EARN What? How lawmakers continue to miss the mark with Section 230

By: Alvaro Maranon

Last month, the Department of Justice held a workshop on Section 230 of the Communications Decency Act [“Section 230”]. Attorney General Bill Bar’s opening remarks highlighted a myriad of talking points that continue to act as the basis for changing Section 230. In this speech, AG Barr argued how Section 230 is responsible for, among others: shielding criminals and bad actors; and enabling internet services to block access to law enforcement officials, even with a court-authorized warrant. Although the speech contained a far more exhaustive list of concerns, they all rally behind the call for reforming Section 230.

This speech was not superficial. It illustrates the reemergence of the government’s anti-encryption campaign. More recently, members of the “Five Eyes” (Australia, Canada, United Kingdom, United States, and New Zealand) have adopted or signaled to adopt overly-broad and expansive anti-encryption legislation. Whether it’s the United Kingdom’s “Ghost Protocol” proposal or Australia’s “Assistance and Access Bill of 2018,” each legislation represents a targeted effort to weaken encryption. 

Now, Senators Graham and Blumenthal are seeking to codify these concerns with their bill titled the “EARN IT Act.” Despite the bill explicitly stating its focus is on combatting child sexual abuse material [“CSAM”], it is much more than that. The proposal amends Section 230 by removing a service providers’ liability shield in civil and state criminal suits over CSAM and exploitation-related material unless the newly created commission certifies them.

The commission would be directed by AG Barr and they would unilaterally determine what best practices each company would need to comply with to “earn” their liability shield. Moreover, the bill includes no oversight language nor any meaningful check on this expansive discretionary power. Thus, given the recent anti-encryption rhetoric, this power will very likely be used to weaken end-to-end encryption (E2E) and impose the frequently sought after but highly illusory backdoor requirement. Attempts to create a “law enforcement only” backdoor, creating a purposeful vulnerability in encryption that would permit an official to have easy access to the encrypted data, is not only impossible but dangerous. Once this weakness is created, nothing guarantees that this master key(s) to all the encrypted accounts can only be used by the good guys. Criminals will not only seek to discover this weakness, but will successfully steal it from law enforcement. The devastating WannaCry ransomware embodied this danger when it crippled devices in over 150 countries causing an estimated $4 billion in losses, after a hacking group had breached the NSA’s Vault7

In an era where the digital economy continues to grow, and threat vectors continue to evolve, encryption needs to be strengthened. These legislative proposals epitomize a near-sighted approach that will fail to account for a plethora of foreseeable consequences. Section 230 and strong encryption have yielded endless economic benefits for individuals and the economy. Encryption strengthens domestic markets and economies by fostering consumer trust in e-commerce. And despite these successes, their true benefit to society has been how they have given a voice to the voiceless: 

  • Encryption empowers journalists, activists, and political dissidents to speak and think freely in times of oppression and xenophobia.
  • Encryption helps oust corruption and other government malfeasance by protecting whistleblowers and activists who seek to reveal scandals and controversies. 

To be clear, combatting CSAM and other heinous crimes should always be welcomed and encouraged. More support is needed in the efforts against similar crimes such as cyberstalking and revenge porn. If lawmakers sincerely sought to address this issue, then they would consult with experts rather than needlessly rush harmful legislation as was seen with SESTA. The Cyber Civil Rights Initiative, headed by a board of fantastic advisors and professionals, is one of many excellent groups that can contribute to the drafting of comprehensive and effective solutions. 

Although critics of Section 230 may have some valid concerns, the aforementioned rationales for wanting to change this law are all based upon false pretexts. The same red herrings were reiterated during the recent Senate Committee on the Judiciary’s hearing on the EARN IT Act. Instead of dismantling Section 230, which has helped foster a rich online community of diversity and enabled ingenious start-ups to prosper like Go-Fund-Me, lawmakers should seek out ways to incentivize internet services to take down more harmful content. 

This isn’t a zero-sum game between law enforcement and tech companies. A critical look at the harms mentioned by AG Barr can reveal how feasible and practical cooperation can be, rather than adversarial, which is often pitched as the only approach for tech private-public efforts. Each of Barr’s claims will be shown to be ultimately unnecessary given the ample alternatives demonstrating otherwise. 

Shielding Criminals 

“No Effect on Criminal Law”- the language of Section 230 is clear. 

Unlike most legislation, Section 230 is quite short and unambiguous, and even carries the nickname of “The Twenty-Six Words That Created The Internet.” Despite this lack of ambiguity, lawmakers continue to purposefully warp its effect and purpose. The bill’s congressional findings and policy indicate an intent that the liability shield would not undermine the enforcement of criminal laws nor the prosecution of sex trafficking crimes. Even with this clear language, AG Barr continues to claim that Section 230 enabled criminals and bad actors to evade punishment. This is far from the truth and the takedown of Backpage.com showcases this. 

At first glance, the domain seizure of Backpage.com appeared to be a success story, given the mass proliferation of truly awful and despicable content on its site. But, a subsequent investigative report revealed that Backpage had not only had taken numerous steps to curb these activities but were a powerful ally in the fight against sex trafficking. The DOJ even described Backpage as being “remarkably responsive to law enforcement requests and often takes proactive steps to assist in investigations.” From developing content-moderation practices that filtered out certain search terms to retaining a former sex-crime and child abuse prosecutor to help craft a holistic safety program, Backpage did not act like they were above the law. 

While takedowns of such sites do offer some solace and remedy to victims of these crimes, these bad actors and criminals will only migrate to other less-visited, and possibly less-cooperative, platforms. The sad truth is that CSAM and other related materials will continue to be widespread, with technology companies reporting “a record 45 million online photos and videos of the abuse last year.” Congress should not only authorize additional funding for these efforts, especially given how they consistently fail to fully approve previously authorized funding for state and regional investigations, but seriously investigate what tools and research can help both the private and public sector combat this problem more effectively.  

Blocking Access to Law Enforcement

“This bill says nothing about encryption.” Senator Blumenthal actively sought to shut-down this narrative at the Senate hearing last week. Numerous experts in this field have denounced this claim and articulated how it could be used to impose ad-hoc carve out exceptions to encryption. Please read any of the following excellent pieces on this subject: Riana Pfefferkorn, Electronic Frontier Foundation, TechFreedom, NetChoice

Although the backdoor issue warrants an entire discussion in and of itself, the misleading justification for which law enforcement relies upon deserves scrutiny. Many of the pretexts have painted an environment where law enforcement is helpless against technology companies in the fight against crime. From encryption creating impenetrable barriers to nullifying the power of a warrant, each fear is far from a reality. In fact, it is the failures of law enforcement that often result in stand-offs and the compounding of problems in investigations. A key CSIS report assessed the challenges and opportunities law enforcement faces as they seek to access and use digital evidence. It found that although encryption does pose a challenge in digital evidence gathering, it is far from the problem. The biggest reported difficulty was their “inability to effectively identify which service providers have access to relevant data.” Moreover, officials often reported going to the wrong ISP, having little to no training in data requests, and an overall lack of funding. 

Cooperation is possible. Creating a comprehensive approach to digital evidence can help lift the burden for both service providers and law enforcement. Narrowing warrant requests can incentivize more cooperation, as service providers will be more comfortable in the sharing of specific information about their users. Narrowing warrant requests can prevent officials from being burdened with large amounts of information that may run afoul to the particularity requirement and the holdings from Carpenter v. United States

These incentives can also easily be applied to harmful content takedowns. Following the mass shootings in Texas and Ohio last year, Cloudfare cut their ties with the notorious 8chan by no longer offering them their essential DDOS protection service. More recently, Facebook, Twitter, YouTube, and other social media giants announced a coordinated update to their policies to flag conspiracy theories about coronavirus and other misinformation. Section 230 encouraged companies to act proactively, and they continue to do so. 

While attacking Section 230 is an easy cop-out, efforts should be put elsewhere. In a time where some legislators continue to lecture private companies about their duty to the public, despite some officials mocking serious issues, their focus should be on supporting Good Samaritans. In the end, Cloudflare’s response to 8chan should represent the norm, not the outlier, in the approach of combating harmful speech.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: