The Cooper Davis Act seeks to solve a very real problem: The ease with which drugs can now be purchased online. Back in the day, buying drugs used to be a slog. First, you had to know a guy—typically not a super pleasant or well-groomed one. Then, you had to meet up at said guy's apartment or a street corner, where your plug would dole out the goods. It was an entire ordeal, filled with paranoia and inconvenience. But these days, buying drugs is a lot simpler. In fact, to hear federal officials tell it, buying narcotics is currently about as easy as DoorDashing a burrito. That's because drug sales on social media platforms have exploded, creating a streamlined drug-buying experience that puts an entire black market at young people's fingertips.

The negative impacts of this trend are obvious: reporting shows that powerful opioids are being pushed into the hands of young people through platforms like Facebook, Instagram, and Snapchat. Young people will seek out prescription medications—stuff like Xanax, OxyContin, and Vicodin—only to be sold counterfeit pills that have secretly been laced with fentanyl or meth (this is done because of the narcotics' cheapness and addictiveness). Teenagers looking to score will then be delivered fatally powerful drugs, which end up killing them.

In an attempt to solve this dizzying drug crisis, the Cooper Davis Act has proposed a radical strategy: according to the most recent version of the bill text, which was shared with Gizmodo by the ACLU, the law would require "electronic communication service providers and remote computing services" to report to the U.S. Attorney General any evidence they discover of "the unlawful sale and distribution of counterfeit substances and certain controlled substances." What this means is that large tech companies—everything from social media giants like Instagram, Facebook, and Snapchat to cloud computing or email providers—would be legally required to report certain types of drug activity (basically anything having to do with fentanyl, meth, and counterfeit prescription medications) to the federal government if the company became aware of the drugs being bought or sold on their platforms.

That might theoretically sound like a good idea, but the big question is: how, exactly, are platforms supposed to figure out who is a drug dealer and who isn't? That part isn't made clear by the legislation. What is clear is that, under the new law, platforms would be required to surrender large quantities of user data to the government if they suspected a particular user of wrongdoing. That data would be packaged into a report and sent to the DEA and would include...

...the [user's] electronic mail address, Internet Protocol address, uniform resource locator, payment information (excluding personally identifiable information), screen names or monikers for the account used or any other accounts associated with the individual, or any other identifying information, including self-reported identifying information...

Additionally, platforms would have the discretion to share even more data with the government if they felt like it—including private communications like DMs and emails. Meanwhile, companies that failed to report evidence of drug offenses could face steep fines. A first failure to report drug activity could result in fines of up to $190,000 per violation, while each additional offense after that could see fines of up to $380,000 per violation.

[...] Companies looking for a roadmap would likely end up turning to another federal policy known as 2258A. Venzke says that the Cooper Davis Act is actually modeled off of 2258A and that it uses similar policy and language. This longstanding law requires web companies to report child sexual abuse material to the federal government if the companies become aware of it on their platforms. Under this regulation, web platforms are obligated to report suspected child abuse material to the CyberTipline of the National Center for Missing and Exploited Children, a federally funded nonprofit established by Congress to combat child abuse. NCMEC, in turn, forwards the reports it receives to relevant law enforcement agencies for further investigation.

Over the years, companies like Facebook, Apple, and Google have addressed 2258A's reporting requirements by developing a sophisticated surveillance system designed to detect abuse material when it's uploaded to their sites; the system leverages a database of cryptographic hashes, each of which represents a known child abuse image or video. Companies then scan user accounts for matches to these hashes and, when they get a positive hit, they forward the user's relevant data to NCMEC.

However, when it comes to online drug activity, things are decidedly more complicated. Unlike the problem of CSAM—in which a database of known prohibited material can be compiled and scanned against—it's far from clear how companies would reliably identify and report suspected drug activity. Online drug transactions are largely carried out under the cover of coded language, using oblique terms and signals. How are companies supposed to sift through all that without driving themselves (and their users) insane?

"If platforms are actively monitoring for fentanyl [sales], they're going to have to look for a lot more than images and videos," said Venzke. "They're going to have to dig through speech, they're going to have to look at emojis, they're going to have to try to infer user intent." Since the bill does little to stipulate how reporting will be conducted, it will be up to the companies to figure out how to do all this. This could easily lead platforms to build their own internal surveillance systems, the likes of which are designed to monitor how platform users interact in an effort to ferret out drug activity. In this scenario, the likelihood that platforms would end up reporting a lot of "false positives" to the government (i.e., people suspected of drug activity who, in reality, have done nothing wrong) would be high, Venzke says.