A controversial bill to protect kids online just advanced in the Senate. Here’s what you should know

By narrowing Section 230’s scope, the latest bill seeks to create more legal exposure for companies that fail to do enough to remove child sexual abuse material (CSAM). Tech platforms can already face criminal prosecution at the federal level for knowingly facilitating the spread of child pornography, but the legislation goes further, making it possible for states to bring civil and criminal suits on the matter, too.

The bill also seeks to establish a commission, led by federal law enforcement, charged with publishing voluntary best practices for tech platforms on how to combat child pornography. It’s a carrot-and-stick approach that effectively tells websites how they may, as the bill’s name implies, earn their liability protections.

«Our goal is to tell the social media companies, ‘Get involved and stop this crap, and if you don’t take responsibility for what’s on your platform, then Section 230 will not be there for you,’» Sen. Lindsey Graham, a co-author of the bill, said during Thursday’s committee meeting.

Sen. Richard Blumenthal, another co-author, said that in drafting the bill, the Senate Judiciary Committee heard about numerous examples of platforms, including Twitter and Reddit, that allegedly did not act to remove child pornography despite being notified about it. (Twitter declined to comment; a Reddit spokesperson said the company relies on human reviewers and automated tools to detect CSAM and removes any material it finds, as well as the users who post it, from the platform.) Blumenthal also said the bill is backed by 250 law enforcement, child protection and government organizations.

But critics of the legislation say that the standard for what is considered «enough» enforcement is ambiguous in the bill, and opens the door to vast overreach by federal and state governments; internet censorship; and the undermining of encryption technology that is essential for protecting everything from consumer email accounts to sensitive business and military secrets.

The goal for the proposed legislation

The EARN IT Act is part of a broader bipartisan push to rein in tech platforms, joining a slew of bills related to antitrust policy, content moderation or other issues.

On Thursday, the EARN IT Act sailed out of the Senate Judiciary Committee with unanimous support; its next stop is the Senate floor, though several senators on the panel expressed reservations about certain provisions.

Proponents of the bill say it is meant to give victims of digital child pornography — who may have had sexually explicit videos of themselves as minors shared without consent on social media — «a day in court.»

Blumenthal said the legislation gives victims «access to our justice system so that they can create an incentive for these companies to do the right thing.»

He acknowledged that «there is some controversy» surrounding the proposal, but urged his fellow senators to «imagine, for the moment, the most unspeakable, despicable violation of your physical being …. repeated, thousands of times on the internet, for millions of strangers to see with sadistic pleasure — following you through your whole life.»

For many of the bill’s opponents, however, the EARN IT Act is a reminder of how Congress botched its last attempt to use Section 230 as a cudgel against sex crimes.

A history of unintended consequences

In 2018, President Donald Trump signed a bill known as SESTA/FOSTA, which created new ways under Section 230 for websites to be sued if their users created ads for online prostitution. While the law was meant to prevent sex trafficking, numerous reports have highlighted its unintended consequences — driving sex work further underground and making it more dangerous, according to sex workers themselves. A Government Accountability Office report from 2021 found that since its passage, the law has only been invoked once, raising questions about its actual utility.

A similar effect could occur with the EARN IT Act, critics say. A letter Tuesday by dozens of groups including the American Civil Liberties Union, Human Rights Campaign and the Wikimedia Foundation (the organization behind Wikipedia) said the bill could actually result in a lack of accountability for people spreading CSAM online.

If a state law forces websites «to monitor or filter their users’ content so it can be turned over to the government for criminal prosecution, the provider becomes an agent of the government and any CSAM it finds could become the fruit of an unconstitutional warrantless search,» the letter said.

That would render the evidence inadmissible in court, they added, defeating the bill’s purpose and letting abusers go free.

Sen. Mike Lee appeared to share some of the same hesitations with the bill in its current form.

«I’m a little concerned that the current language inadvertently mandates interactive computer services to do for the government what the government itself is prohibited from doing,» he said, «which is engaging in the open-ended policing — the accessing and then recording of private and protected data — without the protections of the law.»

How this bill would change enforcement

Federal law already requires businesses to report CSAM when they find it. In 2020, the National Center for Missing and Exploited Children said it received 20 million such reports from Facebook, more than half a million from Google and more than 96,000 from Microsoft.

Under current law, however, platforms are not obligated to go searching for CSAM — their obligations begin only when they become aware of it.

This is where the EARN IT Act’s broad provisions on state authority come in. The bill gives state attorneys general, for the first time, the authority to bring civil or criminal lawsuits against websites and tech platforms «regarding the advertisement, promotion, presentation, distribution, or solicitation of child sexual abuse material.»

The legislation leaves it up to individual states to set the legal standard by which websites may be judged, an issue that Lee said should raise concerns.

«If a state, let’s say New York, enacted a law saying that any interactive computer service … doesn’t remove CSAM within one hour of it being posted is liable for damages up to $1 million, a church with that type of interactive website could be strictly liable under that New York law,» Lee said — adding that smaller companies might be crushed under a «patchwork quilt» of state laws.

States could also seek to use other legal standards, such as recklessness or negligence, further lowering the bar for litigation, Lee said.

Blumenthal responded that that is a feature of the bill, not a bug.

«As a former state attorney general,» he said, «I welcome states using that flexibility and I would be loath to straitjacket them in their adoption of different standards.»

Why it’s controversial

The EARN IT Act has also faced controversy in its implications for encryption, the technology used by email providers, messaging apps, banks, cloud storage companies and the government itself to protect sensitive data.

The issue has created some strange bedfellows, as digital rights groups that have vocally opposed Big Tech have aligned with technology industry groups to warn that the EARN IT Act could have unintended consequences for digital security.

Law enforcement groups have long argued that encryption makes it easier for criminals to hide their illegal activity, and that tech platforms have a responsibility to cooperate with police to enable access to that data. Technology groups have strongly opposed those calls, saying a move to give even select access to encrypted communications would allow criminals and foreign adversaries to discover how to crack all encryption because all encryption operates on the same principles no matter the context.

In response to concerns that the EARN IT Act could allow government officials to ban encryption, the bill’s co-authors added a provision that prohibits encryption from being used as the sole justification for CSAM lawsuits.

But that won’t be enough, the civil society groups wrote in their Tuesday letter. A platform’s support for encryption could easily be cited in a lawsuit in a guilt-by-association manner, with its mere existence serving as suggestive evidence of a website’s wrongdoing. And that, the groups said, «will serve as a strong disincentive to deploying encrypted services in the first place.»

Beyond the potential blowback to consumers, enterprises and national security, civil rights advocates say a chilling of encryption will likely endanger those the bill is meant to help by eliminating secure ways for victims and marginalized groups to confide in trusted allies.

But Blumenthal dismissed the concerns Thursday as a «gigantic red herring.»

«Big Tech and their armies of lobbyists and allies have sought to make this an issue of encryption,» he said. «It’s not about encryption.»

What’s next?

With the bill bound for the Senate floor and still subject to revisions, there is a long way to go before the EARN IT Act becomes law.

But its passage out of the Senate Judiciary Committee on Thursday shows how the bill continues to enjoy bipartisan support despite the wide-ranging criticisms.

Opponents of the bill have sought to mount a massive campaign to defeat it, with the activist group Fight for the Future saying Thursday it had marshalled 600,000 supporters to contact lawmakers on the issue.