Whatever Problem EARN IT Is Trying To Solve, It Doesn't

from the that-seems-like-a-problem dept

I've already talked about the potential 1st Amendment problems with the EARN IT Act and the potential 4th Amendment problems with it as well. But a recent post by Riana Pfefferkorn at Stanford raises an even bigger issue in all of this: what actual problem is EARN IT trying to solve?

This sounds like a simple question with a potentially simple answer, but the reality, once you start to dig in, suggests that either (1) the backers of EARN IT don't actually know, or (2) if they do know, they know what they actually want is unconstitutional.

Supporters of EARN IT will say, simply, the problem they're trying to solve is the prevalence of child sexual abuse material (CSAM) online. And, that is a real problem (unlike some other moral panics, CSAM is a legitimate, large, and extraordinarily serious problem). But... CSAM is already very, very illegal. So, if you dig in a little further, supporters of EARN IT will say that the problem they're really trying to solve is that... internet companies don't take CSAM seriously enough. But, the law (18 USC 2258A already has pretty strict requirements for websites to report any CSAM they find to NCMEC (the National Center for Missing & Exploited Children) -- and they do. NCMEC reported that it received almost 21.4 million reports of CSAM from websites. Ironically, many supporters of EARN IT point to these numbers as proof that the websites aren't doing enough, while also saying it proves they don't have any incentive to report -- which makes no sense at all.

So... is the problem that those 21.4 million reports didn't result in the DOJ prosecuting enough abusers? If so... isn't the problem somewhere between NCMEC and the DOJ? Because the DOJ can already prosecute for CSAM and Section 230 doesn't get in the way of that (it does not immunize against federal criminal law). And, as Riana noted in her article, this very same Senate Committee just recently heard about how the FBI actually knew about an actual serial child sex abuser named Larry Nasser, and turned a blind eye.

And, if NCMEC is the problem (namely in that it can't process the reports fast enough), then this bill doesn't help at all there either, because the bill doesn't give NCMEC any more funding. And, if the senators are correct that this bill would increase the reports to NCMEC (though it's not clear why that would work), wouldn't that just make it even more difficult for NCMEC to sort through the reports and alert law enforcement?

So... is the problem that companies aren't reporting enough CSAM? If you read the sponsors' myths and facts document, they make this claim -- but, again, the law (with really serious penalties) already requires them to report any CSAM. Taking away Section 230 protections won't change that. Reading between the lines of the "myths and facts" document, they seem to really be saying that the problem is that not every internet service proactively scans every bit of content, but as we've discussed that can't be the problem, because if that is the problem, EARN IT has a massive 4th Amendment problem that will enable actual child sex abusers to suppress evidence!

Basically, if you look step by step through the potential problems that supporters of the bill claim it tries to solve, you immediately realize it doesn't actually solve any of them. And, for nearly all of the potential problems, it seems like there's a much more efficient and effective solution which EARN IT does not do. Riana's post has a handy dandy table walking down each of these paths, but I wanted to make it even clearer, and felt that a table isn't the best way to walk through this. So here is her chart, rewritten (all credit to her brilliant work):

If online services don't report CSAM in violation of 2258A, and the real problem is large-scale, widespread, pervasive noncompliance by numerous providers that knowingly host CSAM without removing or reporting it (NOT just occasional isolated incidents), then there's a very long list of potential remedies:

• Conduct a congressional investigation to determine the extent of the problem
• Hold a hearing to ask DOJ why it has never once brought a 2258A prosecution
• DOJ prosecutes all those providers for illegally hosting CSAM under 2252A as well as violating 2258A’s reporting requirements
• Amend 2258A(e) to increase penalties for noncompliance
• Amend Dodd-Frank to include 2258A compliance in corporate disclosure requirements (akin to Form SD)
• Encourage FTC investigation of noncompliant companies for unfair or deceptive business practices
• Encourage private plaintiffs to file securities-fraud class actions against publicly-traded providers for misleading investors by secretly violating federal reporting duties

If that's the actual problem (which supporters imply, but when you try to get them to say it outright they hem and haw and won't admit it), then it seems like any of the above list would actually be helpful here. And the real question we should be asking is why hasn't the DOJ done anything here?

But what does EARN IT actually do?

• Amend Section 230 instead of enforcing existing law
• Don’t demand that DOJ explain why they aren’t doing their job

Okay, so maybe the supporters will say (as they sometimes admit) that most web sites out there actually do report CSAM under 2258A, but there are still some providers who don't report it and these are occasional, isolated instances of failure to report by multiple providers, OR repeated failure to report by a particular rogue provider (NOT a large-scale problem across the whole tech industry). If anything, that seems more probably than the first version, which doesn't seem to be reported by any facts. However, here again, there are a bunch of tools in the regulator's tool box to deal with this problem:

• Conduct a congressional investigation to determine the extent of the problem
• Hold a hearing to ask DOJ why it has never once brought a 2258A prosecution
• DOJ prosecutes those isolated violations or the particular rogue provider

Again, what it comes down to in this scenario is that the DOJ is not doing it's job. The law is on the books, and the penalties can be pretty stiff (first failure to report is $150,000 and each subsequent failure is another $300,000). If it's true that providers are not doing enough here, such penalties would add up to quite a lot and the question again should be why isn't the DOJ enforcing the law?

But instead of exploring that, here's what EARN IT actually does:

• Amend Section 230 instead of enforcing existing law
• Don’t demand that DOJ explain why they aren’t doing their job

Okay, so next up, Riana points out that maybe it's possible that the DOJ does regular investigations of websites failing to report CSAM in violation of 2258A, but those investigations are consistently resolved without charges or fines and do not become public. Then, there's a pretty simple option for Congress:

• Hold hearings to have DOJ explain why their investigations never result in charges

But, instead, here's what Congress is doing with EARN IT (stop me if you've heard this one before):

• Amend Section 230 instead of enforcing existing law
• Don’t demand that DOJ explain why they aren’t doing their job

Okay, okay, so maybe the reality is that the DOJ does in fact criminally prosecute websites for 2258A violations, but the reason there is no public record of any such prosecution ever is that all such court records are under seal. This would be... odd, first of all, given that the DOJ loves to publicize prosecutions, especially over CSAM. But, again, here's what Congress could do:

• Tell DOJ to move for courts to unseal all sealed records in 2258A cases
• Require DOJ to report data on all 2258A prosecutions since 2258A’s enactment
• Amend 2258A to require regular reporting to Congress by DOJ of enforcement statistics
• Investigate whether providers (especially publicly-traded ones) kept 2258A fines a secret

But, instead, here's what EARN IT does:

• Amend Section 230 instead of enforcing existing law
• Don’t demand that DOJ reveal to Congress its 2258A enforcement details

So, maybe the real problem is simply that the DOJ seems to be ignoring any effort to enforce violations of 2258A. If that's the case, Congress has tools in its toolbox:

• Hold a hearing to ask DOJ why it has never once brought a 2258A prosecution
• Amend 2258A by adding a private right of action so that victims can do the work that DOJ isn’t doing

Instead, EARN IT...

• Amend Section 230 instead of enforcing existing law
• Don’t demand that DOJ explain why they aren’t doing their job

So... that's basically all the possible permutations if the problem is -- as some supporters claim repeatedly -- that companies are regularly violating 2258A and not reporting CSAM that they find. And, in almost every case, the real questions then should be why isn't the DOJ enforcing the law? And there are lots of ways that Congress should deal with that. But EARN IT does literally none of them.

About the only thing that supporters of EARN IT have claimed in response to this point is that, because EARN IT allows for state AGs and civil suits, it is "adding more cops to the beat" to take on failures to report under 2258A. But... that's kinda weird. Because wouldn't it make a hell of a lot more sense to first find out why the existing cops don't bother? Because no one has done that. And, worse, when it comes to the civil suits, this response basically means "the DOJ doesn't care to help victims of CSAM, so we're leaving it up to them to take matters into their own hands." And that doesn't seem like a reasonable solution no matter how you look at it.

If anything, it looks like Congress putting the burden for the DOJ's perpetual failings... on the victims of CSAM. Yikes!

Of course, there are other possible problems here as well, and Riana details them in the chart. In these cases, the problems aren't with failure to report CSAM, but elsewhere in the process. So... if websites do properly report CSAM to NCMEC's CyberTipline, perhaps the problem is that CSAM isn’t being taken down promptly enough or reported to NCMEC “as soon as reasonably possible” as required by 2258A(a)(1)(A)(i).

Well, then, as Riana notes, there are a few things Congress could do:

• Debate whether to insert a firm timeframe into 2258A(a)(1)(A)(i)
• Hold a hearing to ask ICS providers of various sizes why delays happen and whether a specific timeframe is feasible

Instead, what EARN IT actually does is...

• Amend Section 230

Okay, so if companies are reporting to NCMEC in compliance with 2258A, perhaps the problem is the volume of reports is so high that NCMEC is overwhelmed.

Well, then, the possible solutions from Congress would seem to be:

• Hold a hearing to ask NCMEC what it would take to process all the reports they already get
• Appropriate those additional resources to NCMEC

But, what EARN IT does is...

• Amend Section 230 to induce providers to make even more reports NCMEC can’t keep up with
• Give zero additional resources to NCMEC

Okay, so maybe the websites do properly report CSAM to NCMEC, and NCMEC is able to properly alert the DOJ to the CSAM such that the DOJ should be able to go prosecute the actual abusers, but the DOJ doesn’t act on the reports providers make, and doesn’t make its own mandatory reports to Congress about internet crimes against children. That would be horrifying, but again, it would seem like there's a pretty clear course of action for Congress:

• Order GAO to conduct a study on what happens to CyberTips passed by NCMEC to DOJ
• Hold a hearing to ask DOJ why it isn’t acting on tips or filing its required reports
• Appropriate additional resources to DOJ

All of those would help, if this is the problem, but instead, here's what EARN IT actually does:

• Earmark $1 million for IT improvements
• Don’t demand that DOJ explain why they aren’t doing their job

You might sense a pattern here.

And finally, perhaps websites do report CSAM in compliance with 2258A to NCMEC's CyberTipline, and maybe NCMEC does relay important information to the DOJ... and horrifyingly, perhaps federal law enforcement is failing child sex abuse victims just as the FBI turned a blind eye to Larry Nassar’s abuse of dozens of child gymnasts for years.

Well, then it seems fairly obvious what Congress should do:

• Hold a hearing on the FBI’s failure to protect children (this did happen in September 2021)

But here's what EARN IT does in that situation:

• Amend Section 230, effectively delegating enforcement for child sexual abuse to states and victims themselves

As Riana summarizes:

No matter what the problem with online CSAM is, EARN IT isn’t going to fix it. It’s only going to make things worse, both for child victims and for everyone who uses the internet. The truth about EARN IT is that either there isn’t a serious noncompliance problem among providers that’s pervasive enough to merit a new law, but Congress just can’t resist using Section 230 as a political punching bag to harm all internet users in the name of sticking it to Big Tech… or there is a problem, but the DOJ is asleep at the wheel – and EARN IT is a concession that Congress no longer expects them to do their jobs.

Either option should be shameful and embarrassing for the bill’s supporters to admit. Instead, this horrible legislation, if it passes, will be hailed as a bipartisan victory that shows Congress can still come together across the aisle to get things done. Apparently, harming Americans’ rights online while making CSAM prosecutions harder is something both parties can agree on, even in an election year.

So, whatever problem the backers of EARN IT think they're solving for, EARN IT doesn't do it. That seems like it should be a big fucking deal. But, instead of responding to these points, the sponsors claim that people highlighting this "don't care about CSAM."

Filed Under: 2258a, csam, doj, earn it, encryption, fbi, reporting, surveillance
Companies: ncmec