An amended version of America’s controversial proposed EARN IT Act has been unanimously approved by the Senate Judiciary Committee – a key step in its journey to becoming law. This follows a series of changes and compromises that appear to address critics’ greatest concerns while introducing fresh problems.
The draft legislation [PDF] is nominally supposed to help rid the web of child sexual abuse material (CSAM) by altering Section 230 of the Communications Decency Act, which strongly shields websites and apps, like Facebook and Twitter, from liability regardless of whatever their users share on those platforms, plus or minus some caveats. The proposed law rather ignored the fact that Section 230 already doesn’t protect internet giants if their netizens upload illegal content, though.
Initial drafts of the law also contained two proposals that raised serious concerns from a broad range of groups and organizations. Firstly, the creation of a new 19-person committee that would be led by the Attorney General and dominated by law enforcement which would create content rules that tech companies would have to follow to retain legal protections. Secondly, and the suggestion that has security folks up in arms, is that those rules could require tech companies to provide Feds-only access to encrypted communications.
The idea is that companies would have to “earn” their legal shield – hence the name of the bill, EARN IT – by following the best practices created by the committee.
Following significant pushback on those points, the Judiciary Committee made changes aimed at gaining the full approval of all its members. In the now-OK’d version of the bill, the commission, called the National Commission on Online Child Sexual Exploitation Prevention, would still create its rules but it would be “voluntary” for online platforms to follow them. Instead, if tech companies did follow the commission’s rules, it “would be a defense in any civil suit,” said committee chair Lindsay Graham (R-SC).
Concerns over the law being used to force tech companies to introduce encryption backdoors led to an amendment [PDF], put forward by Senator Patrick Leahy (D-VT), that stated online platforms won’t face civil or criminal liability if they are unable to break end-to-end encryption in their own services.
Taken together, the amendments are intended to attract wide congressional support for the bill, and pave the way to open up Section 230. And in this instance, it worked, with the committee green-lighting the revised version by 22-0 votes on Thursday, allowing it to progress a little further toward the statute books.
However, privacy advocates and tech titans, as well as some lawmakers, remain strongly opposed to the law. For one, the proposed commission will not be made up of elected officials, and will still be able to create rules that do not need congressional approval, putting an extraordinary amount of censorship power into the hands of very few people with limited accountability.
While the revised version steps away from creating a federal standard that will apply across the country, the revised EARN IT Act will instead empower individual states to introduce their own rules. That could well result in the same impact critics warned about in the earlier drafts: that websites and apps would be obliged to add backdoors into their encrypted services after all.
Section 230 authors despair of Trump, Barr, Biden, US Congress’ aggressive ignorance of critical tech law
If forced to remove end-to-end encryption in some states, it is very likely software makers would simply remove it entirely rather than try to provide different versions of the same product depending on where users were located. In effect, it would be a backdoor bill through the backdoor. Or communications providers could simply kill off those services altogether.
The Electronic Frontier Foundation (EFF) warned: “It will only take one state to inspire a wave of prosecutions and lawsuits against online platforms. And just as some federal law enforcement agencies have declared they’re opposed to encryption, so have some state and local police.”
A letter [PDF] signed by 15 civil society organizations, including The App Association, Center for Democracy & Technology, Freedom House, Association of Criminal Defense Lawyers, the Open Technology Institute, and The Internet Society, sent to the two heads of the Judiciary Committee after the changes were introduced, was also critical.
“The manager’s amendment would effectively make the EARN IT Act into an entirely different bill,” it noted, adding: “Most worrisome, the new language would amend Section 230 to exclude state civil and criminal laws from its protection… If a state law makes it illegal to negligently or recklessly transport CSAM, interactive computer services will likely be unable to host user-generated content at all.
“Worse, the new language potentially allows for state lawmakers to target important user-privacy features like end-to-end encryption. By excluding violations of state laws from the protections of Section 230, courts may make rulings that undermine the use of end-to-end encryption.”
It asked the committee to “postpone the markup so that interested parties can examine the proposed amendments in more detail, and work with the Committee to address potential concerns.” But the Senate committee didn’t heed the request, and OK’d the revised bill instead, sending it to the Senate as a whole for review.
The Internet Association, which represents much of the tech industry, was particularly critical, with its government affairs director Mike Lemon saying in a statement: “This bill will not help achieve our shared goal and instead will create a harmful lack of coherence in state laws involving CSAM. The lack of clear federal standards would impede providers from their continued work to tackle this issue.”
Much of lawmakers’ defense of the bill is based around Section 230, which has become a focal point for those keen to rein in technology giants. Meanwhile, the section’s authors have warned it appears to be poorly understood by those who seek to change it.
The top Democrat on the Senate committee, Dianne Feinstein (D-CA), said: “I think it’s important to remember that Congress created Section 230 as a privilege. It’s not a constitutional right.”
And Senator Ted Cruz (R-TX) said that the law “ought to be a warning sign to Big Tech that there is a strong, if not overwhelming, bipartisan concern with Big Tech, and that Section 230 in particular will not serve as an unbreakable shield for all time.” ®