Whatever Problem EARN IT Is Trying To Solve, It Doesn't
from the that-seems-like-a-problem dept
I've already talked about the potential 1st Amendment problems with the EARN IT Act and the potential 4th Amendment problems with it as well. But a recent post by Riana Pfefferkorn at Stanford raises an even bigger issue in all of this: what actual problem is EARN IT trying to solve?
This sounds like a simple question with a potentially simple answer, but the reality, once you start to dig in, suggests that either (1) the backers of EARN IT don't actually know, or (2) if they do know, they know what they actually want is unconstitutional.
Supporters of EARN IT will say, simply, the problem they're trying to solve is the prevalence of child sexual abuse material (CSAM) online. And, that is a real problem (unlike some other moral panics, CSAM is a legitimate, large, and extraordinarily serious problem). But... CSAM is already very, very illegal. So, if you dig in a little further, supporters of EARN IT will say that the problem they're really trying to solve is that... internet companies don't take CSAM seriously enough. But, the law (18 USC 2258A already has pretty strict requirements for websites to report any CSAM they find to NCMEC (the National Center for Missing & Exploited Children) -- and they do. NCMEC reported that it received almost 21.4 million reports of CSAM from websites. Ironically, many supporters of EARN IT point to these numbers as proof that the websites aren't doing enough, while also saying it proves they don't have any incentive to report -- which makes no sense at all.
So... is the problem that those 21.4 million reports didn't result in the DOJ prosecuting enough abusers? If so... isn't the problem somewhere between NCMEC and the DOJ? Because the DOJ can already prosecute for CSAM and Section 230 doesn't get in the way of that (it does not immunize against federal criminal law). And, as Riana noted in her article, this very same Senate Committee just recently heard about how the FBI actually knew about an actual serial child sex abuser named Larry Nasser, and turned a blind eye.
And, if NCMEC is the problem (namely in that it can't process the reports fast enough), then this bill doesn't help at all there either, because the bill doesn't give NCMEC any more funding. And, if the senators are correct that this bill would increase the reports to NCMEC (though it's not clear why that would work), wouldn't that just make it even more difficult for NCMEC to sort through the reports and alert law enforcement?
So... is the problem that companies aren't reporting enough CSAM? If you read the sponsors' myths and facts document, they make this claim -- but, again, the law (with really serious penalties) already requires them to report any CSAM. Taking away Section 230 protections won't change that. Reading between the lines of the "myths and facts" document, they seem to really be saying that the problem is that not every internet service proactively scans every bit of content, but as we've discussed that can't be the problem, because if that is the problem, EARN IT has a massive 4th Amendment problem that will enable actual child sex abusers to suppress evidence!
Basically, if you look step by step through the potential problems that supporters of the bill claim it tries to solve, you immediately realize it doesn't actually solve any of them. And, for nearly all of the potential problems, it seems like there's a much more efficient and effective solution which EARN IT does not do. Riana's post has a handy dandy table walking down each of these paths, but I wanted to make it even clearer, and felt that a table isn't the best way to walk through this. So here is her chart, rewritten (all credit to her brilliant work):
If online services don't report CSAM in violation of 2258A, and the real problem is large-scale, widespread, pervasive noncompliance by numerous providers that knowingly host CSAM without removing or reporting it (NOT just occasional isolated incidents), then there's a very long list of potential remedies:
- Conduct a congressional investigation to determine the extent of the problem
- Hold a hearing to ask DOJ why it has never once brought a 2258A prosecution
- DOJ prosecutes all those providers for illegally hosting CSAM under 2252A as well as violating 2258A’s reporting requirements
- Amend 2258A(e) to increase penalties for noncompliance
- Amend Dodd-Frank to include 2258A compliance in corporate disclosure requirements (akin to Form SD)
- Encourage FTC investigation of noncompliant companies for unfair or deceptive business practices
- Encourage private plaintiffs to file securities-fraud class actions against publicly-traded providers for misleading investors by secretly violating federal reporting duties
But what does EARN IT actually do?
- Amend Section 230 instead of enforcing existing law
- Don’t demand that DOJ explain why they aren’t doing their job
- Conduct a congressional investigation to determine the extent of the problem
- Hold a hearing to ask DOJ why it has never once brought a 2258A prosecution
- DOJ prosecutes those isolated violations or the particular rogue provider
But instead of exploring that, here's what EARN IT actually does:
- Amend Section 230 instead of enforcing existing law
- Don’t demand that DOJ explain why they aren’t doing their job
- Hold hearings to have DOJ explain why their investigations never result in charges
- Amend Section 230 instead of enforcing existing law
- Don’t demand that DOJ explain why they aren’t doing their job
- Tell DOJ to move for courts to unseal all sealed records in 2258A cases
- Require DOJ to report data on all 2258A prosecutions since 2258A’s enactment
- Amend 2258A to require regular reporting to Congress by DOJ of enforcement statistics
- Investigate whether providers (especially publicly-traded ones) kept 2258A fines a secret
- Amend Section 230 instead of enforcing existing law
- Don’t demand that DOJ reveal to Congress its 2258A enforcement details
- Hold a hearing to ask DOJ why it has never once brought a 2258A prosecution
- Amend 2258A by adding a private right of action so that victims can do the work that DOJ isn’t doing
- Amend Section 230 instead of enforcing existing law
- Don’t demand that DOJ explain why they aren’t doing their job
About the only thing that supporters of EARN IT have claimed in response to this point is that, because EARN IT allows for state AGs and civil suits, it is "adding more cops to the beat" to take on failures to report under 2258A. But... that's kinda weird. Because wouldn't it make a hell of a lot more sense to first find out why the existing cops don't bother? Because no one has done that. And, worse, when it comes to the civil suits, this response basically means "the DOJ doesn't care to help victims of CSAM, so we're leaving it up to them to take matters into their own hands." And that doesn't seem like a reasonable solution no matter how you look at it.
If anything, it looks like Congress putting the burden for the DOJ's perpetual failings... on the victims of CSAM. Yikes!
Of course, there are other possible problems here as well, and Riana details them in the chart. In these cases, the problems aren't with failure to report CSAM, but elsewhere in the process. So... if websites do properly report CSAM to NCMEC's CyberTipline, perhaps the problem is that CSAM isn’t being taken down promptly enough or reported to NCMEC “as soon as reasonably possible” as required by 2258A(a)(1)(A)(i).
Well, then, as Riana notes, there are a few things Congress could do:
- Debate whether to insert a firm timeframe into 2258A(a)(1)(A)(i)
- Hold a hearing to ask ICS providers of various sizes why delays happen and whether a specific timeframe is feasible
- Amend Section 230
Well, then, the possible solutions from Congress would seem to be:
- Hold a hearing to ask NCMEC what it would take to process all the reports they already get
- Appropriate those additional resources to NCMEC
- Amend Section 230 to induce providers to make even more reports NCMEC can’t keep up with
- Give zero additional resources to NCMEC
- Order GAO to conduct a study on what happens to CyberTips passed by NCMEC to DOJ
- Hold a hearing to ask DOJ why it isn’t acting on tips or filing its required reports
- Appropriate additional resources to DOJ
- Earmark $1 million for IT improvements
- Don’t demand that DOJ explain why they aren’t doing their job
And finally, perhaps websites do report CSAM in compliance with 2258A to NCMEC's CyberTipline, and maybe NCMEC does relay important information to the DOJ... and horrifyingly, perhaps federal law enforcement is failing child sex abuse victims just as the FBI turned a blind eye to Larry Nassar’s abuse of dozens of child gymnasts for years.
Well, then it seems fairly obvious what Congress should do:
- Hold a hearing on the FBI’s failure to protect children (this did happen in September 2021)
- Amend Section 230, effectively delegating enforcement for child sexual abuse to states and victims themselves
No matter what the problem with online CSAM is, EARN IT isn’t going to fix it. It’s only going to make things worse, both for child victims and for everyone who uses the internet. The truth about EARN IT is that either there isn’t a serious noncompliance problem among providers that’s pervasive enough to merit a new law, but Congress just can’t resist using Section 230 as a political punching bag to harm all internet users in the name of sticking it to Big Tech… or there is a problem, but the DOJ is asleep at the wheel – and EARN IT is a concession that Congress no longer expects them to do their jobs.
Either option should be shameful and embarrassing for the bill’s supporters to admit. Instead, this horrible legislation, if it passes, will be hailed as a bipartisan victory that shows Congress can still come together across the aisle to get things done. Apparently, harming Americans’ rights online while making CSAM prosecutions harder is something both parties can agree on, even in an election year.
So, whatever problem the backers of EARN IT think they're solving for, EARN IT doesn't do it. That seems like it should be a big fucking deal. But, instead of responding to these points, the sponsors claim that people highlighting this "don't care about CSAM."
Filed Under: 2258a, csam, doj, earn it, encryption, fbi, reporting, surveillance
Companies: ncmec