On Thursday, February 10, 2022, the Senate Judiciary Committee approved the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act), first introduced in 2020 by Sens. Lindsey Graham, R-SC, and Richard Blumenthal, D-Conn. The EARN IT Act aims to tackle the online proliferation of child sexual abuse material (CSAM) by paring back online service providers’ broad immunity under Section 230 of the Communications Act of 1934. The Act would open up websites and tech platforms to civil lawsuits and state criminal charges for user-created content hosted on their websites.

The EARN IT Act gives state attorneys general the authority to bring civil or criminal lawsuits against service providers “regarding the advertisement, promotion, presentation, distribution, or solicitation of child sexual abuse material.” The Act leaves it up to states to pass legislation imposing civil or criminal liability on providers. This exposes tech companies to a patchwork of different state laws.

As currently written, Section 230 does not protect online service providers from federal criminal prosecution. That means they are already criminally liable for the possession or transmission of CSAM. Companies are also already required to report any CSAM they know about on their servers and can face criminal prosecution for knowingly facilitating the spread of CSAM. But providers are not required to proactively look for CSAM, nor can they be sued by victims whose images are posted by users on their platforms.

The EARN IT Act has drawn criticism by those who caution against the bill’s possible unintended side effects. Chief among those concerns are:

• Digital Security. EARN IT may discourage the use of encryption—technology used to protect sensitive data—by potentially exposing providers to liability for offering it. While the 2022 version of the bill was amended to add a provision to prohibit encryption from being used as the sole justification for lawsuits, evidence of encryption features can still be used against them in court. The bill, if passed, would set up a tension between protecting users’ online privacy and security, and providers’ liability for CSAM. Dozens of civil liberties, digital rights, and big tech groups oppose the bill for these and other reasons.
• Potential Fourth Amendment Implications. States could require providers to monitor all user data on their services and eventually turn that material over to law enforcement. On the face of it, that seems like a laudable goal: helping law enforcement identify and prosecute distributors of CSAM. But doing so could convert providers into government agents, in which case the evidence obtained from those providers could be deemed the fruit of an unconstitutional warrantless search and therefore inadmissible in court.
• Driving Illegal Actors Further Underground. EARN IT could have the unintended effect of driving illegal actors further underground, making cases harder to investigate and prosecute. In 2018, the House bill known as FOSTA (Fight Online Sex Trafficking Act) and the Senate bill SESTA (Stop Enabling Sex Traffickers Act) – other carveouts to Section 230 – created new ways for online service providers to be sued if their users created ads for online prostitution. Though intended to prevent sex trafficking, FOSTA-SESTA has been criticized for driving sex trafficking to offshore websites (beyond the legal arm of the federal government) and the dark web. And so far, there has only been one public criminal case under the law, a federal prosecution of the owner of CityXGuide, a host of online advertisements for prostitution and sex trafficking.

Online service providers may need to enhance detection and reporting of child sexual abuse material, to the extent they have not already. A likely first place for states to act will be in compelling providers to proactively monitor and search out child sexual abuse material. Companies should review and update their child safety policies, including reporting procedures, and demonstrate a concerted effort to conform with industry best practices now, before waiting for legislation to trickle through the states. This should include efforts to actively scan for CSAM on user accounts. Providers should also consider amending and updating their user disclosures and consent policies in anticipation of litigation over Fourth Amendment concerns. Courts have in the past looked to the provider’s terms of service and whether users consented to those terms, in determining whether the user had a reasonable expectation of privacy over images turned over to the government for prosecution.

However, if service providers plan to offer end-to-end encryption on its platforms, this could dramatically hide the amount of CSAM from the providers themselves and law enforcement, and as such is likely to be closely scrutinized. One option is to limit end-to-end encryption to users over the age of 18, which would still allow accounts of minors to be monitored for sexual abuse and exploitation. This may help detect the active enticement of minors but would do little to prevent the proliferation of images among those over 18.

Throughout all of these efforts, companies and users will have to walk a tightrope between the balance of security and privacy. Regardless of what happens with the EARN IT Act, this tension is here to stay, and online service providers will continue to be scrutinized for how they respond.