EARN IT Act Finally Introduced; Five Eyes Announce Voluntary Principles to Counter Online Child Sexual Exploitation and Abuse; Senate Judiciary Holds Hearing

Cybersecurity, data security, privacy, Technology 10 Minutes

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 here.

Senate Judiciary Committee Chair Lindsey Graham (R-SC), Ranking Member Dianne Feinstein (D-CA), and Senators Richard Blumenthal (D-CT), Josh Hawley (R-MO) formally introduced legislation they floated earlier this year that could potentially result in the liability shield enjoyed by technology being removed. Critics claim the legislation is an attempt to force technology companies to either give up end-to-end encryption or build in backdoors to encryption that will ultimately compromised. If enacted, the EARN IT Act would represent a second piece of legislation to change Section 230 of the Communications Decency Act in the last two years with enactment of “Allow States and Victims to Fight Online Sex Trafficking Act of 2017” (P.L. 115-164).

The “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020” (EARN IT Act of 2020) (S.3398) would establish a National Commission on Online Child Sexual Exploitation Prevention (Commission) that would design and recommend voluntary “best practices” applicable to technology companies such as Google, Facebook, and many others to address “the online sexual exploitation of children.” The Department of Justice (DOJ) would name the chair of the Commission and the Department of Homeland Security (DHS) and Federal Trade Commission (FTC) would each name one member of the Commission with the Speaker of the House, House Minority Leader, Senate Majority Leader and Senate Minority Leader each being able to appoint four members each. The Commission would submit its best practices to the Attorney General within 18 months of being convened, and if approved by DOJ, with the concurrence of DHS and the FTC, would publish these voluntary standards. Moreover, the EARN IT Act contains language allowing for the fast track consideration under which Congress could codify these practices, and thereafter technology companies subject to these standards would need to submit annual certifications that it “has a reasonable basis to conclude that review does not reveal any material non-compliance with the requirements of the best practices.” If a technology knowingly submits a false certification, then the company and the responsible executives and employees would face criminal liability, including fines and imprisonment. The bill would remove the liability shield under Section 230 of the Communications Decency Act with respect to state child exploitation laws unless companies either certify compliance with either the Commission’s best practices or those enacted by Congress or through the use of alternative reasonable measures.

In their press release, Graham, Feinstein, Blumenthal, and Hawley asserted:

The EARN IT Act is supported by more than 70 groups, survivors and stakeholders, including the National Center for Missing & Exploited Children (NCMEC), Rights4Girls, and the National Center on Sexual Exploitation.

Background on the EARN IT Act:

  • In July 2019, the Senate Judiciary Committee held a hearing titled, “Protecting Innocence in a Digital World”.
  • Later in 2019, the New York Times published a series of investigative reports, describing the rapid increase of child sexual abuse material on prominent online platforms. This is a threat that has not received a consistent and forceful response from the tech industry.
    • Reports of suspected child sexual abuse material to the NCMEC CyberTipline have exploded since its inception. For example, over the past five years, reports increased from 1.1 million in 2014 to 16.9 million covering 69.1 million photos, videos, and files in 2019.   
  • Section 230 of the Communications Decency Act gives “interactive computer services” significant immunity from civil liability, as well as state criminal liability for third party content on their platforms.  Sadly, given this limited liability, many companies do not aggressively go after online child sexual exploitation.

Among those opposed to the bill are:

  • Johns Hopkins University Associate Professor Matthew Green argued the EARN IT Act “represents a sophisticated and direct governmental attack on the right of Americans to communicate privately…[and] I can’t stress how dangerous this bill is, though others have tried.”
  • The Electronic Frontier Foundation (EFF) asserted of the bill that “its supporters’ strategy is clear. Because they didn’t put the word “encryption” in the bill, they’re going to insist it doesn’t affect encryption….It’s true that the bill’s authors avoided using that word. But they did propose legislation that enables an all-out assault on encryption.”
  • The Center for Internet and Society at Stanford Law School claimed the EARN IT Act “aims to kneecap encryption under the guise of protecting children online, while capitalizing on the techlash and the current unpopularity of Section 230 of the Communications Decency Act.”

The EARN IT Act was introduced the same day the Departments of Justice (DOJ) and Homeland Security (DHS) announced the release of the Voluntary Principles to Counter Online Child Sexual Exploitation and Abuse developed in conjunction with the governments of Australia, Canada, New Zealand, and the United Kingdom. DOJ and DHS claimed in their press release that

The voluntary principles provide a common and consistent framework to guide the digital industry in its efforts to combat the proliferation of online child exploitation.  The voluntary principles cover the following themes:

  • Prevent child sexual abuse material;
  • Target online grooming and preparatory behavior;
  • Target livestreaming;
  • Prevent searches of child sexual abuse material from surfacing;
  • Adopt a specialized approach for children;
  • Consider victim/survivor-led mechanisms; and
  • Collaborate and respond to evolving threats.

DOJ and DHS added

  • These voluntary principles are built on existing industry efforts to combat these crimes.  Some leading companies have dedicated significant resources to develop and deploy tools in the fight to protect children online and to detect, disrupt and identify offenders.  Although significant progress has been made, there is much more to be done to strengthen existing efforts and enhance collective action.
  • These principles are intended to have sufficient flexibility to ensure effective implementation by industry actors.  Some companies have already implemented measures similar to those outlined in these principles.  Regardless of whether or not a company chooses to adopt these principles, existing laws and regulations in relevant jurisdictions continue to apply to all companies.  Nothing in these principles overrides or is contrary to the need for companies to comply with the law.

These voluntary principles on online child abuse and exploitation are of a piece with previous efforts by the DOJ and Attorney General William Barr to pressure technology companies to provide greater technical assistance to defeat end-to-end encryption.

A week later, at a hearing, the Senate Judiciary Committee looked at the EARN IT Act with Graham and Blumenthal making opening statements of their bill. Many of the Members expressed support for the legislation or its goals and argued that large technology companies have simply not been doing enough to combat online child exploitation.

National Center for Missing & Exploited Children (NCMEC) Vice President John Shehan stated

The EARN It Act is a child protection bill that addresses many of the gaps identified by NCMEC in this written testimony regarding current efforts to combat the proliferation of child sexual abuse and exploitative material online, including:

(1) lack of adoption of consistent practices and technology across the tech industry to combat the problem;

(2) failure of companies to implement best practices across all of their platforms and services;

(3) reliance on wholly voluntary measures to protect children from being enticed/groomed online for sexual abuse and to prevent images of their rape and sexual abuse from circulating online;

(4) absence of incentives for ESPs to invest and engage in best practices to keep children safer online; and

(5) denial of a child victim’s right to his or her day in court against all parties, including tech companies, that have recklessly contributed to the child’s revictimization when sexually abusive images are recirculated online.

The EARN It Act addresses each of these gaps, shortcomings, and inconsistencies.

Match Group Chief Legal Officer & Secretary Jared Sine explained

  • Match Group takes the privacy of our users seriously, which is why we have developed a privacy framework that meets the standards of the GDPR—and all are brands are required to meet or exceed these standards. Like all internet companies, we grapple with the same inherent tensions that exist between privacy and security.
  • We believe that these issues are not mutually exclusive, especially when it comes to our support of the EARN IT Act. There are technological solutions to balance safety for our children and privacy, and we need to work to enable the Commission and develop those solutions. That is the point of the Commission—its ability to collaborate to solve these issues, taking into account the ecosystem, its needs, and the rights of its users and providers to drive a solution that works for everyone.
  • We also believe that Section 230 has been a critical part of the internet’s rise and success and must be kept strong and vibrant. However, we do not believe that companies who do nothing to stop child exploitation should receive the benefit and trust that Section 230 has long granted them.
  • This legislation acknowledges the importance of Section 230 to privacy, free speech, and so many other rights that we hold dear, while rightfully recognizing that online platforms must do more. The bill also creates a collaborative framework for setting standards across the internet ecosystem that will help tech companies fulfil their moral and societal obligation to protecting our kids online.
  • We do not take our support for this proposal lightly. We recognize how important it is to strike the right balance between privacy and security. But we believe the proposed legislation has the ability to do just that: by balancing those needs of safety and privacy through collaboration. As part of the standard setting process, the Commission established by the EARN IT Act must be empowered and instructed to take these tensions into account.
  • Match Group strongly supports the Commission included in this proposal for the very reason that it provides a forum for bringing law enforcement, industry, and technical experts together to create commonsense rules of the road that will not just level the playing field for technology companies but also incentivize investing in—and enforcing—online safety. Not only do we support this legislation, but we’d also like to offer suggestions to make it even stronger. We share your goal of making sure this is done in a way that does not stifle innovation but still has teeth, a topic I know Sen. Graham and others have talked about already.

The Catholic University of America Professor of Law Mary G. Leary explained that

  • As Congress contemplates the appropriate limits of Section 230 in the space of child sexual abuse material (CSAM) more generally, particular attention should be paid to this issue and its history. In the current form of the EARN It Act, an interactive computer service can claim a safe harbor from both state enforcement of its criminal laws and civil action through two fairly easily attainable paths. First, it obtains broad immunity if an officer certifies that the provider conducted a thorough review of the implementation and operation of the best practices and he has a “reasonable basis to conclude that review does not reveal any material non-compliance” with the best practices. This should be understood to be a relatively low standard not establishing actual compliance with best practices. This is particularly true given that the best practices will be generated by a commission whose membership largely comes from the tech community or its allies. Such a certification – which notably does not certify the entity is, in fact, in compliance with the practices – will provide the entity immunity from civil suit or state level prosecution. This exclusive protection is sweeping, and yet available to it for a very qualified certification. While the provider does risk prosecution, such a risk is remote as prosecution can only occur if it can be established that the provider knowingly submitted a false certification. The variance between the mens rea necessary for certification (reasonable basis to not believe there is material non- compliance) and that necessary for prosecution (knowingly submitting a false statement) is significant.
  • The second path to immunity is a provider establishing that it has implemented “reasonable measures” to prevent it from being used for the exploitation of minors. This will require a trial court, possibly at a motion to dismiss stage, to determine if the provider was reasonable in its measures. Such an approach risks a similar outcome as with the aforementioned Section 230 sex trafficking caselaw in which courts, unfamiliar with the technology and relying on outdated precedent, arguably expanded Section 230 immunity further than congressionally intended.
  • In such a regime, a victim survivor can attempt to hold a provider responsible for its actions and file a suit with facts and a good faith belief that the provider violated the law, was not in compliance with the practices, and, in fact, did not make a certification in good faith. Yet, by Section 230 immunity being awarded to the provider at such a low standard, the risk exists that the case will be dismissed prior to discovery. Thus, the legal landscape that led to Backpage successfully avoiding liability for several years could be repeated. That is to say an actor could be engaged in activity for which liability is appropriate, but a victim survivor is precluded from proving that case due to the sweeping scope of such immunity available to providers merely by arguing they are reasonable or that they had no reason to believe a material non-compliance occurred.

Internet Association (IA) Deputy General Counsel Elizabeth Banker contended that

IA is concerned that the EARN IT Act would burden, discourage, or even prevent, ongoing efforts by internet companies to keep their platforms safe and to identify and remove abusive content. It also would undermine the efforts of law enforcement, and nongovernmental organizations like NCMEC, to hold bad actors to account and combat child sexual abuse material (CSAM) online.

1. The bill would be vulnerable to Fourth Amendment challenges that could render evidence from platforms’ screening efforts inadmissible, therefore hampering efforts to combat CSAM. Criminal defendants across the United States have filed motions to suppress evidence of child sexual exploitation crimes in the hopes of avoiding conviction.4 The argument that many of these criminal defendants make is that providers, including IA member companies, who proactively detect CSAM and who report it to NCMEC’s CyberTipline, act as “agents of the government” for Fourth Amendment purposes. Under Fourth Amendment jurisprudence, a search performed by an agent of the government is subject to the same requirements as if the government performed the search directly. If a criminal defendant is able to show that the search violated the Fourth Amendment, the exclusionary rule may require that the evidence obtained through the illegal search, and any fruits of the poisonous tree, be excluded at trial.

2. The bill would delegate authority to set important standards to an administrative body. The EARN IT Act would delegate important decisions concerning security, privacy, and free speech on the internet—weighty and complex matters that directly impact hundreds of millions of consumers—to an administrative body that would be composed of members who are not elected representatives and that would operate with little transparency. These critical decisions should not be made through an opaque process; rather, they should be made by Congress directly.

3. The bill would be vulnerable to First Amendment challenges. If the EARN IT Act became law, it would be vulnerable to various First Amendment challenges. IA is concerned that such vulnerabilities create legal jeopardy, significant delays, and other costs and impediments that would inevitably slow the achievement of the goals that everyone engaged in the fight against CSAM is trying to attain.

Published by Michael Kans

An attorney who specializes in technology policy, law, and politics with other areas of expertise.

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s