The STOP CSAM Act Would Make Kids Less Safe
Yesterday, the Senate Judiciary Committee unanimously advanced the STOP CSAM Act of 2025, which aims to combat child sexual abuse material (CSAM) online. But the bill’s approach risks doing the opposite. Instead of making kids safer, it would undermine the very tools that keep their communications secure and their personal lives private.
The Bill Pressures Providers to Break or Abandon Encryption
In addition to expanding existing reporting requirements for CSAM, the STOP CSAM Act creates two new ways providers could be held liable for CSAM on their platforms. First, providers could be held liable for the “reckless promotion, or aiding and abetting” of certain existing anti-CSAM laws, and second, providers could be held liable for the “reckless hosting or storing” of CSAM. The “reckless” standard is a disappointing departure from a more recent version of the bill that required platforms to have “knowledge” of CSAM to be held liable, and it remains seriously flawed.
Holding providers liable for “reckless” conduct might sound like common sense, but in practice, it would place immense pressure on providers to break or abandon encryption and remove important, lawful speech, like sex education and LGBTQ+ advocacy. This is because recklessness is a much lower legal threshold than knowledge. Essentially, providers could be held liable even when they have no knowledge of specific instances of CSAM on their platforms and no ability to detect or remove such content due to encryption. The bill appears to offer some protection for providers of encrypted services, but the protections are wholly inadequate to safeguard encryption.[1]
Encryption Keeps Kids Safe
End-to-end encryption is not an obstacle to children’s safety. In fact, it’s one of the strongest tools we have to protect children online. It shields private chats from prying eyes, whether those eyes belong to stalkers, abusers, or even unscrupulous platforms themselves. It prevents predators from intercepting photos, exploiting school-issued devices, and grooming kids via compromised accounts. And it gives kids secure channels to communicate with parents, peers, and support networks, especially on sensitive issues like mental health, sexuality, and identity.
The STOP CSAM Act puts that all at risk. By creating legal exposure for providers that cannot access private content due to encryption, the bill effectively tells companies: if you want to avoid lawsuits, break encryption.
Congress Should Fix the Bill
Congress can and should amend the STOP CSAM Act to better combat CSAM while protecting children and preserving essential civil liberties:
- Restore the “knowledge” standard. Liability should attach only when providers have knowledge they are promoting or hosting CSAM.
- Clarify that providers must have knowledge about specific instances of CSAM to be held liable. General awareness that illegal material may exist somewhere on a platform should not be sufficient to hold providers liable.
- Prohibit courts from considering the mere use of encryption to support a finding of liability. The bill currently prohibits encryption from being an independent basis of liability, but this is basically meaningless because encryption will never be the sole basis for liability. Courts should not be encouraged to penalize providers for implementing best practices for privacy and security.
Privacy Is Security
The core problem with the STOP CSAM Act is its false choice: either protect children, or protect privacy. In reality, the two go hand in hand. The more we undermine encryption and incentivize invasive surveillance technologies, the more we expose everyone — especially children — to the threats of stalking, exploitation, and abuse.
Congress should take a step back and get this right. Kids deserve real protection.
[1] For example, the bill provides that it is a defense if it is “technologically impossible” to comply due to encryption, but this only applies to the offense of “reckless hosting or storing” of CSAM, and not to the offense for “reckless promotion, or aiding and abetting.” And, even where the defense applies, the defense must be proven “at trial” after the costs of litigation have already been incurred. This incentivizes providers to preemptively break encryption to avoid litigation costs and the risks of adverse rulings.