A planned law to require CSAM scanning in chat apps would be illegal, disproportionate, and could increase rather than decrease the risks to children, say experts. It could also see Apple withdraw iMessage from EU countries.
The warning was given by more than 20 speakers at a privacy seminar, as the European Union continues to press for a CSAM measure which would effectively outlaw end-to-end encryption in chat apps like iMessage, WhatsApp, and Signal …
CSAM scanning in chat apps
The proposed law was first announced back in May of last year. It would apply to a wide range of services, but the most controversial element is the proposed requirement for tech giants to scan the content of messages in chat apps.
This would, of course, be completely impossible in end-to-end encrypted (E2EE) apps like iMessage. The only way for companies to comply would be to completely rewrite their apps to remove E2EE.
Legislators have persisted in calling for backdoors into E2E encrypted messages, consistently failing to understand that it’s a technological impossibility. As University of Surrey cybersecurity professor Alan Woodward puts it: “You either have E2EE or you don’t.”
Woodward does note that there is a possible workaround: on-device scanning after the message has been decrypted. But that is precisely the same approach Apple proposed to use for CSAM scanning, which proved so controversial that the company permanently shelved its plans.
Illegal, disproportionate, and puts children at risk
TechCrunch reports that the plan has been described as “the wrong response” by speakers at a European Data Protection Supervisor seminar.
More than 20 speakers at the three hour event voiced opposition to a European Union legislative proposal that would require messaging services to scan the contents of users’ communications for known and unknown CSAM, and to try to detect grooming taking place in real-time — putting the comms of all users of apps subject to detection orders under an automatic and non-targeted surveillance dragnet […]
The European Data Protection Supervisor (EDPS) himself, Wojciech Wiewiórowski, suggested the EU could be at a point of no return if lawmakers go ahead and pass a law that mandates the systemic, mass surveillance of private messaging […]
Wiewiórowski also [invoked] his personal childhood experience of living under surveillance and restrictions on freedom of expression imposed by the Communist regime in Poland.
Dutch professor Frederik Borgesius said that the scanning would be illegal under existing EU law.
The EU Charter of Fundamental Rights has an element that says if the essence of a fundamental right is violated then the measure is illegal by definition […]
When is the essence violated? Well, the court has said — in a different case — if authorities can access the contents of communications on such a large scale then the discussion is over. No room for proportionality test — the essence of the right to privacy would be violated, and therefore such a measure would be illegal.
Other speakers argued that the law could actually increase the risks to children. First, because human review of photos would be needed, because the proposed law goes beyond identifying known examples, which can be automatically identified by digital fingerprints.
Many photos of minors are actually exchanged between minors in sexting chats, and these images would now be exposed to adult view.
“A big part of the material that we see is not a result of sexual abuse,” Arda Gerkens, chair of the board of The Netherlands’ Authority for the Prevention of Online Terrorist Content and Child Sexual Abuse Material, told the seminar. “The material’s indeed being spread by the Internet — but it’s a growing number which is a result of sexual activity of young people themselves.”
An even bigger risk is that removing E2E encryption would leave messages at risk of being hacked, again exposing teens to the risk of sensitive photos being exposed.
Apple could withdraw iMessage from Europe
The government there backed down, but it seems likely that Apple would take the same stance with EU countries, were this law to pass.
FTC: We use income earning auto affiliate links. More.