections, service providers would face enormous pressure to censor broadly in order to avoid unintentionally hosting illegal material, and would be vulnerable to a “heckler’s veto” in the form of frivolous lawsuits.

The EARN IT Act seeks to dramatically limit this protection. It sets up a commission, chaired by the Attorney General, that will put forth a set of “best practices” to address the spread of CSAM online. Tech companies can either certify that they are following the best practices, in which case they keep their Section 230 shield, or not certify and take their chances in the courts. And taking that chance will be an even bigger gamble than it seems, since the EARN IT Act would also change the threshold at which providers become responsible for CSAM on their system. Currently, providers face federal criminal liability if they know their users are distributing CSAM on their platform, meaning they know for a fact that it is there and don’t act to remove or report it. Under the EARN IT Act, providers would become liable for a new set of federal civil penalties if they just recklessly (rather than knowingly) provide a service that people use to distribute CSAM. This could be interpreted to mean that the provider built a system where it is simply possible for CSAM to exist without their knowledge.

One of the foremost concerns with the bill is its potential impact on the adoption and use of strong end-to-end encryption. Before delving into how the EARN IT Act would impact encryption, it’s important to first offer some historical context around this issue. End-to-end encryption means that only the two endpoints of a communication have access to the contents of that communication. So, you and the person you are messaging can see the unencrypted content, but nobody else can, not even the communication provider. The Department of Justice has long pushed for a backdoor that would allow them to access all encrypted communications, essentially prohibiting end-to-end encryption. Security and encryption experts, along with much of the civil society community, have argued that such a backdoor would fundamentally compromise the security of internet users, exposing them to more harm. (This debate stretches back decades under the name “Crypto Wars.”) Typically, law enforcement frames this debate as one of online security and privacy versus physical-world safety. That stilted framing simply doesn’t reflect the reality of many people’s lives in this day and age.

The reality is that the online and offline worlds are inextricably entangled now. When we use the internet to conduct huge amounts of our day-to-day lives, it’s no longer reasonable to assume that harm that happens on the internet stays on the internet. This is most obvious with things like financial harms: if someone gets access to your online bank account, you don’t care that they didn’t break into a bank vault; your money is still gone. But our physical safety is increasingly entangled with our online lives too. Policymakers and lawmakers need to be able to communicate securely without fear of eavesdropping, potentially by dangerous nation-state attackers. For victims of domestic abuse, prosecutors working organized crime cases, and undercover police, their communications, which may contain information like their location and schedule, are incredibly sensitive and dangerous information. For the LGBT* community, keeping their sexual orientation and gender identity private can be a matter of life or death. For many people, keeping their online information secure and private is part and parcel of staying safe in the physical world. And encryption is one of the strongest, very possibly the strongest, safety technologies we have; undercutting it will put a lot of people at risk.

So how does EARN IT threaten encryption? The Commission set up by the bill would develop best practices in a number of areas, including identifying and reporting CSAM, and calls for two members with experience in “matters of cryptography, data security, or artificial intelligence,” indicating that encryption will be in the purview of the Commission. Furthermore, the Commission places a lot of power in the hands of the Attorney General, who chairs the Commission. The current administration, and the Attorney General in particular, has shown a strong appetite for prohibiting the development of end-to-end encrypted systems, and it’s very likely they’ll use the new powers to get that prohibition (which they’ve been unsuccessful in getting by outright asking for such a backdoor). There are a few ways the recommendations could accomplish this without ever mentioning the term encryption. For instance, they could state that providers have to monitor all communications for CSAM, which they can’t do in an end-to-end system, so they would have to forgo building or operating existing end-to-end encrypted systems. Even if providers decide not to follow the recommendations, and risk liability instead, they probably still won’t risk deploying end-to-end encryption, because that could run afoul of the new standard of “recklessly” allowing CSAM. So this bill really has the potential to be a “backdoor to a backdoor,” and consequently poses a lot of risk to all internet users, particularly vulnerable and at-risk users.

Now, the problems with the EARN IT Act are unfortunately not limited to the threat to encryption. It also fails to play by the rules of the First and Fourth Amendments of the Constitution. By putting forth “voluntary” recommendations that aren’t really optional (in the sense that companies open themselves up to substantial liability if they don’t implement the best practices to the AG’s satisfaction), the EARN IT Act amounts to government regulation of speech, butting up hard against First Amendment protections. Additionally, if the recommendations mandate any sort of searching for CSAM, this transforms the companies doing the searching into ‘agents of the government’ for purposes of the Fourth Amendment, meaning that anything they find in their warrantless searches will be in violation of the Fourth Amendment and can be suppressed in court by defendants. This will dramatically hamper law enforcement’s ability to actually prosecute the cases they discover.

Child abuse and exploitation are terrible crimes that need to be addressed, and we should all work towards a solution. But the EARN IT Act is not that solution. It won’t help law enforcement handle CSAM, and it will put us all at risk in the process.