Despite its unassuming name, the EARN IT Act has substantial cybersecurity implications, its relative obscurity in today’s coronavirus-obsessed headlines notwithstanding. The Eliminating Abusive and Rampant Neglect of Interactive Technologies (“EARN IT”) Act has already caught the ire of the collective internet and technology spheres due to its dramatic alteration of the safe harbor provisions of Section 230 of the Communications Decency Act (Title V of the Telecommunications Act Of 1996). Although still in the early stages of the legislative process, curbing Section 230’s protections has already garnered substantial support from leaders in both parties, including Joe Biden and Ted Cruz. Therefore, EARN IT’s progress merits close monitoring.
Section 230 provides immunity from liability for providers of an interactive computer service who publish information provided by others. EARN IT requires that a business “earn” this immunity by complying with federal cybersecurity “best practices” promulgated by a 19-person commission and adopted by Congress, rather than being granted immunity by default. The “best practices” would be designed to curb the sharing of child pornography, referred to in the bill as child sexual abuse material or “CSAM.” Although the bill does not list any “best practices” explicitly, observers suspect the EARN IT commission’s standards will dramatically increase law enforcement’s access to previously secure transmissions by banning end-to-end encryption and mandating backdoors to cybersecurity protocols.
Born out of the simmering “techlash” that has developed into a rolling boil since the 2016 presidential election and subsequent Cambridge Analytica scandal, EARN IT’s backers have publicly stated their goals to increase federal oversight of the Internet and to hold big technology companies more responsible for illegal use of their platforms. The bill is positioned as an effort to prevent the distribution of CSAM and is backed by bipartisan support as well as a parade of child advocacy and sexual assault survivor groups. However, EARN IT’s friendly face has not stopped technology companies and civil liberties groups from blanching at the practical effects of the bill and decrying it as a blatant unconstitutional expansion of federal surveillance power.
If EARN IT passes in its current format, social media giants and ISPs will have little practical choice but to comply with the commission’s suggested practices. The need for full immunity will likely prove very compelling. However, the additional strings on Section 230’s immunity will tie up average businesses as well. After all, Section 230 is the source of immunity for an extremely broad range of enterprises, including employers who provide network connectivity to their employees and for many website operators. EARN IT compliance is an issue that should be contemplated by every company currently enjoying Section 230 safe harbor. Use the questions and answers below as a tool to drive discussions regarding this topic:
Does an average business currently have immunity under Section 230?
Likely, yes. Although Section 230’s scope was ill-defined at the time of the Telecommunications Act’s passage in 1996, interpreting authorities have applied its protections to a broad span of modern businesses, including employers who provide internet and e-mail systems to their employees and to website operators.
If EARN IT becomes law, what does a business need to do to keep the same level of Section 230 protections as it had before?
Under the current language, a business would need to adopt any of the “best practices” promulgated by the commission and passed by Congress, and make yearly compliance certifications to the U.S. Attorney General. These compliance statements should not be made lightly; knowingly submitting a false statement of compliance can result in fines and up to two years behind bars. Further, the Attorney General can launch civil investigations into suspected non-compliance and demand discovery that must be responded to within 20 days.
What are the legal risks if a business chooses not to comply with EARN IT “best practices”?
EARN IT compliance is only required if a business wishes to maintain the same level of immunity under Section 230 that it provided before EARN IT. Non-compliance means that a business will lose immunity to claims brought under 18 U.S.C. § 2255, which provides for the recovery of actual damages or $150,000 in liquidated damages to each CSAM victim, and under 18 U.S.C § 2252, which provides criminal punishment for those who “knowingly transport[] or ship[] . . . including by computer any [CSAM].” In its current form, EARN IT does not impact immunity for published illegal content that is not contemplated by the above statutes. However, the more communicative freedom and privacy that the users of a company’s systems or platform have, the greater the risks of non-compliance.
Does losing that immunity matter?
For an average business, hopefully not. But that doesn’t mean writing off EARN IT is a risk worth taking. Generally, a business’s e-mail and communication systems are not ideal conduits for CSAM due to the wide-spread use of content filters and administrative access as well as the strong deterrent of have one’s identity clearly linked to each action and communication. However, as COVID-19 and the resulting remote working boom has driven the workforce in their homes, employees will more frequently jump between company systems and their own personal devices. With personal and company systems now closely integrated (for example, a personal computer and a company laptop both connected to the same monitor), there is a much greater opportunity for the employee to lose track of which system they are using to communicate. Although an employee accidentally using company systems to transmit or upload CSAM does not automatically incur liability, the specter of publicly defending a CSAM lawsuit should make any brand-conscious corporate leader queasy.
Outside of literal compliance with EARN IT “best practices,” what changes does EARN IT mean for an average business?
Until the bill passes and the commission begins developing the “best practices,” we will not know for sure. Compliance with EARN IT “best practices” may entail updating internal cyber security policies and data management practices, re-drafting public-facing privacy notices and website terms of use, and the re-negotiation of vendor and customer agreements. However, the choice to not comply with EARN IT “best practices” may require changes as well, as businesses may consider beefing up content filtering and controls to prevent the transmission of CSAM to account for the loss of Section 230’s safety net.
For more information regarding this article, please contact Matthew Hays.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.
- Lansing v. Southwest Airlines Co., 2012 IL App (1st) 101164 (Ill. Ct. App. June 8, 2012).
- Universal Commun. Sys. v. Lycos, Inc., 478 F.3d 413, 35 Media L. Rep. (BNA) 1417 (1st Cir. 2007).