Internet drug sales have skyrocketed in recent years, allowing powerful narcotics to be peddled to American teenagers and adolescents. Itâs a trend thatâs led to an epidemic of overdoses and left countless young people dead. Now, a bill scheduled for a congressional vote seeks to tackle the problem, but it comes with a major catch. Critics worry that the legislative effort to crack down on the drug trade could convert large parts of the internet into a federal spying apparatus.
Cecilia Rose Gooding on the Writers Strike | io9 Interview
The Cooper Davis Act was introduced by Kansas Republican Sen. Roger Marshall and New Hampshire Democrat Sen. Jeanne Shaheen in March and has been under consideration by the Senate Judiciary Committee for weeks. Named after a 16-year-old Kansas boy who died of a fentanyl overdose two years ago, the bipartisan bill, which the committee is scheduled to vote on Thursday, has spurred intense debate. Proponents say it could help address a spiraling public health crisis; critics, meanwhile, see it as a gateway to broad and indiscriminate internet surveillance.
Gizmodo spoke with the American Civil Liberties Union and the Electronic Frontier Foundationâtwo organizations involved in the policy discussions surrounding the bill. Both groups expressed concern over the impact the proposed law could have on internet privacy. âThere are some very real problems with this billâboth in how itâs written and how itâs conceptualized,â said India McKinney, an analyst with the EFF.
Critics argue that, at its worst, the bill would effectively âdeputizeâ internet platforms as informants for the DEA, creating an unwieldy surveillance apparatus that may have unintended consequences down the line.
The Problem: The Amazon-ification of Drug Dealing
The Cooper Davis Act seeks to solve a very real problem: The ease with which drugs can now be purchased online. Back in the day, buying drugs used to be a slog. First, you had to know a guyâtypically not a super pleasant or well-groomed one. Then, you had to meet up at said guyâs apartment or a street corner, where your plug would dole out the goods. It was an entire ordeal, filled with paranoia and inconvenience. But these days, buying drugs is a lot simpler. In fact, to hear federal officials tell it, buying narcotics is currently about as easy as DoorDashing a burrito. Thatâs because drug sales on social media platforms have exploded, creating a streamlined drug-buying experience that puts an entire black market at young peopleâs fingertips.
The negative impacts of this trend are obvious: reporting shows that powerful opioids are being pushed into the hands of young people through platforms like Facebook, Instagram, and Snapchat. Young people will seek out prescription medicationsâstuff like Xanax, Oxycontin, and Vicodinâonly to be sold counterfeit pills that have secretly been laced with fentanyl or meth (this is done because of the narcoticsâ cheapness and addictiveness). Teenagers looking to score will then be delivered fatally powerful drugs, which end up killing them.
What the Cooper Davis Act would do
In an attempt to solve this dizzying drug crisis, the Cooper Davis Act has proposed a radical strategy: according to the most recent version of the bill text, which was shared with Gizmodo by the ACLU, the law would require âelectronic communication service providers and remote computing servicesâ to report to the U.S. Attorney General any evidence they discover of âthe unlawful sale and distribution of counterfeit substances and certain controlled substances.â What this means is that large tech companiesâeverything from social media giants like Instagram, Facebook, and Snapchat to cloud computing or email providersâwould be legally required to report certain types of drug activity (basically anything having to do with fentanyl, meth, and counterfeit prescription medications) to the federal government if the company became aware of the drugs being bought or sold on their platforms.
That might theoretically sound like a good idea but the big question is: how, exactly, are platforms supposed to figure out who is a drug dealer and who isnât? That part isnât made clear by the legislation. What is clear is that, under the new law, platforms would be required to surrender large quantities of user data to the government if they suspected a particular user of wrongdoing. That data would be packaged into a report and sent to the DEA and would include…
…the [userâs] electronic mail address, Internet Protocol address, uniform resource locator, payment information (excluding personally identifiable information), screen names or monikers for the account used or any other accounts associated with the individual, or any other identifying information, including self-reported identifying information…
Additionally, platforms would also have the discretion to share even more data with the government if they felt likeâincluding private communications like DMs and emails. Meanwhile, companies that failed to report evidence of drug offenses could face steep fines. A first failure to report drug activity could result in fines of up to $190,000 per violation, while each additional offense after that could see fines of up to $380,000 per violation.
Why the Cooper Davis Act seems like a bad idea
Critics see a number of dangers inherent in the Cooper Davis Act, but the biggest is that it could effectively subvert Americansâ already limited Fourth Amendment protections when it comes to the internet. âRight now, federal law protects user data and limits the ways that platforms and other entities can share it with law enforcement,â Cody Venzke, senior policy counsel with the ACLU, tells me. But Cooper Davis âwould explicitly create an exception to those protections,â he said.
In theory, the Fourth Amendment is supposed to prohibit warrantless search and seizure of private property, meaning cops canât bust down your door and dig through your stuff without a court order. This principle works pretty well in the real world but gets decidedly murky when it comes to the web. Because so much of Americansâ âpersonalâ data is now stored by proprietary online platforms, itâs hard to say that this data is actually owned by the user. Instead, itâs really owned by the company, which means that if the company wants to share âyourâ data with the government, itâs usually well within its rights to do so.
Still, companies arenât necessarily looking to do that on a regular basis and web usersâ privacy is partially protected from government searches of corporate data by the Stored Communications Act, a 1986 law that stipulates police must secure a warrant or a subpoena before they can rifle through someoneâs digital accounts. But the SCA already suffers from a number of loopholes and critics point out that the Cooper Davis Act would carve out yet another exception when it comes to drug-related activity. The SCA is specifically supposed to protect web usersâ private communications, forcing cops to retrieve a warrant before they search them. However, Venzke says that, under the most recent version of the Cooper Davis bill, internet service providers are given the power to âhand over messages, emails, private posts,â and other personal communications to law enforcement âwith no notice to the user, no judicial oversight, and no warrant.â
This bill would do more than whittle away Americansâ online rights, however. In essence, it would deputize large parts of the internet as an unofficial wing of the federal governmentâoffloading some of the investigative work from police agencies onto the shoulders of major tech firms. Instead of the DEA having to find a narcotics suspect and then secure a court order for that personâs digital records, tech companies would be responsible for finding the suspect for the DEA and would then be obligated to send the government a ton of information about that web user, all without any sort of involvement of the court system.
The Cooper Davis Act might have unintended consequences
The premise of Cooper Davis is disturbing enough, but even more alarming are the lawâs lack of technical details. The bill plops a hefty responsibility onto web companies (identifying and reporting criminal suspects) but does almost nothing to elucidate how they should go about doing that.
Companies looking for a roadmap would likely end up turning to another federal policy known as 2258A. Venzke says that the Cooper Davis Act is actually modeled off of 2258A and that it uses similar policy and language. This longstanding law requires web companies to report child sexual abuse material to the federal government if the companies become aware of it on their platforms. Under this regulation, web platforms are obligated to report suspected child abuse material to the CyberTipline of the National Center for Missing and Exploited Children, a federally funded nonprofit established by Congress to combat child abuse. NCMEC, in turn, forwards the reports it receives to relevant law enforcement agencies for further investigation.
Over the years, companies like Facebook, Apple, and Google have addressed 2258Aâs reporting requirements by developing a sophisticated surveillance system designed to detect abuse material when itâs uploaded to their sites; the system leverages a database of cryptographic hashes, each of which represents a known child abuse image or video. Companies then scan user accounts for matches to these hashes and, when they get a positive hit, they forward the userâs relevant data to NCMEC.
However, when it comes to online drug activity, things are decidedly more complicated. Unlike the problem of CSAMâin which a database of known prohibited material can be compiled and scanned againstâitâs far from clear how companies would reliably identify and report suspected drug activity. Online drug transactions are largely carried out under the cover of coded language, using oblique terms and signals. How are companies supposed to sift through all that without driving themselves (and their users) insane? Â
âIf platforms are actively monitoring for fentanyl [sales], theyâre going to have to look for a lot more than images and videos,â said Venzke. âTheyâre going to have to dig through speech, theyâre going to have to look at emojis, theyâre going to have to try to infer user intent.â Since the bill does little to stipulate how reporting will be conducted, it will be up to the companies to figure out how to do all this. This could easily lead platforms to build their own internal surveillance systems, the likes of which are designed to monitor how platform users interact in an effort to ferret out drug activity. In this scenario, the likelihood that platforms would end up reporting a lot of âfalse positivesâ to the government (i.e., people suspected of drug activity who, in reality, have done nothing wrong) would be high, Venzke says.
âContent moderation of this sort, at scale, is really, really, really hard,â McKinney agreed. âAs good as AI is, context matters. A word should not be enough to trigger extra surveillance.â
Overall, critics feel the law could be a disaster for internet privacy.
âThe point of the Constitution, the point of the Fourth Amendment…is that the government is supposed to be constrained as to what theyâre allowed to access about our private thoughts,â said McKinney. âObviously the government doesnât like being constrained. They want to be able to see everything.â
Venzke, meanwhile, said he and his colleagues were âholding their breathâ until the vote goes through. âThe Senate Judiciary has been proactive in addressing folksâ safety online, but unfortunately theyâve done it by undermining free speech and privacy online, which is not the right approach…Weâre hoping folks will stand up for our privacy rights and that the bill will be pulled from consideration.â
Gizmodo reached out to the offices of Senator Marshall for comment but did not hear back. We will update this story if we do.
