Two Republicans and two Democrats in the US Senate have proposed a law that aims to combat sexual exploitation of children online, but critics of the bill call it a "Trojan horse" that could harm Americans' security by reducing access to encryption.

The EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act "would create incentives for companies to 'earn' liability protection for violations of laws related to online child sexual abuse material," an announcement by the bill's supporters said today.

Under current law, Section 230 of the Communications Decency Act provides website operators broad legal immunity for hosting third-party content. A 2018 law known as FOSTA-SESTA chipped away at that immunity for content related to prostitution and sex trafficking, and the EARN IT Act would further weaken immunity for website operators who fail to take certain to-be-determined measures to find and remove child sexual-abuse material.

In a related development today, US Attorney General William Barr gave a speech calling for an analysis of how Section 230 affects "incentives for platforms to address [child sexual exploitation] crimes and the availability of civil remedies to the victims."

Bill lets Trump “control online speech”

The bill doesn't directly prevent websites or online platforms from using encryption. But it would create a commission that would develop "best practices for providers of interactive computer services regarding the prevention of online child exploitation conduct" and require online platforms to certify compliance with those best practices. Not following these practices would make the tech companies more vulnerable to lawsuits. The attorney general would be the chairperson of the commission.

As the Electronic Frontier Foundation notes, the proposed 15-member commission would be "dominated by law enforcement agencies," which have repeatedly urged tech companies to weaken encryption. Critics of the bill worry that the commission's best practices will dissuade tech companies from deploying end-to-end encryption that protects the private communications of Internet users.

"This terrible legislation is a Trojan horse to give Attorney General Barr and [President] Donald Trump the power to control online speech and require government access to every aspect of Americans' lives," Sen. Ron Wyden (D-Ore.) said today. Wyden continued:

While Section 230 does nothing to stop the federal government from prosecuting crimes, these senators claim that making it easier to sue websites is somehow going to stop pedophiles. This bill is a transparent and deeply cynical effort by a few well-connected corporations and the Trump administration to use child sexual abuse to their political advantage, the impact to free speech and the security and privacy of every single American be damned.

Those "well-connected corporations" include IBM, Marriott, and Disney, as a recent New York Times article said. Wyden's statement didn't specifically mention encryption, but his office told Ars that "when [Wyden] discusses weakening security and requiring government access to every aspect of Americans' lives, that is referring to encryption."

The EARN IT Act is sponsored by Senate Judiciary Committee Chairman Lindsey Graham (R-S.C.), Judiciary Committee Ranking Member Dianne Feinstein (D-Calif.), Sen. Richard Blumenthal (D-Conn.), and Sen. Josh Hawley (R-Mo.).

The Internet Association, which represents tech companies, said "the EARN IT Act as introduced may impede existing industry efforts to achieve this shared goal" of ending child exploitation online. EARN IT Act sponsors are not receptive to that argument.

"First Big Tech said it needed special immunity from human-trafficking laws," Sen. Hawley said. "Now it says it needs immunity from laws against child pornography. Enough. It's time to stop putting the financial interests of Big Tech above protecting kids from predators. The EARN IT Act is another way to bring today's Internet law into the 21st century."

The Internet Association also said that Section 230 "empowers Internet companies to proactively identify and remove [child sexual abuse material] and other illegal or objectionable material," and that tech companies already coordinate with law enforcement agencies in this area.

Banning encryption “without banning it”

Stanford Law School's Center for Internet and Society (CIS) made a case against the EARN IT Act in late January after draft text of the bill was released. The bill is an attempt to "ban end-to-end encryption without actually banning it," CIS Associate Director of Surveillance and Cybersecurity Riana Pfefferkorn wrote.

Pfefferkorn wrote:

The bill would, in effect, allow unaccountable commissioners to set best practices making it illegal for online service providers (for chat, email, cloud storage, etc.) to provide end-to-end encryption—something it is currently 100 percent legal for them to do under existing federal law, specifically CALEA (Communications Assistance for Law Enforcement Act of 1994).

Stewart Baker, who was formerly assistant secretary for policy at the Department of Homeland Security and general counsel at the National Security Agency, wrote in a blog post that "there is nothing radical" about the bill.

"The risk of liability isn't likely to kill encryption or end Internet security," Baker wrote. But Baker acknowledged that the bill will likely make the decision to offer encryption a more difficult one for tech companies:

To see what this has to do with encryption, just imagine that you are the CEO of a large Internet service thinking of rolling out end-to-end encryption to your users. This feature provides additional security for users, and it makes your product more competitive in the market. But you know it can also be used to hide child-pornography distribution networks. After the change, your company will no longer be able to thwart the use of your service to trade in child pornography, because it will no longer have visibility into the material users share with one another. So if you implement end-to-end encryption, there's a risk that, in future litigation, a jury will find that you deliberately ignored the risk to exploited children—that you acted recklessly about the harm, to use the language of the law. In other words, EARN IT will require companies that offer end-to-end encryption to weigh the consequences of that decision for the victims of child sexual abuse. And it may require them to pay for the suffering their new feature enables.

Update: The latest version of the bill is now available. The planned commission is now 19 members instead of 15, and the best practices would be submitted to Congress for an additional vote under a fast-tracking process. Pfefferkorn posted an analysis of the updated version, saying "I expect that this process is just a rubber-stamp by Congress, particularly given the fast-tracking provisions that do away with the usual legislative processes. That is: the 'best practices' are still pretty much up to the AG to determine." The current version of the legislation allows the attorney general to approve or deny the commission's recommended best practices; the draft version differed in that it gave the AG power to "modify" the recommendations.

Think of the children

Similarly to the campaign for the FOSTA-SESTA bill that made websites liable for prostitution-related content, EARN IT supporters try to paint the bill's opponents as being indifferent to child abuse.

"The Internet is infested with stomach-churning images of children who have been brutally assaulted and exploited and who are forced to endure a lifetime of pain after these photographs and videos are circulated online," Sen. Blumenthal said.

Blumenthal argued that tech companies should have to "earn" the "extraordinary special safeguard against legal liability" that they've had under Section 230. "Companies that fail to comport with basic standards that protect children from exploitation have betrayed the public trust granted them by this special exemption."

Wyden isn't buying that argument, and he said the government can do more to fight child abuse without jeopardizing online security. The federal government has "spent years ignoring the law and millions of reports of the most heinous crimes against children," Wyden said.

"I'll be offering legislation in the coming days to drastically increase the number of prosecutors and agents hunting down child predators, require a single person in the White House to be personally responsible for these efforts, and direct mandatory funding to the people who can actually make a difference in this fight," Wyden said.

TechFreedom, a libertarian advocacy group, argued that the EARN IT Act might not even accomplish its primary goal of making kids safer. "The EARN IT Act could actually make law enforcement's job significantly harder by ending today's close cooperation between law enforcement and tech companies," TechFreedom President Berin Szóka said.