You may have heard about a new bill working its way through the US Congress, the EARN IT Act. That’s the “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020”. (What does that mean? It means someone really wanted their initials to spell out “EARN IT”.)
EARN IT is a bipartisan bill that claims to be an effort to put a dent in child exploitation online. It’s also managed to catch the attention of the EFF, Schneier, and a variety of news outlets. The overwhelming opinion has been that EARN IT is a terrible idea, will make implementing end-to-end encryption impossible, and violates the First and Fourth Amendments. How does a bill intended to combat child pornography and sex trafficking end up on the EFF bad list? It’s complicated.
First off, we have to cover the Communications Decency Act, and section 230 specifically. So let’s wind back the clock to 1996. The internet was young, but there were already flame wars. Two important court decisions had recently happened, and together they put Internet service providers in an odd place.
The first decision, Cubby vs CompuServe, was a result of a posting in a forum controlled by CompuServe. Cubby, Inc. was the target of what they considered to be defamation, and they brought a lawsuit against CompuServe for hosting the material. The court found in a summary judgement that because CompuServe was unaware of the contents of their forum, they were acting as a distributor, and not liable for the contents of the forums. This would be the equivalent of a bookstore having no liability for the contents of their books.
The other decision, Stratton Oakmont v. Prodigy, took a different path. This case also tested the liability of a service provider. In this case, because Prodigy exercised “editorial control” over bulletin board postings, it was ruled to be acting as a publisher rather than a simple distributor. As a publisher, Prodigy was liable for the postings that were allowed on their services.
These two decisions meant that a service provider took on much more liability by policing user content. Simply allowing every post would be the safer stance, but would predictably result in a terrible experience for the majority of end users. Congressmen Chris Cox and Ron Wyden began work on a provision to protect service providers while still allowing them to police what content would be allowed on their platform. Their work became an amendment to Title V of the Telecommunications Act of 1996. While most of the rest of Title V, the Communications Decency Act, was struck down as unconstitutional, Section 230 is still an important bit of law to this day.
Twenty-Six Words That Created the Internet
Section 230 has been called “The Twenty-Six Words That Created the Internet”. For the first time this common sense measure was written out as law: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” The statute goes on to say that providers cannot become liable as a result of “any action voluntarily taken in good faith” to police objectionable material. Section 230 can be read as a direct response to Stratton Oakmont v. Prodigy.
These protections do have limits. Two very broad swaths of law are explicitly unaffected by section 230: intellectual property law and federal criminal law. Intellectual property is dealt with in the Digital Millennium Copyright Act (DMCA), and we’ve written about that over the years here on Hackaday.
Section 230, then, provides a very strong defense to service providers facing prosecution at the state level. This was done intentionally, as state law can vary so wildly from state to state. Internet business is fundamentally different from a brick-and-mortar establishment, and section 230 protects online services from the whims of each state.
There is an important point to make here: Even without section 230 protections, a service provider could intentionally operate as a distributor rather than a publisher. We’ll return to this idea later.
The next chapter in the section 230 story is Backpage. Originally started as an internet classifieds section, Backpage quickly became ground zero for a showdown over section 230. Backpage was a lawless place, with users openly advertising prostitution and other related services. Some of the worst stories include kidnapping and slavery and forcing minors into prostitution.
Several states brought cases against Backpage for knowingly allowing advertisements for illegal services, many times involving human trafficking and underage prostitutes. Section 230 was a large part of their successful defense against these cases. Backpage was finally shut down through two separate efforts. The first was state courts ruling that Backpage “materially contributed to the content of the advertisement[s]”, which goes further than the protected editorial activities set out in section 230. Backpage executives pleaded guilty to “conspiracy to facilitate prostitution.”
The second effort was a federal case that accused Backpage of interstate prostitution crimes. The interstate nature of the case placed the jurisdiction squarely in federal hands, and since it related to federal criminal law, section 230 didn’t apply.
The Backpage situation led Congress to revisit the section 230 question in 2017, and the “Stop Enabling Sex Traffickers Act” (SESTA) was the result. SESTA introduces a new “carve-out” to section 230. Under SESTA, section 230 no longer protects a service from state criminal prosecution if the prosecution is targeting an offense that is also illegal under certain federal laws. SESTA was opposed by Internet freedom groups like the EFF as well as libertarian voices.
It’s not hard to see the downside to SESTA: A website with more traffic than moderators will struggle to keep up with the additional moderation burden. In theory, a malicious campaign could flood a moderated service with illegal content, and any such content that wasn’t moderated could be used in a criminal or civil complaint.
On the other hand, this was already the case under section 230, but with the additional limitation that it had to be a federal criminal case. SESTA opened these cases to state level prosecution and civil cases. (This extra liability is currently being challenged in the courts on constitutional grounds.)
Now that the pertinent history has been covered, we can finally discuss EARN IT, the bill currently under consideration in Congress. Before we cover the concerns raised by interested parties, let’s look at the text of the bill itself. First, the National Commission on Online Child Sexual Exploitation Prevention, a 19 member standing commission, is established. Three members of that commission come from federal agencies: The Department of Justice, Homeland Security, and the Federal Trade Commission each send one representative. The other 16 are chosen by the majority and minority leaders of the Senate and House. The representatives appointed by Congress have further listed qualifications, ranging from law enforcement to consumer privacy. The intent here seems to be to get a wide range of opinions represented on the commission.
This commission is tasked with developing and maintaining a set of “best practices” aimed at combating online exploitation. Of interest here is that at least 14 of those 19 members must approve the final guidelines in order for them to become official recommendations. Once a guideline is agreed upon, a bill is to be introduced in both the House and Senate. Only once both bodies have voted the best practices into law are they in effect.
So far the bill seems reasonable. We rightly complain when politicians demonstrate their poor understanding of technology and the Internet, particularly when the legislation they produce is odorous or nonsensical as a result. A panel of experts writing best practices could be a welcome change. On the other hand, the makeup of that panel is very much slanted towards law enforcement and government representatives. More security and privacy experts would have been welcome.
The enforcement of EARN IT is where the potential problem lies. Section 6. “Earning Immunity” adds another carve-out to section 230 immunity. This is very similar to the text of SESTA, in that civil cases and State criminal cases are exemptions to the 230 protection, if the claim or charges are a violation of the federal law regarding sexual exploitation of minors.
Only if a service provider certifies that they are in compliance with the published best-practices will they still enjoy section 230 immunity as it applies to child exploitation. This is where the concerns from the EFF and others come into play. Based on existing statements from current US Attorney General William Barr, many have concluded that the best-practices document will include provisions for encryption back-doors, among other bad ideas.
Some of the criticisms of the bill are based on the draft version of the bill. The current text of the bill is significantly better than the draft, specifically because the House and Senate must first ratify any guidelines before they become binding.
One of the most dire predictions I’ve seen related to EARN IT is that it will be the death of end-to-end encryption in commercial services. I am hard pressed to think of an example where end-to-end encryption could be used with a service that would also include editorial actions. As mentioned above, Section 230 isn’t required to allow a messaging service to act as a distributor instead of a publisher. Based on existing case law, Telegram and Signal should have nothing to worry about.
I was prepared to join the chorus of voices bashing EARN IT. Hopefully a more nuanced examination of the history and issues surrounding the bill has been enlightening. I would like to go on record on one issue: I am categorically opposed to the forced inclusion of encryption backdoors. If this bill passes and the “best-practices” document that emerges afterwards includes such a provision, I’ll help lead the charge to shoot it down.
The biggest ramification of SESTA and EARN IT is the additional civil liability it presents. It remains to be seen how that change will play out in civil cases — it may put smaller companies and non-profits out of business due to legal costs alone. Due to that liability, many services will implement the published guidelines, and it’s likely that some of those guidelines will have negative consequences. That said, it’s this author’s opinion that the fevered warnings about EARN IT are rather unearned at this point.
Editor’s Note from Elliot Williams
We don’t all share Jonathan’s optimistic views on the yet-undisclosed requirements that these “best practices” rules will contain. Perhaps the actual content of the law should be hammered out first? After public pressure, the act was re-written to require ratification of the best practices by Congress, but it’s still hard to tell right now what anyone is approving, and to me it still looks like a Trojan horse.
While I can’t deny that the legislation has improved since the first draft, or argue much with Jonathan’s strict reading of the law, without being able to read the “best practices” now, we can only look to the intentions of the bill’s sponsors and the structure of the drafting commission. The 19-body commission is stacked with groups that are in favor of irresponsibly weakening encryption, having tried to pass such legislation in the past, and failed.
And even if the commission were strong on protecting encryption, with Attorney General Barr holding a veto on the commission’s recommendations, it’s hard to imagine that “best practices” could emerge from the commission that don’t address his long-standing goal of introducing backdoors, under the guise of requiring editorial oversight. The best possible version of the law will never make it to Congress for approval. If we’re lucky, Congress will strike down the bad bits, but we don’t want to have to count on getting lucky.
In my opinion, if anyone has to earn the trust of the American people on encryption and privacy, it’s those behind the EARN IT legislation. And by obscuring what will eventually become the actual content of the law, I do not think they have. Democracy rests on transparency. The “best practices”, being part of the law, should be established before the law is voted on.
But that’s part of why we’re bringing this up. Please get yourselves educated, discuss in the comments, and write letters to your Congresspeople if you feel motivated. Thanks to Jonathan for writing a great backgrounder.