Members of Congress have mounted a major threat to your freedom of speech and privacy online. Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) recently introduced a bill that would undermine key protections for Internet speech in U.S. law. It would also expose providers of the private messaging services we all rely on to serious legal risk, potentially forcing them to undermine their tools’ security.
The so-called EARN IT Act (S. 3398) is an attack on speech, security, and innovation. Congress must reject it.
Stop the Graham-Blumenthal Bill
The bill deals with the very serious issue of child exploitation online, but it offers no meaningful solutions. It doesn’t help organizations that support victims. It doesn’t equip law enforcement agencies with resources to investigate claims of child exploitation or training in how to use online platforms to catch perpetrators. Rather, the bill’s authors have shrewdly used defending children as the pretense for an attack on our free speech and security online.
Make no mistake: the EARN IT Act is a vehicle to undermine end-to-end encryption.
The EARN IT Act would create a “National Commission on Online Child Sexual Exploitation Prevention” tasked with developing “best practices” for owners of Internet platforms to “prevent, reduce, and respond” to child exploitation online. But far from mere recommendations, those “best practices” would essentially become legal requirements: if a platform failed to adhere to them, it would lose essential legal protections for free speech.
Once the Commission completed its recommendations, the Attorney General, the Secretary of Homeland Security, and the Chair of the Federal Trade Commission would approve or veto the best practices. If they all agreed, then Congress would have an extremely short timeline to debate the best practices and write them into law without amendments.
The EARN IT Act Would Censor Innocent People
The Graham-Blumenthal bill undermines Section 230, the most important law protecting free speech online. Section 230 enforces the common-sense principle that if you say something illegal online, you should be the one held responsible, not the website or platform where you said it (with some important exceptions).
Section 230 has played a critical role in the development of the modern Internet. Thanks to Section 230, online platforms can allow users to share your thoughts without fear that something they say could cost them millions of dollars or even jail time. In weakening Section 230, Congress risks forcing platforms to kick innocent people off of the Internet entirely—as has already happened with the disastrous consequences of SESTA/FOSTA. When platforms are forced to become more restrictive in what they allow on their sites, marginalized users are disproportionately silenced.
The EARN IT Act would give platforms two choices: either adhere to the Commission’s recommended “best practices” or be ready to convince a judge that it “has implemented reasonable measures” relating to preventing online child exploitation. In practice, that means that if a platform didn’t adhere to the best practices, it would be extremely difficult and costly for an Internet company to have a case relating to child exploitation dismissed under Section 230.
The EARN IT Act doesn’t just undermine Section 230; it also violates the First Amendment rights of both platforms and their users. As EFF explained in a letter to Congress, the EARN IT Act seeks to regulate how platforms manage online speech, yet Internet platforms’ editorial activities are protected from government interference by the First Amendment. Additionally, to pass constitutional scrutiny, a law that regulates the content of speech must be as narrowly tailored as possible to avoid chilling legitimate speech. But the EARN IT Act isn’t narrowly tailored at all: as we explain in our letter, it would inevitably lead platforms to become more restrictive in the types of speech they allow, particularly in their approach to sexual speech, silencing innocent users in the process.
The EARN IT Act Would Undermine Our Security
Make no mistake: the EARN IT Act is a vehicle to undermine end-to-end encryption. Attorney General William Barr has repeatedly blamed encryption for sexual crimes against children. He’s far from the only one: Barr joins a long history of government officials from both parties demanding that encryption providers compromise their users’ security.
Under the EARN IT Act, the Commission would have 19 members, three of which are the Attorney General, the Secretary of Homeland Security, and the Chair of the Federal Trade Commission. The “best practices” would pass first-round voting if 14 out of the 19 commissioners (including the agency heads) approved them. After that vote, the three agency heads would then have the power to unanimously approve the “best practices” for a vote by Congress or reject them.
In other words, any one of the three agency heads could scrap the best practices unilaterally. That structure all but guarantees that the best practices that come before Congress will include a direct attack on our right to communicate privately and securely: one of the government officials could use their veto power to pressure the rest of the Commission to include it.
The bill includes language claiming that the bill won’t be used to “require a provider… to search, screen, or scan” for unlawful material, but that’s a mere fig leaf: it would be trivially easy for the Commission to present “best practices” that don’t explicitly require scanning but are only implementable by scanning (or not offering private messaging at all).
All Roads Lead to Disaster for Internet Users
When a draft version of the Graham-Blumenthal bill leaked in January, EFF stood with a host of experts to explain what a disaster the bill would be for privacy and free speech. We explained that the EARN IT Act represented a major abandonment of Congress’ duties: laws restricting speech online require a careful, transparent lawmaking process. Congress should not offload that duty to an unelected commission, and certainly not an unelected commission stacked with law enforcement surrogates.
The bill’s authors responded by introducing the bill’s new structure, where the Commission recommends best practices, three government officials approve or veto them, and then they’re fast-tracked through Congress. Far from a solution, this convoluted approach underscores the EARN IT Act’s inherent flaw: it lets the Attorney General use the “best practices” as a pretense to advance his own agenda. To understand why, consider how the system would play out in practice.
The platforms would be able to maintain their legal protections so long as they left users out in the cold, making all of us more susceptible to criminals online.
The bill says that two members of the Commission must have “current experience in matters related to constitutional law, consumer protection, or privacy.” But that’s hardly a balance: those two members could easily be outvoted by the rest of the Commission, including law enforcement advocates, representatives from big tech companies, and the three agency heads.
Imagine a scenario in which the Attorney General (or one of the other two government officials) insisted on implementing a “best practice” that undermined encryption (which, as we’ve already discussed, is all but guaranteed). They could easily strong-arm the Commission by vetoing any set of best practices that didn’t include their proposal.
It gets worse. Now suppose that no best practices get approved by Congress, either because of a standoff between government officials and other members of the Commission or because Congress failed to approve them in the short timeline required. That outcome could be the worst of all: if Congress doesn’t approve a “best practices” bill within four years of the time the EARN IT Act passes, then Section 230 protections would be weakened for all online platforms, regardless of what measures they take to curb online child exploitation.
More likely, the Commission would take every step it could to avoid that scenario. In other words, Attorney General Barr would have Internet platforms right where he wants them, ready to compromise their users’ security and privacy in order to avoid serious repercussions, including both civil and criminal liability. The platforms would be able to maintain their legal protections so long as they left users out in the cold, making all of us more susceptible to criminals online.
A Reminder: The EARN IT Act Doesn’t Support Children
As we mentioned when we wrote about the prior version of EARN IT, Section 230 does not exempt online intermediaries from liability for a violation of federal criminal law. If a platform knowingly distributes child exploitation imagery, then the Department of Justice can and must enforce the law. What’s more, if an Internet company finds sexual abuse material on its platform, the law requires it to provide that information to the National Center for Missing and Exploited Children and to cooperate with law enforcement investigations.
EFF and a coalition of organizations recently sent a letter calling on Congress to discard the EARN IT Act and instead focus on measures that would provide support to those working to help children:
While we applaud Congress’ desire to address the sexual exploitation of children online, a more effective way to address that crisis would be to better equip law enforcement agencies to investigate it by adding staffing and funding to more effectively use their current lawful investigative tools. […] Law enforcement agencies in the United States at all levels—federal, state, local and tribal—do not have sufficient personnel or technical resources to investigate and prosecute all of the cases that internet service providers currently refer to the National Center for Missing and Exploited Children (NCMEC). Indeed, we understand that U.S. law enforcement prosecutes only a small fraction of the cases that NCMEC refers to them.
Congress ought to ask the hard questions about why so few NCMEC reports lead to arrests. It ought to consider whether law enforcement agencies need additional training and resources in order to use the Internet to find perpetrators.
In the meantime, Congress must reject the Graham-Blumenthal bill. Undermining our free speech and privacy is not the way to protect children.