Last Updated on 2023-07-08 by Joop Beris
Last year in May, the European Commission proposed new rules to eradicate CSAM, Child Sexual Abuse Material. The sexual abuse of children is a heinous crime and profiting from such material is even worse. It is important to take effective measures against the creation and spread of such material via the internet. The new EC proposal goes way too far though. If adopted, it will destroy privacy online for all EU citizens.
What is the problem?
Following the COVID pandemic, there has been an increase in CSAM (Child Sexual Abuse Material) and grooming of teenagers. The European Commission (EC) believes that most CSAM is hosted in Europe, so they have proposed a new plan to combat this issue. While this goal is commendable, the proposed method involves scanning content on a large scale across various online services, including end-to-end encrypted chat platforms like Signal and WhatsApp. This means that all personal communication would be continuously monitored. As I said, this will destroy privacy online.
When you send messages through apps like Signal, they are encrypted to protect your privacy. However, to address CSAM concerns, there is a proposal to use a technique called “Client Side Scanning” (CSS). With CSS, your device would scan the content of your messages before sending them. While this wouldn’t actually compromise the encryption, it would negate the main purpose of end-to-end encryption (E2EE), which is to ensure private communication where others cannot read your messages.
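The ordering described above, as an added example that is not part of the original post: the scan runs on the plaintext before encryption, so the ciphertext stays intact while a report still leaves the device. The toy cipher, the SHA-256 watchlist match and all names and messages are assumptions constructed for illustration.

```python
import hashlib
import secrets

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). A stand-in, not a real E2EE cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def client_side_scan(plaintext: bytes, watchlist: set) -> bool:
    """Runs on the sender's device, on the plaintext, before any encryption."""
    return hashlib.sha256(plaintext).hexdigest() in watchlist

def send(sender: str, plaintext: bytes, key: bytes, watchlist: set, reports: list) -> bytes:
    if client_side_scan(plaintext, watchlist):
        # The report leaves the device outside the encrypted channel;
        # producing it never required the conversation key.
        reports.append({"sender": sender,
                        "digest": hashlib.sha256(plaintext).hexdigest()})
    return encrypt(key, plaintext)  # the encryption itself is untouched

def demo() -> dict:
    key = secrets.token_bytes(32)  # shared only by sender and recipient
    private = b"constructed sample: an ordinary private message"
    listed = b"constructed sample: content whose digest is on the watchlist"
    watchlist = {hashlib.sha256(listed).hexdigest()}  # shipped by the scanner operator
    reports = []
    wire = [send("alice", m, key, watchlist, reports) for m in (private, listed)]
    return {
        "recipient_reads": [decrypt(key, c) for c in wire],
        "wire_leaks_plaintext": any(m in c for m, c in zip((private, listed), wire)),
        "reports": reports,
    }

if __name__ == "__main__":
    print(demo())
```
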
The problems of Client Side Scanning
Client Side Scanning comes with a serious set of problems. Below I discuss the major objections.
- It will destroy privacy
Client-side scanning involves examining the content of users’ chat messages directly on their devices. This raises important concerns about privacy because it requires giving access to personal and sensitive conversations. Users may not feel at ease with their messages being examined, even if it’s done to prevent the spread of child sexual abuse material.
- Security risks
Client Side Scanning uses software and, like any software, it will have weaknesses. Enabling client-side scanning could therefore create a potential way in for attackers. Malicious actors could take advantage of weaknesses in the scanning process to gain access to users’ devices or intercept private information. Any flaws in the scanning system could lead to personal information being compromised or even the whole device being affected.
- False positives/negatives
Client-side scanning algorithms might not be completely accurate. This can result in two types of errors: false positives and false negatives. False positives happen when harmless messages are wrongly identified as suspicious or inappropriate. This can cause unnecessary problems and potentially damage user relationships. On the other hand, false negatives occur when harmful or inappropriate content goes unnoticed and is not flagged.
- Overreaching and Censorship
When a website or application scans the content on your device, it can sometimes go too far and block or filter things it shouldn’t. The algorithms used for scanning may not accurately understand the meaning or purpose behind certain messages. This can result in legitimate conversations being unintentionally blocked or filtered. As a result, it restricts people’s ability to freely express themselves and hampers open communication.
- Dependency on correct implementation
Client-side scanning works best when it is implemented correctly and applied equally. If people or companies implement it wrongly or inconsistently, some may choose not to use it at all. This can create an uneven level of security and might defeat the purpose of having scanning measures in place.
- Legal and Ethical Considerations
Using client-side scanning raises legal and ethical concerns. In Europe, we have the GDPR, which is supposed to give individuals a way to control who has access to their personal information. Client Side Scanning of all messages would undermine that control because it will destroy privacy. The ethical aspects of placing every European internet user under constant monitoring can’t be overlooked.
In short, the proposed method involves scanning content on a massive scale, even on encrypted platforms, which threatens online privacy. This technique, known as Client Side Scanning (CSS), involves scanning users’ messages on their own devices before sending them, effectively undermining the purpose of end-to-end encryption. There are numerous objections to this approach, including worries about privacy violations, security risks, potential for false positives and negatives, excessive control and censorship, reliance on flawless implementation, and complex legal and ethical considerations. It seems that the implementation of client-side scanning poses more questions than it answers, raising doubts about its effectiveness and legitimacy.
Not too late
Fortunately, it’s not too late to kill this proposal instead of letting it destroy privacy. Many experts have spoken out against this proposal and 133 civil society groups have written a letter to the EU, asking it to withdraw the proposal. You can bolster that request by supporting Stop Scanning Me and signing their petition. The Stop Scanning Me campaign also proposes alternatives that don’t demand we destroy privacy but address the problem differently, as suggested by experts.
In a world that more and more depends on internet communication, we must make an effort to safeguard it, ensuring its security and maintaining trust for all users.