Monday, February 24, 2020

DOJ 230 workshop part 4


DOJ Section 230 Roundtable, afternoon
Chatham House Rules

Session 1: Content Moderation, Free Speech, and Conduct Beyond Speech

How do platforms deal w/defamation? Standard practice is to review the complaint, the content; compare to TOS/code of conduct. Removal if warranted, contact poster if warranted and sanction at some level if warranted. If no violation, it can be difficult. Service provider can rarely determine falsity.

Hassel v. Bird is part of a trend of expanding 230 immunities outside recognizable form. Involved a statement adjudged to be false/defamatory. Court ordered platform to take it down; platform declined. Platforms just say they don’t care.

Distributor liability would be consistent w/text of 230. Zeran ignored 300 years of common law  If platform is made aware, there is a responsibility to do something.

That’s not what distributor liability was. There is not 300 years of distributor liability; 300 years ago people were still getting arrested for lese-majeste.  There is no common law of internet liability. 230 did cut off common law development of secondary liability but it is possible that the First Amendment requires something very much like 230.

There are three levels in the Restatement: publisher, distributor, and provider of mechanisms of speech, such as photocopier manufacturer and telephone company. That third level is not liable at all. There are cases on the latter. The Q is whether internet companies are publishers, distributors, or providers of mechanisms of distribution.  Consider the city: if someone is libeling me on the sidewalk, I can’t sue the city. Tend to be people who are by law prohibited from discriminating—broadcasters when they sell space to political candidates. [Notably, not photocopier providers—at least I can’t imagine that anyone thinks that their liability for defamation copied on their machines turns on whether they only sell to politically correct copiers.] The real innovation of 230 was not to abandon a 2 level structure, but it also said that service providers get protection even though they do have the power to decide what’s allowed. Maybe we should abandon this category, or reserve it for service providers that don’t discriminate, but traditional rules also had absolute liability, not just notice and takedown. [When communication is not private one-to-one but one-to-many, nobody wants platforms to not discriminate against bad content, because that makes them unusable. So the common carrier neutrality requirement might not be a good fit, though of course that doesn’t necessarily mean that immunity would be the constitutional rule in the absence of 230.]

The libelous/not libelous problem is very difficult. A lot of libel judgments in the record are provably fraudulently obtained, not counting the ones that are outright forgeries. Default judgments, stipulated judgments—no reason to think they’re trustworthy. Deeper problem: I run a blog, someone comments negatively on Scientology, which complains. If you impose notice and takedown, I have to take it down b/c I’m in no position to judge. Judgment in hand=much smaller set w/its own problems; w/ notice regime, there will be default takedowns. Maybe that’s fine, but that’s the downside.

No one is arguing against freedom of speech, but there’s a reality that some platforms with recommendation engines/algorithms have more power than newspaper over what we will see, amplifying their content. So we should figure out a category for a digital curator that classifies companies that use behavioral data to curate and amplify content, and then the responsibility is not just in allowing the content; did the algorithm amplify it.  You’ll have to decide the thresholds, but there is a missed conversation in acting like all platforms are the same.

230 cut off development of state law to see how we can develop rules to fit a solution that is not analogous to a photocopier. These are highly curated, controlled environments they are creating. 230 represents a tradeoff, and they should give something back in public responsibility. That was the deal in common carriage. In return, they got immunity from libelous content.

230 clearly meant to reject notice & takedown b/c of moderator’s dilemma. Most of these cases would fail; moderator can’t tell what is true. Anti-SLAPP laws are also applicable.  Defamation can’t be extrapolated to things like CSAM, which is illegal under all circumstances.

If they’d fail on the merits, why have 230? It bolsters the case b/c it shows the real risk of death by 10,000 duck bites. There may be businesses w/o the wherewithal to deal with a number of frivolous lawsuits. 230 has been useful for getting companies out of litigation, not out of liability; removing burdens from court system.

DMCA has notice and takedown. Not just sole discretion of moderator, right?

It is often abused to take down obviously noninfringing material. Even if the person responds, you can still have the content down for 2 weeks, and that’s very handy in a political system. People use the system for non © purposes. 512(f) has been interpreted by the courts in ways that make it extremely difficult to enforce.

Notice & takedown is good for © but overwhelming which is why the content owners want staydown. © is always federal so there’s less of a mismatch. DMCA isn’t about illegal content (CSAM), whereas © infringement is illegal distribution, not illegal original content.

Where it gets tricky is often where the use involves fair use b/c it can be difficult to build filters/automatic process to distinguish lawful/unlawful, which matters for our discussion b/c much of the content isn’t going to be easy to figure out.

Many, many studies and anecdotal accounts of bad takedown notices. And the content companies are constantly complaining about the DMCA. The best regime is the one you’re not operating under.

Notion that 230 didn’t contemplate curation is flatly wrong. Libraries are curators; Stratton Oakmont was a curator. 230 was intended to incentivize curation.  Ultimately, what is demoting vitriolic content online to make a community less toxic? That’s curation.

There is a fourth Restatement model: 581 on distributors; was almost made up by the Restatement reporters. There’s almost no case law support for the distributor liability; Dobbs hornbook agrees that 1A would not tolerate distributor liability. It is just not the case that there were a bunch of distributor liability cases. But there is a property owner/chattel owner provision of liability: if you own a bulletin board or something like that if you’re given notice: that seems far closer than distributor liability, but the legal authority for that is also extraordinarily weak. Even if as a matter of principle there ought to be such liability, we don’t have 100 years of it. If we did, it’s unlikely to survive NYT v. Sullivan.  Cutting the other direction: to the degree there is amplification, at common law, or republication, even if purely third party content: extraordinarily strong precedent for liability for republication regardless of whether you know or don’t know defamatory content. No particular reason to think 1A would cut into the republication rule. Defamation cases that go over the top [in imposing liability] involve republication. That’s just a mistake by the courts.

A lot of harm at issue is not defamation. Illicit drugs. What if $ goes through the payment systems they host? If they know about animal torture rings, pedophilia groups, Satanic groups are hosting video—these are not hypotheticals.

CDA was about pornography, not just defamation. Indecent content is very difficult to regulate, b/c it is constitutionally protected for adults to access. 230 means that many platforms block this constitutionally protected speech b/c otherwise their platforms would be unusable. 230 allows platforms to do what gov’t couldn’t.

Should platforms be encouraged to be politically neutral in content moderation? Is it a danger we should be concerned about as more political speech occurs in private forums?

Anecdotally, conservatives think that Silicon Valley is biased against them. If you made it actionable, it would just hide better. [Leftists say the same thing, BTW.]

Invites us to have a panel where 18 engineers talk about what law professors should do better. We haven’t had any numbers here. Discussions of how companies make decisions are completely detached from how big companies make decisions. People care deeply, but all moderation is about knobs. You can invest time & effort, but when you moderate more you make more false positives and you moderate less you make more false negatives. Never sat in any meeting where people said “we’re not legally liable so who cares?”  Political bias: rules v. enforcement. The rules are generally public. Example: Twitter has a rule you can’t misgender somebody. There is nothing hidden there. Then there’s bias in enforcement; companies are very aware of the issue; it’s much larger outside of the US b/c companies have to hire people with enough English & education to work at a US tech company, and that tends to be a nonrandom subset of the population.  So that tends to be from groups that may be biased against other subgroups in that country. There are some tech/review attempted solutions to this but anecdotes aren’t how any of this works. Millions and millions of decisions are being made at scale. There’s a valid transparency argument here.

It’s a false flag to say that conservatives feel this way so it’s true. Did we take down more ads on one side than the other? We don’t know which side violated policies more, so that counting won’t work. Need criteria for what is an ad/what is abusive, and we lack such criteria. This political conversation takes away from the debate we should be having.  [Also: If you are sufficiently transparent to show what’s going on in detail that might satisfy critics, then you get a lot of complaints about how you’re sharing bad content, as Lumen has been accused of doing, and you may also provide a roadmap for bad actors.]

Transparency principles: disclose the numbers; explain to users what the rules are and which one they violated; provide an opportunity for appeal. Many companies didn’t have appeal options. We’ve seen improvements on that.

Everthing is biased, but transparency can increase understanding and trust. Build up to a fullblown standards process where all stakeholders can be in the room, big and small companies, different users. Not all use cases are the same. Also, AI is not one tech but a variety of enabling tech. Its complexity is one of the things that standard developers are grappling with. Starting with bias, risk, predictability, governance.

It’s a fact that Google held a meeting w/sr executives after the 2016 election saying it was bad, and conservative engineers were fired for their views. They should have a transparency report about this.

Of course there’s bias. The policies are deliberately complex. Not just Google. Executives admit they hire liberal staff. [There is deep confusion here between the moderators and the executives.] Twitter is the worst actor. Despite all that, companies should solve the problem themselves. These hate speech policies are garbage. EU hate speech policy would be much worse. We have a 1A here that Europe doesn’t believe in. You could ban the Bible under FB’s code, and Bible-related posts have been removed. Tens of millions of Americans are sure there’s a problem.

The problem is at scale: every single group in the world thinks they’re the one that’s targeted. Gay people, Bernie bros, conservatives. The problem is a massive amount of innumeracy and non quantitative thinking in this debate.  1000s of examples of bad decisions exist even if you’re at nine-nines accuracy. Not a single one of Google’s employees who was marching about the travel ban makes a single content moderation decision or oversees anyone who makes a content moderation decision. It is obvious that everyone in the world will not agree what speech moderation should be, and they will all think they’re the victims.

There are plenty o’ conservatives at Facebook.

Should there be any affirmative obligation on transparency in 230? New problems appear that you didn’t anticipate: people with white supremacist usernames.  You could say that adding a new rule is inconsistent/not transparent, but when you didn’t have the problem previously you have to develop some response.

Common law development is the norm w/in platforms. As FB scaled, they went from one page of instructions “if you make you feel bad, take it down” to rules that could be administered based on content. People didn’t want to see hate speech. This wasn’t conservative bias, but civil society groups & sometimes informed by European rules.  There was no reptilian brain behind it all.

To claim that things didn’t change after 2016 is a fantasy: big tech responded b/c Donald Trump won an election based on big tech.

No, that’s when you started to care about it.

Transparency: what is it really? Google’s numbers don’t really tell you how the system works, they just provide numbers of requests. Need to talk about granularity as well as scale. GDPR is another consideration. Europeans won’t allow disclosure of personally identifiable information. That means some gov’t here will have to extract that data as part of transparency.

Speaking of bias, consider the possible bias of gov’t in determining whether the platforms are biased. You can’t tell a bookstore which books to stock, and you can’t go to the NYT or Fox and require them to disclose their editorial policies in the name of appropriate transparency. Assumption that this is a matter for gov’t regulation instead of letting the market decide is a mistake, at least in the US where the 1A constrains.

Misgendering activist was kicked off Twitter for tweets she made before the anti-misgendering policy, and that’s the core of her legal claim. 230(c)(2)(A) doesn’t say “hate speech” [though it does say “otherwise objectionable” and it also says “harassing”]. You can’t have it both ways in not being responsible for 3d party speech and not being responsible for your own moderation decisions.

Other courts have said that spam is covered; other courts have wanted something more like what’s listed in (c)(2). This isn’t a 230 issue at all: the courts are recognizing that platforms themselves have 1A rights and that they cannot violate 1A rights as they are not gov’t actors. Nothing to do w/230.

As for mandatory transparency, many companies do have law enforcement transparency reports and are expanding their efforts. Reporting numbers may be a pretty dry read, but if you dig into the help pages of any number of sites, you can get a better idea of what the rules actually mean. Here is where small businesses would need a carveout; when you’ve built computer systems to do one thing, it can be very hard to convert it into another (the data you’d need for a transparency report). There’s been a transition period for companies to revamp their systems in a way that’s useful for transparency reporting.

Is the court overreading 230 and treating it as anti SLAPP statute/MTD stage?  It is an affirmative defense, and the Q is whether the elements are present on the face of the pleading? Usually there isn’t much question of whether a platform is an ISP, whether the content originated w/a third party, etc. Discovery, where it occurred, has focused on whether there was third party content, and that’s correctly limited discovery.

1A right to discriminate in policy and enforcement? Platforms, when acting in recommendation capacity like Google search/FB stories, get to decide what to include and what not to include. Doesn’t completely answer what happens solely in platform capacity: YT in what it chooses to host. One way of thinking about it: first scenario is clearly Miami Herald v. Tornillo; for the second, there’s a plausible argument that content or viewpoint neutrality rules could be imposed under Pruneyard/FCC v. Turner on what they host. The traditional model did say essentially that common carriers got total immunity, while distributors with power to choose got notice and takedown. There’s room for argument that 1A immunity requires even-handedness. Not positive it’s constitutional, but not positive it’s not either.

Evenhandedness is impossible to define. What violates the policy is the key.  Let’s talk about real victims who were connected to abuse via platforms. Conversation about political bias is a sideshow that undermines search for help for victims.

Session 2: Addressing Illicit Activity and Incentivizing Good Samaritans Online

Hypo: user posts a pornographic photo of a young woman. Individual claiming it’s her asserts it was posted w/out her consent. Platform doesn’t respond for four weeks. Alleged subject sues for damages she suffered as a result of the photo. Suppose: Anonymous user posts it; alleged subject claims it was posted when she was 13. 

Argument that 230 still doesn’t cover it: there’s an exception for crimes, including CSAM. If you look at the provisions that are covered, they include 2255 & 2252(a), both of which have civil liability.

Argument that 230 does cover it: Doe v. Bates: this case has already been litigated.  The statute is very clear about being about “criminal” law, not about civil penalties that might be part of it.

Should 230 immunize this content against civil claims? The platforms are horrified by the material, didn’t know it was there, and took action when they knew. If you have a rule that you’ll be liable in these circumstances, you’ll have platforms stick their heads in the sand. Given potential criminal exposure, this is not a real life hypothetical.

What’s the current incentive to address this? Criminal responsibility; notification obligation. And being human beings/adults in the rooms. Criminal incentive is very strong.  Even with FOSTA/SESTA wasn’t about creating federal law; they took down Backpage w/o it, it was about creating state AG authority/allowing survivors to sue.

What would FB do in this situation? FB unencrypted: Every photo is scanned against photoDNA. Assume it’s not known. All public photos are run by ML that looks for nudity. If classified as such, looks for CSAM. Would be queued for special content review; trained reviewer would classify it by what’s happening and what age the person is.  Depending on classification, if there was a new high level classification they would look for more content from the same user, directly call FBI/law enforcement.

14 year olds sending their own nude selfies violate child porn laws.


Sextortion victims are big population of CSAM material. They’re being thought of as less egregious b/c it’s not hands on abuse but suicide risk is almost doubled. In terms of 14 year olds breaking the law, feds wouldn’t look at charging them for that.

But: State law enforcement has charged 14 year olds, which is relevant to whether we ought to have more state lawsuits against people that the states blame for bad conduct.

FB doesn’t allow public nude photos. If not marked as child, would just be deleted. If reported to FB as nonconsensual, deleted and FB would keep the hash to make sure it doesn’t reappear with a better algorithm than PhotoDNA.  If the victim knew the ex had the photo, she can submit it to FB and that goes to a content moderator that can prevent it from being uploaded. That’s a controversial project: “FB wants your nudes.”

Regardless of company size, we care greatly about CSAM and NCII (nonconsensual intimate images). Everyone views responding to complaints as the baseline. Companies take idea of being in violation of criminal law very seriously. Penalties for failing to report went up significantly in 2008; criminal piece of this is so important: any state law consistent w/this section (CSAM) could be enforced.

FB is the company that does the best at finding the worst, but that’s very unusual. A child couldn’t anticipate that with every platform. No prosecutions on failure to report. The fine is $150,000 which isn’t significant for a tech company.

Not every tech company is funded like WeWork was.  In fact almost no tech companies are and the ones that are, are definitely taking action. People who aren’t deterred by $150,000 and criminal liability are rare, and where you could deter them more is by enforcement not by increasing the penalty. 

Suppose someone sues the platform for damages as a result of availability: should provisions be sensitive for different kinds of harm? If someone is threatened and then raped or murdered, that’s different than having personal information exposed. We might want to focus liability on the type of harm proved to have flowed from this.

Identity of the user Q: if there were a criminal prosecution, then the company would have to turn over the information, and also if there were a civil prosecution you can get discovery. Dendrite/similar standards can be used to override anonymity & get the info.

Platforms send responses to preservation letters telling sender they have no obligation to preserve evidence for anybody outside of law enforcement. They fight the subpoenas even though offenders are usually judgment proof. Costs $250,000 to fight subpoenas. FB automatically deletes stuff after a few months.

Platforms ought to perform an evaluation of the validity of the subpoena.

Euro data law has made platforms turn over data on 30/60 day windows, that’s global.

Deleting content is very serious; many platforms immediately delete the material reported to them. Helps criminals cover their own tracks. There needs to be some type of regulation that when toxic content is reported there’s some curative time you have to save it but not leave it up.

Reporting to NCMEC is a precedent for that.  Should be used for war crimes, not just domestic.

The process of giving us hypotheticals in isolation is a problem. Each example ignores the problem of scale: you get a bunch of these each day. And there are problems of error and abuse.  E.g., French authorities notified the Internet Archive that they were hosting terrorist content and had 2 hours to take it down. 

Hypo: terrorist uses online platform to recruit. Algorithm recommends the group to new individuals, who join in planning acts of terror. Platform gets paid for ads. Survivors of individuals killed in terror act sue under Anti-Terrorism Act.

Should look at how banks are regulated for terror and crime content. Money laundering. Financial services industry argued that they were just P2P platforms that couldn’t be regulated for storing money for illicit actors, but the US government imposed regulations and now they have to monitor their own platforms for money laundering. Terror/organized crime aren’t supposed to use banking services. You agree that your activity will be monitored, and if bank suspects you’re engaged in illicit activity, a suspicious activity report will be filed. That’s not working particularly efficiently. How can we look at systems like NCMEC or other reporting mechanisms to improve upon them? [This seems like a basic problem that money is not obviously and always illicit, like CSAM. We’ve just been hearing about NCMEC’s challenges so it seems weird to look at it for a model—the system that’s best is always the system you’re not using!]  Many companies that produce chemicals and electronics have to control their supply chains to avoid diversion by drug cartels or go to IEDs. Why does the tech industry get freedom from liability for the harms their products cause? There are 86 designated terror groups and we find activity on major social media platforms. Not fans but Hezbollah has an official website and an official FB and Twitter feed. They do fundraising and recruit.

Interagency colleagues are thoughtful about this—NSC and other alphabet agencies. They have ideas about financial services, money laundering, and that would be a productive conversation. But at the end of the day, there is still a First Amendment, and that’s your challenge. EC is de facto setting global standards for large platforms. The large platforms would like something like GDPR because those costs are sunk. EC doesn’t have a 1A hanging over them; EC is already looking at this at the member level. W/o the Brits, it could happen within a few years.

On GDPR as a potential model to get big change out of platforms: It is in fact impossible to comply w/GDPR.  The reason it kind of works is that European regulators sometimes let you fudge if they think you’re acting in good faith, though that is not without its own political bias. The kind of strict compliance regularly required by both US regulators and civil litigation is not compatible with the kind of rules that you can borrow from GDPR type regimes.  Civil liability and especially class actions are not a significant part of the European model.  Having one national regulator to answer to is very different than having to fend off lawsuits any time anyone thinks you didn’t act fast enough.

Financial services people know more than internet services: physical branches, physical IDs, etc. Scale: JPMorganChase has 62 million users and makes $80/per user; FB has billions and makes $8/user. If you want people to be charged $80/year, you can apply money laundering rules to FB and FB will have branches.

As if we know what is a terrorist organization: the platform knows there is a page. But there are anti abortion groups, anti police groups, pro Palestinian, environmental groups w/radical fringe. Somebody calls them a terrorist group. The initial hypo says that they use the service to recruit, radicalize, and promote: the 1A protects a vast range of promoting violence. Holder v. Humanitarian Law Project: Restricting interaction w/designated groups is lawful only b/c people can set up independent promotion. Liability for this would require platforms to remove content that anyone links to violence.

What if they knew it was a terrorist organization? Knowingly facilitates, solicits, profits from.

How does Google “know”?

This scenario happens all the time. FB takes down a bunch, misses a bunch. Consider how many women on the planet are named Isis. Terrorism is one of the hardest things; FB needs its own list of terrorist organizations, b/c some countries use their lists to suppress racial minorities. A lot of speech is currently overcensored b/c lots of victims are Muslims related to political Islam who are not terrorists and not enough people who matter care.

What if they knew someone was convicted of stalking on a dating app?  Assume the matching service knew that but failed to warn. Would 230 immunize that? [Again we have just decided to assume away the hardest part of the hypo: knowledge, as opposed to accusation.]

There are a number of cases that speak to when an interactive service is facilitating/participating in development, like Roommates and Accusearch. You can’t state that b/c the service is being used, it’s facilitating. It has to elicit the content in some specific way. If the site is promoting content likely to be of interest to the user, you can’t jump to that. Having seen OECD process on terrorism: when companies are saying we need to be reporting on terrorist content, whose list should we use? There is no consensus on who should be on the list. We can’t just call something a terrorist organization w/o speaking to definitions and authority.

Agencies can issue guidance if laws are unclear. Can be illustrative; could be multistakeholder process.

We’re hearing GDPR a lot with things like ICANN. We have to make a decision about whether we will kowtow to the EU. If Russians/Chinese had done GDPR, we’d be raising holy hell. Cost per customer is misleading beause the customers are actually the advertisers [though the advertisers are not the only people providing content/in need of screening, which is the source of the problem!]. Google and FB are bigger than banks and making a lot of money.  Conduct has to be where we start, not content/bias. Knowing facilitation/profiting is easier, as w/FOSTA/SESTA. Didn’t have the ability to pierce the veil w/Backpage b/c of 230. The reason Backpage went down was a Senate investigation and then the DOJ, but state AGs couldn’t do it and survivors couldn’t—stopped at the courthouse steps.

Gov’t should have a higher burden of proof for identifying terrorists, but the blanket immunity is a problem. Tech platforms know that if all else fails they can fall back on immunity. Hard cases are always extremely complicated. Blanket immunity can’t be sustainable.

Shady company, MyEx, charged people to take down pictures that had been posted of them, and sometimes they wouldn’t even take them down. FTC shut down the site. There are ways to deal w/some of these issues that don’t involve rebalancing 230. Law enforcement is super important here, and resources for that are really important.

Are we concerned w/230 invoked against FTC? 

State of Nevada was on MyEx case as well. This was §5 deception, not about third party content. We can make those cases. If the companies are doing something, we can go after that. 230 doesn’t help them if they’re actually doing the stuff.  MyEx didn’t raise 230, but it wouldn’t have helped.

See also: Accusearch.

Civil suits are by nature anecdotal and not scaleable. Every individual should have the right to bring these cases. [But if you don’t have strict liability, then most of them should lose.] Extreme cases w/nothing to do with speech are getting thrown out of court—P is suing for an offender’s conduct, like creating fake profiles and sending people to someone else’s home. Grindr is an important case b/c the product itself facilitated the harm. It wasn’t encouraging violence. It was the actual mode of the violence. The words the offender used in his DMs weren’t important to the cause of action. Cts have interpreted 230 so extravagantly. Companies don’t have to build safer products. One victim was murdered by a first date on Tinder, and another person had been raped earlier that week, and yet he still got to use that dating app. How do we stay safe against these platforms?

Proposed changes to 230 that add words to limit it more to speech. E.g., add “in any action arising out of the publication of content provided by that information content provider.”  230 has been interpreted to short circuit all this analysis. Shouldn’t apply to commercial transactions: a dog leash that blinds someone. If these actions happened in physical space, they wouldn’t be treated as speech. [In cases on false advertising, who is responsible for the false advertising is very much an issue; the retailer is not, according to a wave of recent cases. I actually think the case for Amazon’s product liability is fairly strong, but 230 hasn’t precluded it.]

The proposed change doesn’t do useful work. Courts have to have a sense of what information doesn’t constitute speech. There is no well defined principle; Sorrell v. IMS makes clear that data is speech.  It’s not going to do what you want it to.

Tech always wins; we need some unpredictability.

Unpredictability is not an asset in these situations; find a rule that predictably yields the result you want. Immunity for Amazon: the reason isn’t that leashes are treated as info but not as speech; the reason is that Amazon is a place for people to publish certain information and Amazon can’t be held liable; the ad for the leash is info and speech. There are things you can do, but these suggestions aren’t those things.  If you require speech to be an element of the tort for 230 to apply, then people will just assert IIED instead of defamation [though Hustler says you can’t do that for 1A purposes]. Would leave disclosure of private facts immune (including revenge porn) but not IIED.  If you have in mind some particular kinds of harm to regulate against, like revenge porn, you can do that, but if you’re trying to do that based on elements of the offense, the proposal won’t work very well.

Reasonability could be done a lot of different ways: safe harbors, best practices.

There have only been 2 federal criminal cases: Google and Backpage. It’s not enough resources to go after the wide range of criminal activity. Frustrated by discussion that hasn’t looked at major criminal organizations that have infested major platforms. They should have responsibility to take reasonable steps to keep the content off their platforms. Particularly critical for fentanyl sales, but there are other issues ranging from wildlife crime to gun sales to antiquities and artifacts in conflict zones. Illicit networks are weaponizing platforms: hosting chatrooms where organized crime takes place.

Lack of data about use of 230 is important. There are a number of 230 cases involving discovery. There are a number of cases rigorously applying the exceptions. We’re aware of a decent number of cases where the conduct of the platform was more than sufficient for the court to find liability. Reviewed 500 most cited 230 cases, and before we rush to change 230 it would be helpful to have a full understanding of how it’s applied.

Is blanket immunity still justified now that sites are using E2E encryption and thus can’t comply with process to hand stuff over?

EARN IT: Every word other than “that” will be subject to litigation. Even if you assigned it to a commission, that will be litigated. Full employment for lawyers but not great for clients. As you think of proposals, don’t think about FB. Think about the Internet Archive, or Wikimedia, or newspaper comments section. The individual user is who 230 protects. Encryption: vital to many good things; there’s no way you can build E2E encryption that works only for certain, good people. It works for everyone or it doesn’t work at all. People would like that not to be true.

EARN IT: substantive Q of tying immunity to encryption; procedural Q of how it’s done. Procedural answer is straightforward: EARN IT Act is terrible way to do it. (1) Can’t give rulemaking authority to DOJ—there are many equities. (2) This is a high level policy tradeoff that should properly be done by the legislature. Like nuclear power: big risks, big benefits. (3) Bad politics. 230 is already so complicated. Adding the only thing that is more complicated than 230 is bad. (4) Kind of trolling/encouraging pointless disputes: creates a committee, then gives authority to AG.

Possible for a site to ignore the AG as long as it’s not reckless; do have to take some liability if people start distributing child porn on their network if they’re reckless about it. [But how do you decide whether enabling encryption is reckless?] Just stopping looking for child porn is the same thing as encrypting all the traffic.  [That seems like the wrong causation to me, which I suppose makes me a supporter of the doctrine of double effect.] Companies are capturing all the benefit of encryption and offloading costs onto victims of child porn. If E2E is such a great idea, the costs o/weigh the benefits and we should put them on the same actors, the guys selling the encryption. [Wait, that’s not recklessness. That’s a description of strict liability/liability for ultrahazardous activities, unless you have predetermined that using encryption is reckless.  If the standard is truly recklessness, then if the benefits outweighed the costs, it shouldn’t be found to be reckless.]

4th Amendment impact: platforms know they should never take direction from law enforcement. If we act as agents of gov’t, we violate 4th A rights. If you legally have to look for child porn and have to report it, hard to argue you’re not an agent of the state doing a nonwarranted search on every piece of content from the service. Zuckerberg would love this law b/c it would solve his Tiktok and Snapchat threats. E2E encryption is the best way to turn a massive data breach that could destroy the company—or the nation—into a bad weekend. One of our only advantages we have over China is trust, and protecting private info is how we get trust. Destroy encryption=Longterm harm to competition and national security. FB has stopped terrorist attacks; handed info to law enforcement. If you want platforms to do it, has to be voluntary and not involuntary.

4th amendment is a gray area: have to lean into the tough area to protect children. 2 issues on encryption: DOJ’s issue is law enforcement access. NCMEC’s issue is detecting the abuse and being able to make the report. Encryption works to block both. If you don’t see the child, law enforcement action is irrelevant. Has heard from technologists that E2E is wonderful; got to find a way to blend the power of that tool w/child protection measures. 12 million reports is too many reports to lose.

People are working on options other than law enforcement back doors.

No comments: