June 25, 2020 10:25AM

Too Many Cooks Spoil the Internet

My colleague Matthew Feeney and I have previously written about the EARN IT Act, noting that it could be used as a vehicle to fulfill Department of Justice demands for encryption backdoors. That concern has only increased in the wake of the DOJ’s publication of a list of proposed changes to Section 230, which include evidence preservation requirements prohibitive of encryption. However, the EARN IT Act relies on rulemaking by committee to derive the best practices on which it would condition Section 230’s protections. While a charge to establish sweeping best practices may threaten encryption, the proposed committee’s membership selection and voting structure have problems of their own; they seem designed to encourage gridlock and the erosion of civil liberties.

The committee is composed of 19 members selected for five-year terms; 14 of them must approve a set of best practices to send to Congress for a fast-track vote without amendments. Three are federal officers: the attorney general, the secretary of homeland security and the chairman of the Federal Trade Commission. The rest are selected in a bipartisan fashion: the majority and minority leaders in the House and Senate each get four picks. However, each quartet must include one member with law enforcement or prosecutorial experience addressing Child Sexual Abuse Material (CSAM), one who is either a survivor of sexual exploitation or works with survivors, one expert in either constitutional law or computer science, and one member who works at either a large or small tech firm covered by the bill.

Yes, it sounds a bit like how Rings of Power are distributed, but it creates a scenario in which the path to an approving majority of 14 runs roughshod over Americans’ privacy. The committee is stacked in favor of intrusive action. A party that controls the executive branch need only win over three appointees of the other side to win approval. It seems likely that limits on encryption will receive some cross-party support from either law enforcement or representatives of anti-abuse non-governmental organizations. If all of the minority party’s law enforcement and NGO representatives join the proposal, the majority needs only one technical expert vote to ignore all of the tech firm representatives altogether.

Making this more likely, the technical experts need only “experience in matters related to constitutional law, consumer protection, or privacy,” or “experience in computer science or software engineering related to matters of cryptography, data security, or artificial intelligence.” These stipulations do not ensure that the selected experts are friendly to Americans’ civil liberties, merely that they have some experience with cryptography or the law. Work experience at the DOJ or a facial recognition firm such as Clearview would fit the bill, but wouldn’t ensure the committee appreciates the effect of its best practices on Americans’ privacy.

While the inclusion of representatives from specific separate firms may be intended to increase the representative nature of the committee, in practice it creates dangerous opportunities for anticompetitive “best practices.” Because the bill includes two spots for large firms and two spots for small firms, selected by majority and minority leaders, it creates opportunities for politicians to reward favored firms at the expense of others. Because not all business models will be represented, those with a seat on the committee will find it easier to comply with the resultant rules. Imagine Facebook handicapping the competing Snapchat by proposing prohibitions on disappearing video as an evidence retention mechanism. Not all ill effects need be intentional; firms on the committee are simply more likely to have their unique concerns heard and reflected in the approved practices.

Although the committee could be expanded to include more perspectives, doing so may make it unwieldy, and it cannot escape the problems inherent to replacing a general rule, equally applicable to all, with a set of specific, evolving prohibitions. The latter model, particularly with an explicitly partisan firm selection process, will always create more opportunities for corruption and capture than the simple, universally applicable regime of Section 230.