A new bill would reduce legal protections for apps and websites, potentially jeopardizing online encryption. The draft bill would form a “National Commission on Online Child Exploitation Prevention” to establish rules for finding and removing child exploitation content. If companies don’t follow these rules, they could lose some protection under Section 230 of the Communications Decency Act, which largely shields companies from liability over users’ posts.

Reports from Bloomberg and The Information say that Sen. Lindsey Graham (R-SC) is behind the bill, currently dubbed the Eliminating Abusive and Rampant Neglect of Interactive Technologies (or EARN IT) Act. It would amend Section 230 to make companies liable for state prosecution and civil lawsuits over child abuse and exploitation-related material, unless they follow the committee’s best practices. They wouldn’t lose Section 230 protections for other content like defamation and threats.

The bill doesn’t lay out specific rules. But the committee — which would be chaired by the Attorney General — is likely to limit how companies encrypt users’ data. Large web companies have moved toward end-to-end encryption (which keeps data unreadable to anyone outside a conversation, including the companies themselves) in recent years. Facebook has added end-to-end encryption to apps like Messenger and WhatsApp, for example, and it’s reportedly pushing it for other services as well. US Attorney General William Barr has condemned the move, saying it would prevent law enforcement from finding criminals, but Facebook isn’t required to comply. Under the EARN IT Act, though, a committee could require Facebook and other companies to add a backdoor for law enforcement.

Riana Pfefferkorn, a member of the Stanford Law School’s Center for Internet and Society, wrote a detailed critique of the draft. She points out that the committee would have little oversight, and the Attorney General could also unilaterally modify the rules. The Justice Department has pushed encryption backdoors for years, citing threats like terrorism, but they haven’t gotten legal traction. Now, encryption opponents are riding the coattails of the backlash against big tech platforms and fears about child exploitation online.

Techdirt founder Mike Masnick also notes that Section 230 doesn’t cover federal crimes — so the Justice Department could already prosecute companies if they’re enabling abuse. This bill would just let it write a new set of rules by threatening much broader liability.

A spokesperson for Graham’s Senate Judiciary Committee emphasized to Bloomberg that the bill isn’t final. And the Justice Department is taking a closer look at Section 230 next month, holding a public workshop to discuss potential changes.