DOJ's Latest Ideas For Section 230 Reform Dumber Than Even I Expected

from the what-the-actual-fuck,-guys? dept

Ever since the DOJ started attacking Section 230 of the Communications Decency Act, it was obvious that it was simply a ploy to attack big tech companies that are (unfairly) seen as being "anti-conservative." Remember, that Section 230 explicitly exempts federal crimes -- the kind of law enforcement the DOJ is engaged in. That is, there is literally nothing in Section 230 stopping the DOJ from doing its job. But as Barr and the DOJ continued to attack 230, it also became clear that this was going to be a wedge issue he could use to undermine encryption -- encryption that keeps us all safe.

Last month, the DOJ hosted a "workshop" regarding Section 230, and again Barr and the DOJ's agenda became quite clear. For all the talk of "dangers" to children online, the DOJ ignored the fact that it has failed to abide by Congressional mandates regarding fighting child sexual exploitation, and Congress itself has failed to fund programs it has put forth to deal with the issue.

At the DOJ's 230 hearing, plenty of speakers highlighted why messing with 230 would create all sorts of problems. Unsurprisingly, the DOJ has ignored all of that, and sent out Deputy Attorney General Jeffrey Rosen to pitch four changes to Section 230, each one dumber and more counterproductive than even I had expected. The speech starts out with a misleading history of antitrust law -- the other big tool in the DOJ's toolbox to whack at internet companies -- and then gets to 230. If I have a chance I may get back to Rosen's antitrust discussion, but to keep this post from getting too long, we'll just focus on the 230 argument (ignoring the fact that evidence shows that 230 increases competition, rather than diminishes it).

Shifting gears just a little, as we focus on market-leading online platforms, there is another major issue that has come to the forefront: Section 230 of the Communications Decency Act of 1996. Section 230 has played a role in both the good and the bad of the online world. It has no doubt contributed to new offerings and growth online. At the same time, as DOJ is the agency tasked with protecting the American public through enforcing the law, we are concerned that Section 230 is also enabling some harm.

"Some harm" carries a lot of weight here. Lots of things "enable some harm." Not all of them require massive structural changes. After giving some background on 230 and why it's been useful, he then turns to "the dark side."

But there is a dark side, too. To say the least, the online world has changed a lot in the 25 years since the original drafting of Section 230. The Internet is no longer made up of the rudimentary bulletin boards and chat rooms of AOL, CompuServe, and Prodigy, but instead, it is now a vital and ever-present aspect of both personal and professional modern lives. Indeed, it is now quaint to think of the likes of CompuServe hosting online comments. Instead, major online platforms now actively match us with news stories and friends and, whether by algorithm or otherwise, effectively choose much of what our children see, and enable a seemingly limitless number of people to connect with us or with our children. And platforms are often themselves speakers and publishers of their own content, and not mere forums for others to communicate.

It's not that quaint. Many sites -- such as this one -- still rely on 230 daily. And when platforms are speakers and publishers of their own content, that content is not covered by 230. So it's not clear why that matters.

Now, a quarter century after its enactment, there also is recognition that Section 230 immunity has not always been a force for good, particularly in light of some of the extraordinarily broad interpretation given to it by some courts. For example, platforms have been used to connect predators with vulnerable children, to facilitate terrorist activity, and as a tool for extreme online harassment.

And, again, the DOJ has failed to prosecute many of those situations in which that violated federal laws. That's not on 230, that's on the DOJ. It also leaves out that 230 is what allows platforms to put in place programs to protect children, remove terrorist activity, and block "extreme online harassment. Rather than point that out, Rosen falsely suggests that 230 is to blame for it, rather than the reason it can be blocked.

The drafters of Section 230 might be surprised by this development. Remember, Section 230 was but one provision in the much larger Communications Decency Act of 1996. As its name suggests, the primary aim of the Communications Decency Act was to promote decency on the Internet and to create a safe environment for children online.

The drafters -- Chris Cox and Ron Wyden -- are both still with us. And both of them have made it clear in recent days that, no, they are not "surprised by this development." As for why 230 was a part of the Communications Decency Act, well, Rosen should read Jeff Kosseff's book. The CDA was a separate act, and 230 was attached to it by Cox and Wyden to enable platforms to have that moderation capability so that they could moderate, since without it, following the ruling in the Stratton Oakmont v. Prodigy case, moderation would have been effectively impossible.

As it turned out, the Supreme Court rejected most of the Communications Decency Act on First Amendment grounds. The most significant piece that survived was Section 230. But rather than furthering the purposes of its underlying bill, some scholars have argued that Section 230 has instead immunized platforms “where they (1) knew about users’ illegal activity, deliberately refused to remove it, and ensured that those responsible could not be identified; (2) solicited users to engage in tortious and illegal activity; and (3) designed their sites to enhance the visibility of illegal activity and to ensure that the perpetrators could not be identified and caught.”

Those scholars are wrong. Nearly every major platforms works hard to remove such content -- and, again, if it violates federal law, nothing has ever stopped the DOJ from enforcing the law.

To address these concerns and the others that have been raised, we see at least four areas that are potentially ripe for engagement. First, as a threshold matter, it would seem relatively uncontroversial that there should be no special statutory immunity for websites that purposefully enable illegality and harm to children. Nor does someone appear to be a “Good Samaritan” if they set up their services in a way that makes it impossible for law enforcement to enforce criminal laws. In these particular situations, why should not the website or platform have to defend and justify the reasonableness of their conduct on the merits just like businesses operating outside the virtual world?

This is the most disingenuous bit in the whole discussion. Rosen and the DOJ are obnoxiously linking two separate issues into a misleading "but think of the children" argument. Separately, the word "purposefully" is carrying a lot of water in this paragraph as well -- especially since the EARN IT act does not say "purposefully" but rather has a "reckless" standard (which is already probably unconstitutional). The second half of the paragraph, about the "Good Samaritan" part is a direct attack on encryption -- basically saying that if you offer end-to-end encrypted services, you should lose 230 protections. This is bizarre and stupid at the same time.

First, messaging communication services rarely need 230 protections anyway, since those communications are private, between users. There's no moderation issues in the first place. Second, framing encryption that keeps everyone safe as setting up a service to make "it impossible for law enforcement to enforce criminal laws" is super misleading. Encryption protects us all, and law enforcement has a ton of other tools to do their jobs. The problem is that the DOJ hasn't used those tools and now just wants to whack tech companies.

Finally, the last line is utter bullshit. It's framed in a manner to suggest that companies offering end-to-end encryption are no different than those (never actually identified) platforms who "purposefully enable illegality and harm to children" and then saying they should have to "justify the reasonableness of their conduct." You shouldn't have to justify protecting your users from getting hacked. It's self-evident to everyone but this DOJ.

Next, Rosen tries to get around the fact that the DOJ has failed to actually do its job by still blaming 230... because it's blocking civil cases.

Second, the Department of Justice is also concerned about Section 230’s impacts on our law enforcement function, and the law enforcement efforts of our partners throughout the executive branch. In our discussions with scholars and members of the public on this topic, many are surprised to learn that Section 230 is increasingly being claimed as a defense against the federal government in civil actions. To be clear, Section 230 has a carve-out for certain federal criminal enforcement. But not all problems can be solved by federal criminal law. Federal civil actions play a very important role in their own right. The increasing invocation of Section 230 in federal civil enforcement actions often goes beyond the purpose of the Communications Decency Act, and can undermine the goals of 230 itself.

Can he point to an actual example of useful, reasonable, non-crazy civil actions blocked by 230? Because the very fact that he doesn't give any examples should give you that answer. 230 protects against frivolous ambulance chasing civil suits -- the kind we're already seeing from the last time we amended 230 -- and not legitimate lawsuits.

Third, we are concerned about expansions of Section 230 into areas that have little connection to the statute’s original purpose. As I mentioned earlier, the core of Section 230 concerns defamation and other speech-related torts. And for good reason: The restaurant review platform, for example, has no idea whether the user is right when he says the soup was cold or when she says the service was poor. Nor does the social media site have any idea whether the nosy neighbor’s online comments about the new person down the block are true or not. Civil immunity from tort litigation for online platforms in these instances makes some sense. The alternative would be a quasi-heckler’s veto, where the restaurant or neighbor could complain about the comments, and the platform would be forced to take them down for fear of civil liability.

But some websites have tried to transform Section 230 into an all-purpose immunity for claims that are far removed from speech. For example, some platforms have argued that Section 230 permits them to circumvent or ignore city ordinances on licensing of rental properties. While these types of arguments have not always succeeded, they demonstrate the potentially overbroad scope that some advocates have given the immunity.

This is a misleading summary of a complex issue. What's at issue is whether or not a service like Airbnb can be held liable for user listings on the site. But user listings are speech. Cities have every right to go after those actually posting the listings -- since they're the ones breaking the law. But many cities are trying to go after Airbnb directly, since it's easier to go after just one player.

And here's the big thing that Rosen absolutely leaves out: so far Airbnb has been losing in court. So for all his concerns that 230 is being used "beyond" what it should cover, the courts have already shut that aspect down (in my view, the courts have gone too far, in fact).

Fourth, we are concerned about the extent to which platforms have expanded the use of Section 230 to immunize taking down content beyond the types listed in the statute. Under the Good Samaritan provision, platforms have the ability to remove content that they have a “good faith” belief is “obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable.” We are told that some platforms treat this provision as a blank check, ignoring the “good faith” requirement and relying on the broad term “otherwise objectionable” as carte blanche to selectively remove anything from websites for other reasons and still claim immunity.

Perhaps there needs to be a more clear definition of “good faith,” and the vague term “otherwise objectionable” should be reconsidered. Of course, platforms can choose whether or not to remove any content on their websites. But should they automatically be granted full statutory immunity for removing lawful speech and given carte blanche as a censor if the content that is not “obscene, lewd, lascivious, filthy, excessively violent, or harassing” under the statute?

If the attack on encryption is the most ridiculous, this part is the most frivolous. First of all, having the government determine whether or not moderation choices are made in "good faith" or if they fit outside of "obscene, lewd, lascivious, filthy, excessively violent, or harassing" under the statute would almost certainly violate the 1st Amendment. Second, the removal of "otherwise objectionable" would create a massive problem for online moderation, and would, in fact bring back the "extreme online harassment" he was complaining about just a few paragraphs earlier.

Of course, we all know what is being dog-whistled in this prong: he wants to penalize platforms for "anti-conservative bias" and push for some nonsensical, impossible "neutral" standard for platforms who want 230 protections. But just the fact that this would wipe out the ability to block harassment, while at the same time he's complaining about harassment should show you how brain dead and backwards this proposal is.

This is not a serious proposal, but in this time and place, with the DOJ's backing, it has as serious chance of being put into law. It would devastate large parts of the internet, but that seems like collateral damage for a DOJ who is not focused on what's actually best for society and the economy, but rather what's best for itself.

Filed Under: cda 230, doj, encryption, intermediary liability, jeffrey rosen, section 230, william barr

Deputy Attorney General Rosen: Companies Like Facebook Are Making Everyone Less Safe By Offering Encryption

from the 'for-the-children'-beats-out-'because-terrorism' dept

The federal government's anti-encryption push is starting to turn into a really weird movement. Yanking pages from the FOSTA playbook, Attorney General William Barr threw an anti-encryption party featuring him, FBI Director Chris Wray, Deputy AG Jeffrey Rosen, and some overseas critics of secure communications.

It was full of loaded language, beginning with the conference's name:

Lawless Spaces: Warrant-Proof Encryption and Its Impact On Child Exploitation Cases

This is how the DOJ and FBI are going to play this game: the specter of exploited children vs. secure communications for millions of Facebook users. Facebook is definitely the target. This conference -- which featured zero tech experts or encryption advocates -- was preceded by the announcement of a data-sharing agreement between the US and UK government that namechecked Facebook's Messenger and WhatsApp.

It was also preceded by Attorney General William Barr's letter to Facebook, asking it to drop its plans to add end-to-end encryption to Messenger. The letter, signed by the participants in this one-sided conference, said the addition of encryption -- without some form of "lawful access" -- would result in massive amounts of undetectable child exploitation.

Now that William Barr has said his piece, the floor has been opened up to DOJ Deputy Attorney General Jeffrey Rosen. Rosen's pitch isn't all that different from the one Barr laid out in his open letter to Facebook. But Rosen does add a bit more color to his in the form of questionable analogies.

Outside the digital world, none of us would accept the proposition that grown-ups should be permitted to mingle in closed rooms with children they don’t know in order to groom them for sexual exploitation. Neither would we ever accept the idea that a person should be allowed to keep a hoard of child sexual abuse material from the scrutiny of the justice system when all of society’s traditional procedures for protecting the person’s privacy, like the Fourth Amendment’s warrant requirement, have been satisfied. But in the digital world, that is increasingly the situation in which we find ourselves.

First off, no one finds the propositions Rosen offers acceptable -- not the digital variety nor the real-world version. However, both versions still happen, with or without "lawful access." It's not that the DOJ and FBI shouldn't go after child exploiters. It's that pretending that undermining encryption will cause "lawless spaces" to cease to exist isn't an honest approach.

To be fair, Rosen isn't saying exactly that. But what he's pitching is encryption backdoors that will result in millions of insecure communications for millions of people. The potential for harm is immeasurable. But we -- and our service providers -- should apparently be willing to take that risk so law enforcement has easier access to these communications. That's the trade-off being demanded, even if Rosen, Barr, etc. aren't intellectually honest enough to use those exact words.

The intellectual dishonesty continues with Rosen's refusal to call backdoors "backdoors."

I am not for a moment suggesting that we should “weaken” encryption. As we confront the problem of “warrant-proof” encryption, nobody is calling for secret “back doors” to communications systems, even though that is often how the issue is misreported. As FBI Director Wray said this morning, law enforcement seeks a front door — that is, access through a transparent and publicly acknowledged system, and only once we have secured the authorization of a court. And we don’t want the keys to that door. The companies that develop these platforms should keep the keys, maintaining their users’ trust by providing access to content only when a judge has ordered it.

If you put an entrance anywhere, the building is compromised. A hole in a wall, floor, roof, wherever, is still a hole. It doesn't matter who holds the keys. The keys exist and can be copied or misplaced. Law enforcement may need a warrant, but criminals and state actors only need access to the key. Dressing it up as an escrow system doesn't magically make this problem go away.

Rosen is calling for more than backdoors. Using another emotional argument, Rosen appears to saying the government should be allowed to eavesdrop on encrypted communications.

Every day, companies like AT&T, Verizon, and Sprint provide law enforcement with targeted lawful access to the content of phone communications in ways that promote public safety — but only after the government has complied with the rigorous requirements of the law, and a judge has authorized access. Why should internet technology companies operate under different rules? For a young girl who is being trafficked for sex, it makes no difference whether her tormenters are communicating via traditional voice calls over a cell phone, or via an encrypted internet app. But it makes a huge difference to the investigators trying to find her, as they can gather the first category of electronic evidence, but not the second. From a policy point of view, it doesn’t make any sense.

The example Rosen uses is wiretaps. The FBI would definitely like to be the unseen party to any number of conversations, especially now that most of them don't take place over the phone. With this, Rosen is asking for more than unencrypted access to data at rest. He's asking for a "non-backdoor" that allows investigators to intercept communications. This increases the complexity of the government's demands and the insecurity of the targeted app's users.

Rosen says 70% of 16 million child sexual abuse reports Facebook made last year originated from its Messenger service. Once end-to-end encryption is applied, these messages will no longer be visible to Facebook, in addition to being less accessible to law enforcement. He compares the millions of Facebook reports to the very limited number produced by Apple, which has provided end-to-end encryption for a few years now. Apple has forwarded a little over 200 tips over the last three years. As Rosen conjectures, it can't simply be because no child abusers use iPhones.

Rosen isn't wrong. Encryption will result in far fewer reports, if Facebook can't scan messages for child porn. But he's completely wrong in his portrayal of the trade-offs being made.

Some companies have completely favored the privacy of their users over the safety of their users.

This isn't about privacy, even though there is definitely a net privacy gain. It's about security, something even the government realizes is essential for electronic communications. But the government wants less security for everyone, in exchange for an unknown quantity of law enforcement "wins." Rosen actually says users are "safer" when their communications providers scan communications for illicit content -- an argument few outside the FBI and DOJ would make. Rosen is spinning this from the viewpoint of law enforcement riding to the rescue of victimized children. But it won't just be the FBI making use of backdoors or intercepted communications. It will also be governments who treat criticism and dissent as crimes, which definitely makes things less safe for millions of people around the world.

Rosen closes with this last bit of intellectual dishonesty:

If we are to move to a world where even judge-approved search warrants become useless to the protection of exploited children, and to public safety more broadly, our country needs an open discussion of the costs some such technology platforms will be imposing on all of us. If our efforts to make the virtual world more secure leave us more vulnerable in the physical world, that decision should be an informed one.

But Rosen and the agencies he's speaking for don't want an "informed" decision. They've spent years blowing off experts who say what they want will result in less security and safety for users, as well as pointing out the impossibility of creating a "secure" backdoor. You only need to look at the speaker list for this event to see the DOJ and FBI aren't interested in being informed. When the only people being asked for opinions are those who think undermining encryption is a necessity, you're going to come to the conclusion that undermining encryption is a necessity.

Filed Under: doj, encryption, going dark, jeffrey rosen, security
Companies: facebook