On Wednesday, a woman named Nicole testified to the Senate Judiciary Committee about how her child's biological father produced sexually abusive photos of their 5-year-old and shared them on the internet. Hands tightly clasped in front of her, she recounted how her child has been revictimized over the years as the images circulate, even now that the perpetrator of these crimes is behind bars.

Sign up for Protocol newsletters

"I have been told that, at one point, these images were the most highly traded in the world," said Nicole, who was granted anonymity by the committee.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

Nicole called on Congress to pass the EARN IT Act, a bipartisan bill that would force online companies to adhere to a set of best practices, drafted by a newly formed national commission, in order to crack down on online child sexual abuse material. If they failed to do that, they could lose legal protection under the law that enshrines the modern internet: Section 230.

"I do not understand how with all the technology available today, there are not safeguards to prevent distribution and redistribution of a child's sexually abusive images," Nicole said. "How can these images continue to be uploaded and shared, distributed for years on the internet, without companies doing anything?"

Nicole's testimony was heartbreaking — and darkly familiar.

A little more than two years ago, in September 2017, another anguished mother, Yvonne Ambrose, brought another Senate committee room to a standstill as she explained how her daughter, Desiree, who she described as "my heart, my world," was murdered after being listed by a pimp on Backpage.com. Ambrose wanted Congress to pass a bundle of laws, now known as FOSTA/SESTA, that would change Section 230 to hold online companies liable for knowingly facilitating sex trafficking.

Until that moment, few of the law's tech industry opponents — which included Facebook, Google and the lobbyists who represent them — had thought FOSTA/SESTA would pass. But Ambrose's testimony was a watershed, effectively cementing the 2018 passage of the law.

"I've never seen anything like it," one former tech industry official who was involved in the FOSTA/SESTA debate recalls, noting that from then on, tech groups' conversations on Capitol Hill got a lot harder. "We were like, 'You're opening the floodgates to civil liability. You'll break the internet and stymie free speech online.' And [lawmakers] would say, 'Yes, but what about the children?'"

As the Judiciary hearing committee got underway Wednesday, Nicole's testimony set the stage for a similar turning point for the EARN IT Act.

Once again, lobbying groups like TechNet and the Internet Association, as well as corporate giants like Facebook, have come out against the law over concerns that the commission could force online services to weaken encryption in order to secure Section 230 immunity. Once again the Internet Association sent one of its lawyers to make that case to Congress. And once again, that lawyer — this time, Elizabeth Banker — would be speaking to lawmakers who had just heard a mother tell a story no mother should ever have to tell.

"Any society that fails to protect its children, and do all that's within reason to do so, has lost their way," Sen. Lindsey Graham said in his opening remarks today. "America is not going to lose its way." Graham co-authored the bill with ranking member Dianne Feinstein, as well as senators Richard Blumenthal and Josh Hawley.

The EARN IT Act would establish the National Commission on Online Child Sexual Exploitation Prevention, a 19-member commission, tasked with creating a set of best practices for online companies to abide by with regard to stopping child sexual abuse material. Those best practices would have to be approved by 14 members of the committee and submitted to the attorney general, the secretary of homeland security, and the chairman of the Federal Trade Commission for final approval. That list would then need to be enacted by Congress. Companies would have to certify that they're following those best practices in order to retain their Section 230 immunity. Like FOSTA/SESTA before it, losing that immunity would be a significant blow to companies with millions, or billions, of users posting content every day.

The question now is whether the industry can convince lawmakers that the costs of the law outweigh the benefits. It's a debate that will test what tech companies have learned from the FOSTA/SESTA battle — and how much clout they even have left on Capitol Hill.

"If this were to pass, this would say a lot about the ability of the pro-tech interests to be able to influence legislation," said Jeff Kosseff, an assistant professor of cybersecurity law in the United States Naval Academy and author of a book on Section 230 called "The Twenty-Six Words That Created the Internet."

Before the FOSTA/SESTA fight, the tech industry had gone to war with Washington plenty, and had some luck getting its way. In 2012, another pair of bills known as SOPA/PIPA sought to crack down on online copyright infringement and inspired a wave of protests from tech companies and civil liberties groups alike. Wikipedia went dark for a day. Google blacked out its logo in solidarity. Facebook CEO Mark Zuckerberg wrote a post opposing the bills, which he said "could seriously hamper the innovation, growth and investment in new companies." Online petitions in opposition to the laws accrued millions of signatures, and groups like Fight for the Future flooded lawmakers' inboxes with emails from their constituents.

The strategy worked. Spooked by the groundswell of activism, Congress shelved the bills. "During the SOPA/PIPA fight, members were unsure of where the support for policy changes was and backed away from making the changes in that legislation," said Rick Lane, a former lobbyist for the Chamber of Commerce and 21st Century Fox, who now advocates for Section 230 reform.

Fast-forward to early 2017. The conversation around FOSTA/SESTA was getting underway, spearheaded by Sen. Rob Portman, who introduced SESTA. At the time, the tech industry was feeling emboldened by its success in the SOPA/PIPA debate. They felt confident SESTA wasn't going anywhere.

But politically, everything had changed. The 2016 presidential election gave way to a backlash against big tech that continues today, and the companies didn't fully understand yet just how strong that backlash was. "The large online services and the trade associations misunderstood how much the terrain had shifted beneath them," said Jonathan Mayer, an assistant professor of computer science at Princeton University, who was a technology adviser to California Sen. Kamala Harris during the FOSTA/SESTA negotiations. "They came into the debate really expecting to win, and not just win in the sense that the legislation wouldn't pass, but they didn't even have to bother with it."

Mayer describes that as a "quite a significant misreading of the political landscape."

"People thought that Section 230 was untouchable, that it was settled law, and lawmakers weren't going to touch the foundational law of the internet," said one former Facebook employee who was involved in the discussions. "They thought it would be a sustained PR political fight, and it would go away."

Ambrose's testimony coincided with Facebook's bombshell announcement that Russian trolls had coordinated a campaign to influence the 2016 election. Facebook had been standing strong with Google and others in opposing FOSTA/SESTA, but as the social network took a beating in the press, it changed course.

"Sheryl Sandberg and others didn't think that it was worth taking on yet another fight. It was as simple as that," said the former Facebook employee.

Facebook was able to negotiate some minor concessions, Mayer said. Shortly after, the Internet Association came out in support of the law, and in March 2018, the FOSTA/SESTA package passed the Senate with a vote of 97 to 2. Only Sen. Rand Paul and Section 230's author, Sen. Ron Wyden, voted against it. When President Donald Trump signed it into law, Ambrose was standing over his shoulder.

"They folded with FOSTA/SESTA," said Danielle Citron, a law professor at Boston University who has volunteered her expertise to both tech companies and Congress on Section 230 and online content moderation issues. "It's the wrong solution."

Last year, Citron held a meeting with members of Congress in both parties to discuss Section 230. Citron said she urged lawmakers to avoid taking a piecemeal approach to amending the law, and instead to adopt language that would require online companies to implement "reasonable" content moderation standards for a variety of online harms. Citron was joined by her colleague Mary Anne Franks, a University of Miami law professor who runs the Cyber Civil Rights Initiative, a nonprofit dedicated to stopping the spread of nonconsensual pornography.

Ultimately, Citron said, "That wasn't persuasive."

Instead, the EARN IT Act would force companies to adhere to a narrow set of standards, which Citron views as limiting. "Once you have a checklist, you end up encoding the checklist and that's all you do," Citron said. "You don't experiment."

She argues that the EARN IT solution could dissuade companies from trying new things as they try to fend off the very real threat of child sexual abuse material.

That's one of several arguments the Internet Association laid out in its prepared remarks Wednesday. "This process would have a severe chilling effect on legitimate investment and innovation — if product design decisions can be second guessed by a Commission, every investment decision in a new online service will be clouded with uncertainty," the remarks read.

The Internet Association also argued that the EARN IT Act is on constitutionally shaky ground. Not only could it be construed as a First Amendment violation, because the government would be telling companies what they can and can't publish, it might also be vulnerable to a Fourth Amendment challenge, which prohibits unreasonable search and seizure. The Internet Association argues that the EARN IT Act could turn companies into de facto "agents of the government" because of how they're required to monitor for child sexual abuse material, a service companies like Facebook already provide willingly. The final draft of the Act addresses this issue head on, stating the law shouldn't be construed as requiring "a provider of an interactive computer service to search, screen or scan for instances of online child sexual exploitation."

But the Internet Association's approach this time isn't all oppositional. In a sign tech giants may have learned their lesson from the FOSTA/SESTA debate, the group's prepared remarks explain what companies like Google and Microsoft are already doing to combat child sexual abuse material using image hashing tools. And they lay out legislative steps they would support in combating the scourge, including appropriating resources to law enforcement officials who are already empowered to prosecute these cases under Section 230. (Sen. Wyden has said he plans to propose legislation to this effect).

In her opening remarks, the Internet Association's lawyer, Banker, appeared to choke back tears as she discussed the indelible mark that reviewing child sex abuse material through her work has left on her.

During the FOSTA/SESTA debate, Mayer said, this type of conciliatory approach was entirely missing. "They weren't giving the best version of their own argument," Mayer said. "I have to imagine that industry has learned some lessons."

It's also made some key hiring decisions. In the fall, Google hired Mark Isakowitz to lead its D.C. policy shop. Prior to taking on the role, Isakowitz was chief of staff to none other than SESTA sponsor Sen. Portman.

But it's not clear what the industry has gained from this shift. The EARN IT Act still opens up the possibility that an administration interested in weakening encryption — as the last several have been — could make Section 230 immunity dependent upon building a backdoor for law enforcement. If that weren't at least part of the goal of the bill, Mayer said, its authors could easily write in language to allay those concerns. But they haven't.

Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.

In some ways, the task ahead of the tech industry is tougher because of the encryption element. Not only do tech giants have to defend their legal immunity, despite the volume of criminal activity on their platforms, they also have to defend their decision to encrypt those platforms, making that criminal activity inaccessible to both the companies and to law enforcement.

"Facebook is talking about end-to-end encryption which means they go blind," Sen Graham said, later adding, "We're not going to go blind and let this abuse go forward in the name of any other freedom."

Mayer said these new dynamics, coupled with Silicon Valley's waning reputation, suggest that even if tech giants did learn a lesson from the FOSTA/SESTA fight, it might be too late. "It may be there isn't much political maneuvering room left for them," he said.