Open Letter to Chairman and Ranking Member
of Senate Committee on the Judiciary

11 June 2025

The Honorable Chuck Grassley
Chairman, Senate Committee on the Judiciary

The Honorable Dick Durbin
Ranking Member, Senate Committee on the Judiciary

STOP CSAM Act Threatens Everyone’s Online Safety and Security

Dear Chairman Grassley, Ranking Member Durbin, and Members of the Committee,

The Internet Society writes to express strong concern with the Strengthening Transparency and Obligations to Protect Children Suffering from Abuse and Mistreatment Act (STOP CSAM Act) of 2025.

The Internet Society works to help people everywhere have an Internet experience that is safe, secure, and protects them online. We strongly believe in the importance of supporting and empowering people to be safe online—especially protecting against child sexual exploitation and abuse. Unfortunately, this bill is not the solution to address these horrific crimes.

We raised concerns with the Committee that the STOP CSAM Act of 2023 would cause unacceptable risks to the operation of the Internet and threaten everyone’s online privacy and security. Despite some progress in the last Congress, our concerns have grown with the 2025 version of the STOP CSAM Act.

Everyone, especially vulnerable children, would be at more risk of harm under the STOP CSAM Act with weakened privacy and security protections.

The bill would also create massive barriers for growth and innovation in the United States tech sector. It would threaten the foundation of the Internet, and the ability of American companies small and large to compete globally.

While we have several concerns with the STOP CSAM Act, our focus is on the broad scope and sweeping civil liability the bill would introduce by amending 18 U.S.C. § 2255 (Section 2255). Those amendments in Section 5 of the bill pose an existential threat to the Internet and crucial security technologies that keep children and vulnerable people safe online. This section must be removed or significantly revised.

Civil Liability Amendment in STOP CSAM

The bill would put people and organizations of all sizes at legal risk for developing or operating software or services the Internet depends on—even if they don’t have knowledge of criminal activity occurring on their products or services.

United States law already empowers child abuse victims to bring cases against offenders in criminal and civil courts. Civil cases for statutory damages are brought under 18 U.S.C. § 2255. The STOP CSAM Act would amend this civil liability in two important and concerning ways:

1. Any person, company, or nonprofit that operates part of the Internet ecosystem or distributes software used in Internet communications could be held liable.
2. People or organizations that implement security best practices to encrypt data transmitted or stored on their services could be held liable for being “reckless” in actions that “facilitate” or “promote” communications over the Internet.

The Internet’s infrastructure is made up of many services that range from providing access to the Internet to making it faster, more secure, and more reliable for everyone. Many of these are neutral services, or “mere conduits,” that store, host, or deliver data—including caching, hosting, and content delivery network (CDN) services. Despite having no way of knowing what data packets—small segments of information transmitted over networks—contain, these providers could be held liable under a “reckless” standard.

The encryption technology we rely on for everyday online security—from protecting our banking transactions, to keeping sensitive medical information confidential, or guarding children’s data against cybercriminals and predators—could be used as reason to hold a service liable for “reckless” operations. This is a significant threat to normal, secure operations of the Internet.

Encryption Protects Children from Grooming and CSAM

Chances are that you are currently using encryption to stay safe online. End-to-end encryption makes sure nobody can get your passwords, payment information, or access photos of your children or grandchildren on your phone or computer.

If you are a parent or care for children, using encrypted tools and services is one of the best ways to keep your children safe online. This is why the Internet Society has a Parents’ Guide to Encryption.

End-to-end encryption can keep your baby monitor from being accessed by intruders or your teenager’s messages with friends safe from snooping. It also keeps your family photos and videos safe in the cloud.

Imagine 12-year-old Kevin chatting with his friends online using a messaging app. His parents can block message requests from unknown users, and end-to-end encryption keeps his photos and messages safe from even the app company, protecting against grooming or sextortion. This is not just a hypothetical. It’s a real and scary challenge parents everywhere are navigating, including at the Internet Society. We believe encryption is an important part of the solution to protect children.

We Forget Internet Infrastructure Services Until They Don’t Work

We are constantly online. The Internet just seems to work, but that speed and resilience would be put at risk by this bill. Many small companies, even individuals and nonprofits, operate online services that protect us and make up the foundation of the Internet.

Faced with potential civil liability for the broad category of “conduct relating to child exploitation,” Internet services could be forced shut down or undermine security and privacy protections to protect against liability.

Most Internet traffic is encrypted. This means many Internet service providers cannot view the contents of data flowing across their networks. To protect against liability, Internet intermediaries could refuse to carry this encrypted traffic on their services, putting people and businesses at higher risk of cybercrime and national security threats.

New Barriers for the US Technology Industry

Introducing broad civil liability for a broad range of Internet and software services will create significant barriers for US technology innovation and leadership. It will undermine the ability of new US companies to grow or compete in overseas markets and limit investment in the US technology sector.

For smaller companies, even the threat of a civil lawsuit enabled by this legislation could be untenable. For interactive computer services that attempt to avoid civil liability by undermining the security and privacy of their services, the economic damage can also be severe. Weakened security can leave American businesses more exposed to costly cyberattacks and intellectual property theft.

Likewise, forcing businesses to weaken security practices would significantly raise the cost of doing business in the US. This could further increase the cost of cyber insurance making it difficult for small and medium businesses to afford higher premiums with increased cybersecurity risk. These businesses will also face challenges in foreign markets with less secure products.

We look forward to working with Congress to develop solutions that effectively protect children online and preserve the foundation and security of the Internet.

Sincerely,

John Perrino
Senior Policy and Advocacy Expert
Internet Society

Ryan Polk
Director, Internet Policy
Internet Society

CC: Members of the Senate Committee on the Judiciary