.@SenateJudiciary is marking up #EARNITAct, which claims to crack down on child sexual abuse material but will really jeopardize prosecutions. Forcing tech firms not to use strong encryption & to monitor users makes them state actors who need a warrant 🧵
judiciary.senate.gov/meetings/02/03…
judiciary.senate.gov/meetings/02/03…
https://twitter.com/TechFreedom/status/1491203235692302337
#EARNITAct's sponsors say they've fixed the bill. They haven't. Making the "best practices" "voluntary" doesn't help. The 4th Amd./privacy problem has always been come from exposing tech companies to such vast liability that they *must* monitor what users say & abandon encryption
#EARNITAct was changed in 2020 to "fix" the liability it enables under federal law (by tying it to "actual knowledge", but it then does exactly the same thing through the back door: enabling states to enforce criminal & civil laws that turn on mere recklessness or negligence
That difference is key: if you can be sued or prosecuted without proof that you *knew* about CSAM, you'll have to monitor everything your users say lest you be accused of not doing enough to address the "risk" of CSAM being used on your service
Having to monitor user communications means either:
—abandoning strong encryption (the point is the provider can't read communications)
—compromising encryption by allowing the gov't to view it all as a "ghost user"
—monitoring content by scanning client-side (on the device)
—abandoning strong encryption (the point is the provider can't read communications)
—compromising encryption by allowing the gov't to view it all as a "ghost user"
—monitoring content by scanning client-side (on the device)
The 2020 Leahy Amendment may shield companies from the first problem but it doesn't clearly fix the other two
We proposed an expansion of the Leahy Amendment drawing on existing language from federal law: §§ 2-4 come from 18 USC 2258A(f)
techfreedom.org/wp-content/upl…
We proposed an expansion of the Leahy Amendment drawing on existing language from federal law: §§ 2-4 come from 18 USC 2258A(f)
techfreedom.org/wp-content/upl…
Section 2258A(f) has been critical to courts ruling that tech companies are not state actors who need to get a warrant before they can monitor user communications: It assures that they're not under a legal duty to conduct searches
To avoid triggering the Fourth Amendment here, and thus letting criminals walk free, the Leahy Amendment to #EARNITAct must be expanded include 2258A(f)'s protections for monitoring: so if companies DO do it, it's truly voluntary
We add an additional prong: companies have no legal duty to "facilitate monitoring, or other access to the content of communications, by a government entity." That's crucial to avoid companies being coerced to allow ghost users, etc
So expanding the original Leahy Amendment is critical at today's #EARNITAct markup
But first, we have to restore the original Leahy Amendment. The current language may look similar, but it's actually the opposite of the Leahy amendment: it DOES allow tech companies to be sued
But first, we have to restore the original Leahy Amendment. The current language may look similar, but it's actually the opposite of the Leahy amendment: it DOES allow tech companies to be sued
#EARNITAct turns on liability. Just like Texas's abortion law, it uses the fear of liability to coerce a desired result without technically requiring it—there, banning abortion, here banning encryption and coercing monitoring of users
Restoring the Leahy Amendment's protection is critical, but it's hard to craft protections from liability that will work in practice
So it's also critical that @SenateJudiciary tighten the underlying standards for liability. @SenMikeLee proposed just that at the 2020 markup...
So it's also critical that @SenateJudiciary tighten the underlying standards for liability. @SenMikeLee proposed just that at the 2020 markup...
Lee's 2020 amendment tied liability under state law to federal law, which requires actual knowledge, and also ensured that states would not expand liability by defining a slew of new terms differently from federal law
.@SenMikeLee withdrew these amendments on the understanding that #EARNITAct's sponsors would work with him to address his concerns on the Senate floor before any final vote. No such changes have been made. The bill still enables vast liability under state law
@SenMikeLee .@SenateJudiciary just spent 20 minutes debating whether the problem was racism or anyone mentioning racism—which is 20 minutes more than they've spent on figuring out whether #EARNITAct will make it easier or harder to stop child porn (answer: harder)
https://twitter.com/BerinSzoka/status/1491794620103020553
@SenMikeLee @SenateJudiciary Finally, we start markup of the #EarnItAct
Sen. Graham has to be on the floor soon, so... byyyyyye...
Sen. Graham has to be on the floor soon, so... byyyyyye...
Graham: #Section230 laments the spread of child sexual abuse material protects social media platforms... they say they're billboards
230 has NEVER protected websites from criminal prosecution. Which is why Backpage was prosecuted even without #SESTA
230 has NEVER protected websites from criminal prosecution. Which is why Backpage was prosecuted even without #SESTA
Blumenthal is right: the only thing more odious than children being raped is images of that rape being spread online
Which is precisely why @SenateJudiciary needs to make sure #EARNITAct doesn't jeopardize the criminal prosecutions of those who spread child sexual abuse material
Which is precisely why @SenateJudiciary needs to make sure #EARNITAct doesn't jeopardize the criminal prosecutions of those who spread child sexual abuse material
@SenateJudiciary Blumenthal: there is free software (PhotoDNA) that allows tech companies to detect when child sexual abuse material appears
Yes, and every company SHOULD use it! But ask yourself: why doesn't #EARNITAct just mandate that? Why does current law say there's no legal duty to scan?
Yes, and every company SHOULD use it! But ask yourself: why doesn't #EARNITAct just mandate that? Why does current law say there's no legal duty to scan?
Because if the government requires scanning, or effectively compels it, it's no longer private companies doing the right thing. It's a government actor conducting a search, which requires a warrant under the Fourth Amendment
The whole point of #EARNITAct is to coerce searches...
The whole point of #EARNITAct is to coerce searches...
The bill's sponsors are trying to do an end-run around the Fourth Amendment
That will NOT hold up in court. Courts have heretofore ruled that, when tech companies scan user communications, they're doing so for their own reasons. #EARNITAct will force companies to get warrants
That will NOT hold up in court. Courts have heretofore ruled that, when tech companies scan user communications, they're doing so for their own reasons. #EARNITAct will force companies to get warrants
Blumenthal: there's no express duty to scan for CSAM but if they have knowledge of it, they can be accountable
In fact, #EARNITAct authorizes companies to be sued under *state* law merely for recklessness/negligence (i.e., not scanning)
That's how the bill breaks encryption...
In fact, #EARNITAct authorizes companies to be sued under *state* law merely for recklessness/negligence (i.e., not scanning)
That's how the bill breaks encryption...
End-to-end encryption means a provider can't read user communications
Offering E2EE could easily be considered "reckless"/"negligent" disregard of the risk of spreading CSAM
Offering E2EE could easily be considered "reckless"/"negligent" disregard of the risk of spreading CSAM
Blumenthal keeps saying #EARNITAct requires actual knowledge. That's only three of the first of three amendments to #Section230.
If he means that, he has to accept Lee's amendments to require actual knowledge under state claims
If he means that, he has to accept Lee's amendments to require actual knowledge under state claims
Kennedy: So you're saying that companies can be held liable if they seem CSAM and do nothing?"
Blumenthal: Yes
OK, so here's the problem with actual knowledge: it creates a perverse incentive NOT to monitor and to make it hard for anyone to notify you of unlawful material
Blumenthal: Yes
OK, so here's the problem with actual knowledge: it creates a perverse incentive NOT to monitor and to make it hard for anyone to notify you of unlawful material
Feinstein: I did not know there was a blanket immunity in this area of the law
THERE ISN'T! #Section230 does NOT affect enforcement of federal criminal law!
THERE ISN'T! #Section230 does NOT affect enforcement of federal criminal law!
Lee: Many concerns were addressed in 2020. I voted for #EARNITAct understanding that sponsors would work with me to address concerns
They haven't. Presumably, Lee is going to reintroduce his excellent 2020 amendment. The real question is: will he support the bill when it fails?
They haven't. Presumably, Lee is going to reintroduce his excellent 2020 amendment. The real question is: will he support the bill when it fails?
Lee: it's at markup when we improve bills
Yes, and also it's supposed to be at hearings that the Committee members understand (a) what a bill does and (b) why there are concerns about it. The Committee is very far from understanding either, so today's markup is wildly premature
Yes, and also it's supposed to be at hearings that the Committee members understand (a) what a bill does and (b) why there are concerns about it. The Committee is very far from understanding either, so today's markup is wildly premature
Lee's first amendment: restore the Leahy language approved at the July 2020 markup (protecting encryption), but then replaced with language from the House bill that does the opposite (punishing encryption) without discussion
Lee's 2nd amendment is minor (still unclear)
Lee's 3rd amendment focuses on services complicit in distribution of CSAM. Claims Big Tech companies can and do thoroughly monitor problematic posts. If they aren't just as vigilant about CSAM as about "stifling views," sue them
Lee's 3rd amendment focuses on services complicit in distribution of CSAM. Claims Big Tech companies can and do thoroughly monitor problematic posts. If they aren't just as vigilant about CSAM as about "stifling views," sue them
Lee: Big Tech has demonstrated the ability to thorough monitor their sites to [censor conservatives]
He's talking about removing *public content* that tech companies can monitor
But the problem with #EARNITAct is that it coerces tech companies not to encrypt *private* messaging
He's talking about removing *public content* that tech companies can monitor
But the problem with #EARNITAct is that it coerces tech companies not to encrypt *private* messaging
If #EARNITAct passes, Signal has already said they will have to leave the US for fear of being sued
The entire point of end-to-end-encryption is that it can't be content-moderated
Lee is mixing up apples and oranges
The entire point of end-to-end-encryption is that it can't be content-moderated
Lee is mixing up apples and oranges
It's hard to believe Lee doesn't understand the difference between content moderation of *unencrypted* PUBLIC posts and forcing companies NOT to encrypt private user-to-user communications so they can be content-moderated
But, hey, at least he got to complain about "censorship"
But, hey, at least he got to complain about "censorship"
Really sad that the only Senator (Lee) willing to stand up and try to fix clear problems with #EARNITAct also fundamentally misunderstands how content moderation and encryption works
But his example is exactly right: without his amendment (contra Blumenthal), #EARNITAct would allow a church to be held strictly liable if someone posts CSAM on its messaging board
Again, his amendment merely ties state claims to federal law, which requires actual knowledge
Again, his amendment merely ties state claims to federal law, which requires actual knowledge
Lee: if you want to adopt a different [knowledge] standard (from "actual knowledge"), let's have that conversation. But let's not leave it up to states to adopt whatever standards they want
Amen
Amen
Blumenthal: the treatment of encryption in #EARNITAct is the result of many hours of discussion with Sen Leahy. The bill doesn't prohibit liability for encryption, only misuse of encryption to further illegal activity
He's talking about the new "independent basis" language...
He's talking about the new "independent basis" language...
Blumenthal means that using encryption can't be an "independent basis" for liability, but it *can* be used as evidence of a company not doing enough to stop CSAM
@Riana_Crypto addressed this two years ago
tl;dr: if you can sue for "recklessness," the protection is meangingless
@Riana_Crypto addressed this two years ago
tl;dr: if you can sue for "recklessness," the protection is meangingless
Sen @Ossoff takes the floor, enters into the record a massive coalition letter warning about the perverse consequences of #EARNITAct
https://twitter.com/CenDemTech/status/1491412073196269577
Leahy: we negotiated some language about encryption, which is included in #EARNITAct. I think the language does that [protecting encryption]
No! The current language does the opposite from Leahy's 2020 amendment! It says websites CAN be sued for encryption!
No! The current language does the opposite from Leahy's 2020 amendment! It says websites CAN be sued for encryption!
Also, the issue here is not actually primarily about encryption (using strong encryption means you can't monitor) but about whether tech companies are coerced into monitoring for CSAM
That *sounds* great, but the government can't do that without subjecting companies to the 4Amd!
That *sounds* great, but the government can't do that without subjecting companies to the 4Amd!
Neither the original version of the Leahy Amendment nor the current version protects companies from being sued for not doing enough to monitor for CSAM
There is a reason why current law (2258A(f) says they have no such duty: it would trigger the Fourth Amendment!
There is a reason why current law (2258A(f) says they have no such duty: it would trigger the Fourth Amendment!
Concerns about encryption have always been secondary, so merely saying you can't be held liable for using encryption obviously don't solve the problem
If Whatsapp stops using E2EE and starts monitoring private messaging, it will be conducting searches under legal compulsion
If Whatsapp stops using E2EE and starts monitoring private messaging, it will be conducting searches under legal compulsion
The Supreme Court has been VERY clear: the government doesn't need to explicitly require something to trigger the Fourth Amendment.
Read our letter: techfreedom.org/wp-content/upl…
Read our letter: techfreedom.org/wp-content/upl…
Blumenthal: this approach is very narrowly targeted, we're carving out an exception, but I hope we'll review #Section230 as a whole
Allowing tech services to be sued for recklessness in using encryption is ANYTHING but "narrowly targeted"
Allowing tech services to be sued for recklessness in using encryption is ANYTHING but "narrowly targeted"
Lee's amendment would at least fix that problem
But as with the 2020 markup, he correctly identified that problem today, but didn't bother to even put his amendment up for a vote
The sponsors didn't fix the problem last time and clearly won't this time. They don't even get it
But as with the 2020 markup, he correctly identified that problem today, but didn't bother to even put his amendment up for a vote
The sponsors didn't fix the problem last time and clearly won't this time. They don't even get it
#EARNITAct sent to the floor with no objections, no amendments, no vote on amendments, and no one other than @SenMikeLee even remotely understanding how the bill works (and even he is deeply confused about how content moderation and encryption works)
#YourTaxDollarsAtWork
#YourTaxDollarsAtWork
Don't miss my colleague @AriCohn's thread on the hearing:
https://twitter.com/AriCohn/status/1491776393277026304
@threadreaderapp unroll
• • •
Missing some Tweet in this thread? You can try to
force a refresh
