EARN IT Act 2022: Section-by-Section Breakdown

Summary: This section establishes a Commission tasked with developing “best practices” for websites that are meant to address all stages of trafficking of minors into commercial sex, all aspects of minors engaged in commercial sex, child sexual abuse, and the distribution of CSAM, and to whom these standards would apply, as well as alternatives tailored to details about the digital space.

The Commission would be chaired by the Attorney General and includes 19 members. 11 of these members are taken from federal agencies, law enforcement, and tech companies, but 4 members would be survivors of child sexual exploitation or those supporting survivors, and 4 would have a civil rights, civil liberties, privacy, or cybersecurity background.

The Commission will have 18 months to develop its recommended best practices, which must be updated and resubmitted every five years. 

The mandate of this Commission covers all aspects of prevention, identification, disruption and reporting, including working with outside entities, retention of metadata and content, training of websites, age ratings and gating for content, parental controls, practices between websites and third parties, data retention and reporting on these aspects. 

The Commission is asked to consider cost and technical limitations; the impact on competition, product quality, and privacy; and the impact on law enforcement. 

The Committee’s recommended best practices are published online and in the Federal Register, a journal where government rules, regulations, and notices are posted. These best practices are not binding. 

he mandate is incredibly broad and means the commission has the ability to basically regulate anything it wants without explanation. 

The inclusion of “age rating and age gating systems” suggests that this could cover pretty much any content. We know that parental controls regularly block access to LGBTQ content and women’s health information. A commission led by law enforcement and tech companies is the wrong voice to center in these life and death conversations.

EARN IT also offers zero accountability. There are no metrics for success, no metrics for whether there will be a disproportionate impact on anything, no measures of transparency for Congress to even review the impact. 

Similar to FOSTA/SESTA, this section creates a carve out of Section 230 that makes websites liable when one of their users violates federal CSAM law. Websites would be subject to both civil and criminal cases using the federal CSAM law, as well as civil and criminal cases using state laws “regarding” conduct related to CSAM (as that term is defined in federal law).  

Under this section, websites cannot be sued specifically for their use of encryption or their efforts to protect encrypted data. However, if a website is sued under this section, a website’s encryption practices can still be reviewed by a court if it thinks encryption is relevant. 

Federal criminal prosecutions have never been barred by 230, so federal criminal liability is unchanged. However, like FOSTA/SESTA, this section expands federal civil liability and civil and criminal state liability for websites, turning people who are being victimized or at risk of being victimized into liabilities and high-risk groups. This incentivizes kicking people off of platforms to limit liability. 

This section’s state liability language is much broader than the Section 230 carve-out created by FOSTA too. EARN IT would create liability under many state laws that use the federal definition of CSAM (whereas under FOSTA the conduct underlying the violation had to match the conduct prohibited by federal anti-trafficking law). EARN IT gives nearly unrestrained power to states to have an impact across the globe, both now and with state laws enacted in the future. Websites will need to be aware of all CSAM-related statutes in all fifty states. Sites will likely need to adhere to the strictest of these – meaning the most conservative states will control access to online material. FOSTA had a similar, global impact, even in countries where trading sex is legal. This is likely to have a dramatic impact on young people’s access to sex education and health materials, regardless of where they live or what they want. 

The encryption language in this section is a red herring: it looks like it provides strong encryption protections, which would preserve the online privacy of sex workers, vulnerable groups, and community organizers. However, these encryption protections won’t apply to most of the cases brought against websites under this section because most cases are not solely focused on a website’s encryption practices. The exception allowing courts to review website’s encryption practices swallows the protection, meaning websites may still choose to stop encryption their services to avoid legal liability. 

This section expands the types of information that parties are expected to send to the National Center on Missing and Exploited Children (NCMEC) when reporting potential instances of CSAM. This includes location data, email addresses, and identifying information about any “involved minor”. Additionally, websites are given broader legal immunity when they send CSAM and related information to NCMEC. 

This section also includes language to standardize the format of reports sent to NCMEC.

Companies are likely already collecting this kind of information about their users. When combined with Section 8, tech companies would be permitted to indefinitely keep reports containing CSAM depictions and identifying information about the people depicted and provide a broad range of information and data about users to NCMEC. 

We have concerns about the security of such information and the harm to survivors if that information is not secure. Private companies are not required to provide the public with the same level of transparency in their protocols that public agencies are, meaning the data and materials they collect and preserve could be leaked, stolen, or otherwise mishandled. Companies need to be held accountable for how they collect and hold this information, and EARN IT doesn’t provide any relevant protections.

After a tip is made to NCMEC, the website must retain all the data it provided for at least 180 days, up from the current 90 days. 

The tip provider may also retain the content of their report, including the CSAM itself, indefinitely in order to “reduce the proliferation of CSAM.”