The EARN IT Act Is a Threat to Privacy, Free Speech, and the Internet Economy

July 10, 2020

(Ed. Note: The “Innovation Fact of the Week” appears as a regular feature in each edition of ITIF’s weekly email newsletter. Sign up today.)

In recent months, Section 230 of the Communications Decency Act, an often misunderstood law that states that online services are not legally responsible for content their users post, has come under Congressional scrutiny. One of these efforts—the controversial Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act—is advancing through Congress despite serious flaws that would threaten online privacy and the freedom of expression and disrupt the Internet economy.

When Sens. Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) first introduced the EARN IT Act in March, the tech industry and privacy and security advocates widely criticized the bill as a backdoor attempt to ban end-to-end encryption, which ensures only the sender and recipient of a message can view its contents. In its initial form, the bill would have required Internet companies to take “reasonable measures” to prevent child exploitation, or risk losing Section 230 protection, making them liable for user-generated content on their platforms. These measures would include abiding by a list of best practices set by a National Commission on Online Child Exploitation Prevention and the Attorney General, a position currently held by William Barr, who has argued against strong encryption because it makes law enforcement’s task of finding and prosecuting online criminals more difficult.

The current version of the EARN IT Act addressed some, but not all, of the initial draft’s issues. First, Sen. Graham introduced a manager's amendment, changing the bill’s effects on Section 230. Rather than revoking Section 230 protection for Internet companies that fail to take “reasonable measures” to prevent child exploitation, the new version of the bill instead adds an exception to Section 230 so Internet companies can be held criminally and civilly liable for violating child exploitation law. This approach is similar to the Allow States and Victims to Fight Online Sex Trafficking Act and Stop Enabling Sex Traffickers Act (FOSTA-SESTA), another amendment to Section 230 passed in 2018 that added an exception for sex trafficking law.

In the committee proceedings, Sen. Patrick Leahy (D-VT) introduced an amendment that separated the EARN IT Act from the issue of encryption. The amendment, which also passed the Judiciary vote, states that “cybersecurity protections,” including end-to-end and other forms of encryption, “do not give rise to liability.” In other words, the National Commission and Attorney General Barr could not declare that companies that use end-to-end encryption or that otherwise cannot decrypt their users’ communications are not following best practices to prevent child exploitation. 

The amended EARN IT Act is an improvement over Graham and Blumenthal’s initial draft, but an exception to Section 230 for child exploitation law is largely unnecessary. Child sexual exploitation is already illegal under federal law, and Section 230 does not exempt companies from following federal law. But the EARN IT Act would allow states to enforce their own child exploitation laws against Internet companies. Not only would this create a patchwork of state laws that Internet companies would have to comply with, it would also allow states to create laws targeting encryption. 

This would expose Internet companies to costly unnecessary litigation that they currently avoid thanks to Section 230’s liability protection. Companies could respond to this in three ways, all of which would be bad for their users. First, they could recoup the costs of litigation by charging consumers for services they currently provide for free. Second, they could stop providing their services altogether; this is exactly what happened to some websites after the passage of FOSTA-SESTA. Third, they could take a much stricter approach to content moderation and engage in censorship to keep their platforms free of any even potentially objectionable content—such as deleting any video that appears to contain an image of a child at the beach or in a swimming pool.

By allowing states to enforce their own stricter laws, the EARN IT Act would also permit any state to undermine online privacy. Federal law only holds companies accountable for “knowingly” violating child exploitation law. If an Internet company knows about child sexual exploitation on its platform and fails to act, the federal government currently can hold it liable. But some stricter state laws hold companies accountable for “recklessly” failing to inspect their users’ content for child sexual abuse material. This higher standard would require companies to inspect all their users’ data and communications, including personal emails, video conference calls, and more. And since Internet companies have users in all 50 states, they will likely just comply with the state with the strictest law. If Congress wants to require companies to inspect all unencrypted user data it can, but such a significant shift in policy should not be left to one state to decide for the rest of the nation.

Graham and Leahy’s amendments were much needed improvements, but even in its current state, the EARN IT Act still contains glaring problems and would incentivize problematic behavior by Internet companies. Online child exploitation is a serious problem that Congress should continue to investigate and law enforcement should continue to prosecute, but Congress should look for options that do not limit free speech and privacy or unnecessarily expose Internet companies to expensive lawsuits.