This is the latest entry in my lengthy archive of writing, talks, and interviews about the EARN IT Act:
- Blog posts at the CIS blog: part 1, part 2, part 3, part 4, part 5, part 6, part 7, part 8
- Articles for Brookings TechStream: part 1, part 2
- Talks at the DEFCON Crypto & Privacy Village and the University of Waterloo
- Interviews on the Decipher Security Podcast and ExpressVPN blog
On January 31, Senator Richard Blumenthal, together with 18 co-sponsors from both parties, reintroduced the EARN IT Act. Two days later, the House reintroduced its version too. Last introduced in 2020, the EARN IT Act would, if passed, pare back online service providers’ broad immunity under a federal law called Section 230, exposing them to civil lawsuits and state-level criminal charges for the child sexual abuse material (CSAM) posted by their users.
At first blush, that might sound like a good thing, which is why it will be hard for members of Congress to resist – who could ever vote against child safety? But make no mistake: this was a dangerous bill two years ago, and because it’s doubled down on its anti-encryption stance, it’s even more dangerous now.
Protecting children online is a laudable and urgent goal. However, the EARN IT Act would do little to protect child sex abuse victims – to the contrary, it risks making it even harder to track down and convict offenders. And by discouraging providers from using encryption to protect the privacy and security of users (including children), while simultaneously encouraging them to over-censor their users’ perfectly legal speech, EARN IT would do a lot of damage to innocent internet users who have broken no law.
EARN IT 2022 Is the Worst of Both (Senate and House) Worlds
There have already been some excellent write-ups this week about the resurrection of this zombie bill and the menace it still poses. If you only have time to read one thing, make it Casey Newton’s Platformer newsletter, which provides a cogent and succinct overview of everything you need to know. Then check out Mike Masnick’s three-part deep dive at Techdirt: one on how EARN IT risks exacerbating the online child exploitation problem, another on how EARN IT is far worse than the last law that amended Section 230, and a third meticulously picking apart a “myths vs. facts” document the bill’s sponsors released that (surprise!) peddles more myth than fact, as Mike explains with palpable exasperation. The Internet Society, ACLU, CDT, and EFF, all longtime opponents of EARN IT, have also weighed in (and EFF provides an action item for contacting your elected representatives to tell them to oppose EARN IT).
For me, this week’s reintroduction of EARN IT is déjà vu all over again. As the link round-up at the top of this post shows, I spent most of 2020 explaining why EARN IT was a terrible bill that would have numerous downsides without ameliorating the complicated problem of child safety online. All of that is still true today, because the bill hasn’t changed.
The new Senate bill is a near-replica of the Senate bill text from July 2020, whose many problems I documented here. The only real change is the replacement of that bill’s already-tepid language attempting to protect encryption with language from the September 2020 House version of the bill. The House language, as I wrote here, is even weaker: it discourages providers from offering encryption by exposing them to liability for doing so (as long as complainants can gin up some other pretext for suing) and by permitting evidence of their encryption features to be used against them in court. That is, the only change since July 2020 has made the bill worse.
To get my in-depth explanation of EARN IT 2022, you need only read those two previous writings of mine about EARN IT 2020, which together cover the entirety of the new zombie bill. Again, they’re here (about the bill overall) and here (about the weak-sauce encryption language). It’s certainly convenient for me that I don’t have to do any new analysis. But it’s also maddening that the bill hasn’t gotten any better, when its backers had over a year and a half to fix the problems that I and others identified the last time around. (Or, preferably, to just let it fail instead of bringing it back from the dead.)
That’s So Much Reading! What’s the TL;DR, Again?
To recap, here’s why the EARN IT Act would harm online speech, privacy, and security without achieving its child-safety goal:
- Fear-Driven Censorship of Legal Speech. Contrary to the outright lies in the EARN IT sponsors’ “myths vs. facts” document, nobody, literally nobody, is claiming there’s some First Amendment right to CSAM that EARN IT impairs. The real issue is censorship of legal speech that is constitutionally protected. By threatening tech companies with significant litigation exposure for doing an imperfect job of fighting CSAM on their services, EARN IT will result in companies overzealously censoring lots of perfectly legal user speech just in case anything that could potentially be deemed CSAM might be lurking in there, or even shutting down part or all of their services entirely. They’d throw the First Amendment-protected baby out with the unprotected CSAM bathwater. (The same thing happened with online censorship after Congress passed the SESTA/FOSTA law, on which EARN IT is modeled, which carved out sex trafficking offenses from Section 230.) [More here.]
- Making Law Enforcement Investigations Harder. Meanwhile, increased vigilance by providers will push CSAM traders off law-abiding platforms and onto offshore sites (that don’t follow U.S. law) and the dark web, where they’re harder to track down. (This, too, happened after SESTA/FOSTA: even as platforms censored legal speech, sex trafficking offenders and victims got harder for investigators to find.) [More here.]
- Undermining User Privacy & Security. EARN IT would, as said, discourage the use of encryption, which is vital to protecting the privacy and data security of children and adults alike (yes, children deserve privacy too). Punishing companies for strong data protection practices is an utterly mindboggling public policy choice in the midst of an ongoing cybersecurity crisis, which has only grown worse since mid-2020 (think SolarWinds, Colonial Pipeline, Log4j, the ransomware pandemic…). As I’ve pointed out before, members of Congress (including EARN IT’s main sponsors) have this unfortunate tendency to bemoan that tech companies aren’t doing enough to protect users’ privacy, then get mad at them for using strong encryption to do just that. Sen. Blumenthal in particular is a study in contradiction: while pushing his anti-encryption EARN IT bill the first time around, he was simultaneously infuriated by Zoom’s lack of true end-to-end encryption. [More here.]
- Privacy Intrusio