CommLaw Monitor
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor
News and analysis from Kelley Drye’s communications practice group
Feed updated Wed, 03 Jul 2024 01:30:13 -0400

NIST Wastes No Time in Implementing the IoT Cybersecurity Act of 2020
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/nist-wastes-no-time-in-implementing-the-iot-cybersecurity-act-of-2020
Fri, 18 Dec 2020 17:44:11 -0500

Last week, we told you that President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The Act is the first of its kind at the federal level, aimed at protecting the security of IoT devices and services in the marketplace. The Act governs federal purchases of IoT devices and services but is intended to leverage the purchasing power of the federal government to affect the broader IoT market indirectly. Thus, without (yet) setting standards for all IoT devices and services, the legislation nevertheless is significant whether or not a company sells its product to the government.

The core of the legislation is a requirement that the National Institute of Standards and Technology (“NIST”) issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. These standards are then to be incorporated by the Office of Management and Budget and, in turn, in federal procurement standards.

As we noted, this work in standards development at NIST was already far along, with NIST having issued a Core Baseline for IoT Device Cybersecurity in June. Not surprisingly, NIST was ready for the Act’s mandate, and on December 15 issued four additional documents for comment. As NIST explained in a blog post, these four new documents “expand the range of guidance for IoT cybersecurity, with the goal of ensuring IoT devices are integrated into the security and privacy controls of federal information systems.”

To begin, NIST had already issued two key documents, the Core Baseline documents. Specifically, the first two documents in the NISTIR 8259 series, NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline, identified the technical requirements IoT device manufacturers should address in securing their IoT devices. The new documents are designed to enable these principles to be applied to federal purchases of IoT. They are:

  • SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements. This document provides guidance for federal agencies seeking to integrate IoT devices and services into their systems and infrastructure. SP 800-213 offers recommendations on considering system security from the device perspective and is intended to enable the federal customer to identify device cybersecurity requirements — the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties.
  • NISTIR 8259B, IoT Non-technical Supporting Capability Core Baseline. This document is a complement to the previously released NISTIR 8259 documents. In particular, NISTIR 8259B details additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties.
  • NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline. This document takes the general guidance provided for in the Core Baseline – which is written for a generic IoT device – and provides a process for applying the baseline to specific industries or uses. It details a process that an organization may use to integrate the generic baselines with organization-specific or application-specific requirements (e.g., industry standards, regulatory guidance), thus yielding an IoT cybersecurity profile suitable for specific IoT device customers or applications.
  • NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government. Finally, this document follows the above process to develop a profile for federal government IoT uses and provides a device-centric, cybersecurity-oriented profile that also incorporates FISMA criteria for security.

The NIST documents are merely drafts at this time. Interested parties are invited to offer comment on the draft documents on or before February 12, 2021. We recommend that any IoT device manufacturer or service provider review this new guidance carefully and consider offering comments to NIST. As we’ve noted before, even if a provider does not intend to offer service to the federal government, it is foreseeable that this guidance could become a de facto standard for IoT device security.

President Signs IoT Cybersecurity Act of 2020
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/president-signs-iot-cybersecurity-act-of-2020
Wed, 09 Dec 2020 12:27:18 -0500

On December 4, 2020, President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The legislation, H.R. 1668, passed the House in September and the Senate in November.

The Internet of Things Cybersecurity Improvement Act of 2020 draws upon work that the National Institute of Standards and Technology (“NIST”) has been doing to address cybersecurity for IoT devices. Referencing work done over the summer on IoT device cybersecurity, the Act directs NIST to issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. NIST, which already was working on the federal profile of IoT uses, is directed to issue these guidelines by March 4, 2021. Within 6 months of that date, the Office of Management and Budget is to review agency information security policies and principles based upon NIST’s guidelines. And, adding a hammer to the incentives, federal government acquisition standards are to be revised to implement these standards. In other words, federal contractors will be required to adhere to the NIST standards in IoT devices sold to the federal government.

The goal of indirect IoT regulation was overt in the legislation. In a press release accompanying passage of the Act by the Senate, Senators Mark Warner (D-VA) and Cory Gardner (R-CO) expressly stated their goal that “leveraging the purchasing power of the federal government…will ultimately help move the wider market towards greater cybersecurity.” As we warned when NIST initiated its IoT device security guidance, non-binding standards can quickly become de facto regulations. That result is obvious here.

In addition, a second objective of the IoT Cybersecurity Improvement Act is to develop standards for the reporting of vulnerability information relating to federal IoT uses. Specifically, NIST is directed to develop guidelines for reporting, coordinating, publishing, and receiving information about a security vulnerability to information systems owned or controlled by the federal government (including but not limited to IoT vulnerabilities). These guidelines are to be aligned, to the maximum extent possible, with international standards adopted by the International Standards Organization and should provide guidance on both disclosing the vulnerability and disseminating information about the resolution of the security vulnerability. NIST is directed to develop these standards by June 2021.

This legislation adds to an already busy plate for NIST’s IoT and cybersecurity programs. But this legislation adds some teeth to the activities, making NIST an agency to watch in 2021.

Section 230 Executive Order Strikes Back at Twitter, But Legal Impact Likely to be Limited
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/section-230-executive-order-strikes-back-at-twitter-but-legal-impact-likely-to-be-limited
Tue, 02 Jun 2020 19:26:05 -0400

In a move spurred by Twitter’s decision to fact-check a pair of President Trump’s tweets, the president recently signed a multi-pronged “Executive Order on Preventing Online Censorship” with the claimed intention of stopping online platforms from making content moderation decisions that discriminate against particular viewpoints. The President, along with other conservative political figures and commentators, has frequently claimed that social media platforms have used content moderation practices to stifle conservative speech. The Executive Order ("EO") evokes the First Amendment, calling online platforms the 21st century “public square,” where people go to express and debate different views, and saying the allegedly biased content moderation practices undermine that free expression.

The most controversial aspects of the order are its interpretation of Section 230 of the Communications Decency Act ("CDA")—the statutory provision that shields online service providers from liability for user-generated content and the decisions they make about how to moderate that content—and its attempt to prompt the Federal Communications Commission ("FCC") to adopt regulations further interpreting the law. Reform of Section 230 has been under consideration in Congress for years, with Republicans and Democrats both offering different—and mostly contrary—critiques about how online platforms have failed to act in accordance with the statute while also benefitting from the liability protections.

Other directives in the EO attempt to elicit other parts of the federal government to discipline online platforms for their content moderation practices. Absent Congressional action, the EO’s directives appear to stand on shaky legal ground and are likely to have limited legal impact. However, the issuance of the EO alone may be unlawful, at least according to a complaint challenging the constitutionality of the EO filed with the U.S. District Court in D.C. by the Center for Democracy & Technology ("CDT"). According to the complaint, the EO violates the First Amendment, which strictly limits the government’s ability to abridge speech, by retaliating against Twitter for exercising its right to comment on the President’s statements and because it “seeks to curtail and chill the constitutionally protected speech of all online platforms and individuals” by demonstrating the government’s willingness to retaliate against those who criticize the government.

Seeks to “Clarify” the Scope of Section 230 Immunity Through FCC Regulations

Section 230 gives online service providers immunity from liability in two ways. First, Section 230(c)(1) says that online services are not the “publisher or speaker” of the user content they host. Publishers and speakers can be held liable for language that is, for example, libelous or defamatory. This clause prevents online services from being subject to lawsuits making such claims, while preserving the ability to bring direct suits against the users who actually generate the content. Second, Section 230(c)(2) says that online service providers cannot be held liable for “any action voluntarily taken in good faith to restrict access to or availability of material that [it] considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected.” This clause is designed to prevent online services from being deemed publishers when they make decisions about what user-generated content to remove. Its intent originally was to remove disincentives for online service providers to employ blocking and filtering technologies to protect children from online pornography.

The EO purports to clarify the scope of the immunity available under Section 230. Specifically, the EO says that online providers are not acting in “good faith” when they claim to be forums for free and open speech but instead engage in “deceptive or pretextual actions (often contrary to their stated terms of service) to stifle viewpoints with which they disagree.” According to the EO, under these circumstances, the online services are editorializing and therefore acting as publishers, in which case, the EO says the online services should lose their immunity under Section 230(c)(2). This interpretation, which is largely contrary to more than two decades of court precedents, would effectively mean that online services could be held liable for all the content their users post if it is determined their content moderation practices are biased.

To effectuate this interpretation, the EO sets out two directives. First, it directs “all executive departments and agencies [to] ensure that their application of section 230(c) properly reflects the narrow purpose of the section.” This directive is unlikely to carry any weight, as Section 230 is applied not by federal agencies but by courts, which are not subject to presidential directives. Second, the EO directs the National Telecommunications and Information Administration ("NTIA") to, within 60 days, file a petition for rulemaking asking the FCC to propose regulations to further clarify the circumstances under which an online service can lose its liability protection when it “restricts access to content in a manner not specifically protected by subparagraph (c)(2)(A),” and the conditions under which such restrictions are not made in “good faith.”

Absent additional authority delegated by Congress, the FCC is unlikely to actually implement such regulations. The Commission has been reluctant to extend regulation to edge providers, such as online platforms, and its legal authority to do so has been debated. While the CDA technically added Section 230 into the Communications Act—the FCC’s regulatory sandbox—the Communications Act does not have any legal hooks that allow the agency to regulate online platforms and Section 230 itself does not provide the agency with any such independent authority. Tellingly, the FCC did not implement Section 230 in 1996 when the provision was added to the Act and does not have any rules on its books that interpret Section 230. Even if the FCC does have such authority, current leadership has already made clear, in the Restoring Internet Freedom order, that it does not want the agency to be the arbiter of neutrality for Internet service providers, which it ostensibly has the authority to do, let alone the arbiter of neutrality by online platforms, over which it has no explicit authority. While all five Commissioners released statements after the EO, three Commissioners expressed opposition or strong skepticism of the “good faith” concept. Thus, even if NTIA were to file a petition for rulemaking, new rules appear unlikely.

Other Directives in the Executive Order

While the directives above have received the most attention, the EO includes four other directives designed to penalize online platforms that engage in alleged viewpoint discrimination.

  • Review Government Spending to Online Platforms – The EO directs executive branch departments and agencies to, within 30 days, assess their advertising and marketing spending on online platforms and report their findings to the Office of Management and Budget, while also directing the Department of Justice to “review the viewpoint-based speech restrictions imposed by each online platform identified in the report[s]” and assess whether any “are problematic vehicles for government speech due to viewpoint discrimination, deception to consumers, or other bad practices.” Conspicuously absent is an actual directive for departments and agencies to limit federal spending to such online platforms.
  • FTC Review of Content Moderation Practices – The EO directs the Federal Trade Commission ("FTC") to “consider taking action” using its authority under Section 5 of the FTC Act to determine whether online platforms have engaged in unfair or deceptive acts or practices by “restrict[ing] speech in ways that do not align with those entities’ public representations about those practices,” which is something the FTC was already permitted to do. The FTC is also required to consider whether to develop a report describing the apparent 16,000 complaints that the White House received through its “Tech Bias” reporting tool.
  • State Review of Content Moderation Practices – The EO directs the Attorney General to establish a working group to assess potential enforcement of state statutes prohibiting unfair or deceptive acts or practices against online platforms, develop model legislation for states that do not have such authority, and collect information regarding various practices by online platforms that could amount to viewpoint discrimination.
  • Federal Legislation – The EO directs the Attorney General to “develop a proposal for Federal legislation that would be useful to promote the policy objectives” of the EO.

Initial Reactions and Potential Outcomes

The order has garnered substantial criticism from online industry advocates and civil liberties groups alike. Among the online platforms, Twitter seemed undeterred by the EO, calling it a “reactionary and politicized approach” and promptly labeling another Trump tweet for glorifying violence in violation of its terms and conditions. Meanwhile, Facebook CEO Mark Zuckerberg, while critical of the EO, also critiqued Twitter’s actions, saying that social media companies should not be the arbiters of truth.

Initial reactions from the FCC Commissioners have been mixed. Republican Commissioner Carr was most supportive of the move, saying he welcomed the EO and its call for guidance on the “good faith” limitation in Section 230. Democratic Commissioner Rosenworcel had a contrary take, saying the EO would turn the FCC into the “speech police.” Both Commissioner Starks (a Democrat) and Commissioner O’Rielly (a Republican) avoided any direct criticism of the EO but affirmed the First Amendment’s important role in the issue. Chairman Pai largely stayed out of the fray, saying that the agency would “carefully review any petition for rulemaking” filed by NTIA. NTIA has not commented on the Executive Order.

The FTC commissioners have been silent on the EO, but the agency’s spokesperson, Peter Kaplan, said that “[t]he FTC is committed to robust enforcement of consumer protection and competition laws, including with respect to social media platforms, and consistent with our jurisdictional authority and constitutional limitations.”

Any substantive action at the FCC is likely months away, at best. NTIA has until July 27, 2020, to file its petition with the FCC, on which the FCC has no obligation to act. If the agency does respond, it may seek comment on whether to initiate a rulemaking first, before initiating a Notice of Proposed Rulemaking. Given the constitutional implications, the FTC may also hesitate to act in accordance with the EO. Regardless, we don’t expect any substantive action in 2020, if at all, particularly in light of the pending legal challenge by CDT. In the meantime, the impact of the EO will largely be political, not legal, while the purpose, meaning and fate of Section 230 is almost certain to be debated in Congress for years to come.
