Keep an eye on the EARN IT Act

Path: i2pn2.org!.POSTED!not-for-mail
From: AnonUser@rslight.i2p (AnonUser)
Newsgroups: rocksolid.shared.security
Subject: Keep an eye on the EARN IT Act
Date: Sun, 22 Mar 2020 11:35:02 -0000 (UTC)
Organization: Rocksolid Light
Message-ID: <9c3ab2e7740229f71ff335d2561f6a30$1@rslight.i2p>
 by: AnonUser - Sun, 22 Mar 2020 11:35 UTC

Governments know how to get what they want: just "think of the children!"

As the UK representative said, “Encryption remains the elephant in the room.”

https://cyberlaw.stanford.edu/blog/2020/03/earn-it-act-here-surprise-it%E2%80%99s-still-bad-news

The EARN IT Act Is Here. Surprise, It’s Still Bad News.

By Riana Pfefferkorn on March 5, 2020 at 8:17 pm

Well, the dreaded day has come: the EARN IT Act was formally introduced today in the Senate Judiciary Committee. I wrote at length in January about the bill, which aims to kneecap encryption under the guise of protecting children online, while capitalizing on the techlash and the current unpopularity of Section 230 of the Communications Decency Act. As introduced, the bill is up to nine co-sponsors total, from the original two (Sens. Graham and Blumenthal).

This version of the bill is different from the version that I blogged about in January, and also from the intermediate version that Eric Goldman blogged about last month. I've attached a PDF to this blog post of the version as introduced. (Scroll down, it's there at the bottom!) Here’s the Senate Judiciary Committee’s press release (which, maddeningly, does not link to bill text, at least as of the time I wrote this). Here’s coverage from the New York Times, whose reporting last fall is credited for helping inspire the bill. Here’s a Wired story that quotes me.

I have some observations on how the bill as introduced has changed from the version I blogged about in January. You’ll want to read that blog post before this one, as this post assumes the reader’s familiarity with the initial January version of the bill. And, as in that blog post, I can’t hope to touch on even half of what’s going on in this bill. It’s still a sprawling mess that would take a roomful of lawyers and policy wonks, with many different kinds of expertise, to issue-spot everything that’s weird or problematic with it.

First, a round-up of responses from civil society:

ACLU & Americans for Prosperity
Center for Democracy and Technology
Open Technology Institute
TechFreedom
Free Press
Disruptive Competition Project (DisCo)
NetChoice

Now, here goes:

This version of the bill is twice the length of the previous version. Most of that is due to a new Section 7 at the end of the bill, which will replace the outmoded and disfavored term “child pornography” everywhere it occurs in federal law and replace it with “child sexual abuse material,” to have the same legal meaning. (The bill spells out all of those instances in federal law, hence the length.)
While I am on board with getting rid of the term “child pornography,” it bears remembering that the “best practices” the bill contemplates go beyond images. CSAM is only a subset of the problem at hand. The bill now calls for best practices for fighting “the online sexual exploitation of children, including the enticement, grooming, sex trafficking, and sexual abuse of children and the proliferation of online child sexual abuse material.”
(That’s a long list, so throughout this blog post, I’m going to refer to all of those things as “CSAM” for the sake of convenience.)
It’s an improvement that the bill is now being a bit more specific; the original bill referred to “online child exploitation conduct,” without saying what that meant, though it seemed to differentiate between “child exploitation” and “child sexual abuse.”
CSAM, enticement, grooming, sex trafficking, and sexual abuse are all different problems with different mitigation strategies that providers could deploy. Because these categories don’t just involve images, any best practices risk overbreadth and could result in the censorship of legal speech (like FOSTA has -- which, by the way, already covers sex trafficking; it’s unclear how this bill interacts with it).
Even my saying “just images” oversimplifies the problem facing both the Commission (in drafting best practices) and providers (in implementing them). Think child sexual abuse imagery is a bright-line, clear-cut thing, both for First Amendment purposes and for detection/reporting purposes? Nope. It’s not.
The Commission is up to 19 members from the original 15.
Still includes the AG and the heads of DHS and the FTC.
It now has 2 members with “current experience in matters related to constitutional law, consumer protection, or privacy.” This is an increase from 0 in the original version. So we’ve got that going for us, which is nice. But that “or” means the Commission could end up with 2 consumer-protection people who are experts in, I don’t know, car seat safety, who know nothing about privacy or the Constitution. What’s to stop that from happening?
The Commission still has 2 members who are experts in computer science, but the exact wording has become more specific: previously, it called for current experience in “computer science or software engineering”; now, it’s “computer science or software engineering related to matters of cryptography, data security, or artificial intelligence in a non-governmental capacity.”
This is the only place in the bill where cryptography comes up. By requiring a cryptography expert, this version of the bill basically confirms what we all knew to be true from the start: The “best practices” are going to target encryption. And again, that “or” in “cryptography, data security, or AI” means that the Commission could end up including zero cryptography experts.
The original bill called for 2 members to have “experience in providing victims services for victims of child exploitation”; the bill as introduced allots 4 members who shall either have that experience (“in a non-governmental capacity”) or “be survivors of online child sexual exploitation.” This is fascinating. I am strongly against so much about the EARN IT Act, but expressly reserving seats at the table for survivors (well, modulo that “or” again) is remarkable.
That said, all of the foregoing is basically window dressing: The best practices require only 14 of the 19 members’ approval. That means the Commission can completely ignore the 4 experts in privacy, constitutional law, and computer science, or the 4 survivors and child-abuse experts, and the best practices will still go onward into the hands of the Attorney General.

The bill no longer gives unilateral power to the AG to write the “best practices” himself. Instead, after the Commission submits the recommended best practices to him, the AG, “upon agreement with” the heads of DHS and the FTC, shall either approve or deny them.
If approved, the best practices are published on the DOJ website and the Federal Register and submitted to Congress. If denied, the AG has to write up why he denied them. Then, the Commission gets a do-over: it “may resubmit recommended best practices.”
In other words: even though he no longer gets to rewrite the best practices at will, the AG still has thumbs-up/thumbs-down power over them (so long as the FTC and DHS heads agree). He -- along with the heads of FTC and DHS -- is also on the Commission. Why would the remaining members of the Commission ever bother writing any best practices that won’t please AG Barr? He still basically gets to dictate what the best practices say, because if they write some he doesn’t like, he can just deny them and make them resubmit revised versions that are more to his liking. And since AG Barr despises encryption (and because, as said, the 14-of-19 requirement means all the members who are experts in privacy, cryptography, and data security can be totally ignored), of course the best practices will go after encryption.
The bill has been rewritten in what appears to be an attempt to avoid the serious procedural defects present in the original leaked version.
The original version unconstitutionally delegated ultimate power to the Attorney General to decide what the “best practices” would be (and allowed him to rewrite whatever the unelected Commission recommended), sidestepping the usual regulatory rulemaking procedures or congressional review. It wasn’t a law, it wasn’t an agency rulemaking, it was a set of “best practices” that just happened to also have the force of law because not following them would open providers up to liability and oh also maybe land one of their executives in prison.
Now, the bill contains a process for the recommended best practices, after approval by the Attorney General, to be put into a “covered bill” in Congress (which must contain all of the best practices, not only some of them) and fast-tracked to a vote in each house of Congress.
Do not pass Go, do not collect $200, do not do all the usual things that would otherwise pose inconvenient democratic speed-bumps to the swift passage of a bad bill. A lot of the bill is devoted to spelling out exactly how the best practices will get to sidestep the usual Schoolhouse Rock stuff. The determination to get around normal congressional procedure is itself a huge red flag.
I’m not a legislative analyst, and the language is confusing to me, but I think the upshot of all this is that the “best practices” would get passed into an actual law enacted by Congress.
This has echoes of the CLOUD Act, which gives Congress the opportunity to disapprove of an executive agreement under the Act that the U.S. enters into with another country. But as with CLOUD, I expect that this process is just a rubber-stamp by Congress, particularly given the fast-tracking provisions that do away with the usual legislative processes. That is: the “best practices” are still pretty much up to the AG to determine.
Despite the attempt to fix it, the bill still seems to have nondelegation-doctrine and Administrative Procedure Act problems, as TechFreedom explains here.
If these "best practices" are now going to be codified into federal legislation, that might (might) address the bizarre nondelegation/administrative procedure issues with the original -- but it opens up a host of other problems.
The rewrite leaves the bill even more vulnerable to challenges on First and Fourth Amendment grounds.
Codifying “best practices” for online content means congressionally-required rules governing speech on the Internet. That just opens up a whole can of First Amendment worms, as Project DisCo describes.
The bill contains the following “rule of construction”: “Nothing in this Act or the amendments made by this Act shall be construed to require a provider of an interactive computer service to search, screen, or scan for instances of online child sexual exploitation.” That rule of construction is clearly aimed at trying to fix EARN IT’s “state actor” problem under the Fourth Amendment, but it might not be enough. TechFreedom did a great write-up of the Fourth Amendment issue so I don’t have to.
And if those “best practices” are indeed codified into federal law, then, as I’ve said before, the best practices would conflict directly with CALEA to the extent that they involve encryption or law enforcement access to communications. But the bill still doesn’t even acknowledge that CALEA has any bearing on this bill.

