Should internet platforms be required to take more responsibility for what their users say and do? Attorney General Bill Barr is set to give a major address today arguing that, to stop the spread of child pornography, Congress must make sweeping changes to Section 230, the 1996 law that made possible the free and open internet as we know it. Don’t buy it. Barr is exploiting concerns over sexual abuse material (CSAM) to attack the privacy of law-abiding Americans.
Section 230 overruled court decisions that had held internet operators liable for user-generated content. Congress wisely understood that if taking an active role in content moderation increased a website’s legal risks, they’d simply stick their heads in the sand. Despite overwhelming bipartisan support for Section 230 at the time, both leading Republicans and Democrats now blame the law for the internet’s ills.
But Section 230 has never stopped the feds from prosecuting websites. Federal criminal law already requires internet services to report potential CSAM distribution to the National Center for Missing and Exploited Children — the quasi-governmental clearinghouse that coordinates between companies and law enforcement — and tens of thousands of CSAM traffickers have been brought to justice. This isn’t really about CSAM at all. It’s about how secure the messaging, file and video sharing tools we all use will be.
For nearly 30 years, our national security and law enforcement agencies have tried to prevent ordinary Americans from having access to technologies that offer secure, private communications. Congress has required telecom carriers to build in backdoors, but never extended such statutory requirements to pure internet services. That’s allowed the growth of iMessage, Facetime, Signal, Telegram, WhatsApp and other services based on end-to-end (“strong”) encryption. Because even the service provider can’t read the communications, users can rest assured that no one else can either. Building in a backdoor for the U.S. government means creating a security vulnerability that both the world’s most repressive governments and ordinary criminals could exploit. That would leave us all less secure.
Barr appears to have been working behind the scenes with Sens. Lindsey Graham (R-S.C.) and Richard Blumenthal (D-Conn.) on legislation that was recently leaked. The bill seems merely to assemble a commission to “develop recommended best practices for providers of interactive computer services regarding the prevention of online child exploitation conduct.” But that commission would actually have carte blanche to fundamentally reshape the internet — and erode user privacy in ways Congress has, rightly, been unwilling to do directly.
The commission would be stacked with representatives of law enforcement, so it could easily reach the required supermajority to “recommend” banning strong encryption — or that websites retain extensive logs of user data, which law enforcement could access without convincing a judge to issue a warrant (an idea that died Congress in 2011). The public wouldn’t even get to comment on the commission’s recommendations because it wouldn’t technically be a rulemaking, but make no mistake: The commission would effectively be imposing legal mandates.
The Graham-Blumenthal bill would put the operators of online communications services in an impossible position. Even if they continue cooperating with law enforcement to identify CSAM traffickers, they’d face sweeping new criminal and civil liability simply for offering strong encryption to users (or failing to retain data logs, etc.). A court might find that these design decisions were “reckless” — the new, lower standard set by the bill — because they made it easier for CSAM traffickers to communicate in secret. If so, corporate officers could go to prison, and plaintiff’s lawyers could win massive damage awards (under the lower standard of proof that applies in civil cases).
The only way to guard against these new legal risks would be to “earn” back Section 230 protections — and which would require following the “best practices” issued under the bill. In the end, the Graham-Blumenthal bill offers an elaborate end-run around Congress to restrict online privacy in ways Congress wouldn’t be willing to do directly.
There’s good reason to think that it’s really the national security agencies behind this push. The bill could actually make things harder for law enforcement. Multiple CSAM defendants have argued that online communications services operate as government agents and, thus, that the Constitution required a judge to issue a warrant upon a finding of probable cause before those companies turned over evidence of CSAM to NCMEC (as required by law). Courts have consistently ruled that neither private companies nor NCMEC are bound by the Fourth Amendment because they are private actors. But if the Graham-Blumenthal bill passed, accused CSAM traffickers would have a compelling argument that private companies are operating as arms of the state — not voluntarily. A warrant requirement would bring an end to today’s system of close cooperation between service providers and law enforcement.
We should all be able to agree on two things. First, there shouldn’t be a “backdoor to a backdoor.” It’s one thing for an expert commission to recommend new legislation to Congress — but quite another for Congress to outsource the task of totally reshaping online privacy to some outside body. And it’s no excuse that Congress would have the opportunity to veto the Commission’s “best practices.” No lawmaker will take a vote that could be painted as soft on child exploitation.
Second, policing CSAM should be a much higher priority for law enforcement, as it is in European countries. Lawmakers should focus on ensuring that law enforcement has the resources — taxpayer dollars — it needs to do its job. Exploiting CSAM as an excuse to ban strong encryption is merely a distraction from that vitally important conversation.
Berin Szóka is president of TechFreedom, a nonprofit, nonpartisan think tank, and a lawyer with over 15 years of experience in internet law.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.