European Union lawmakers’ controversial proposal to legally force messaging platforms to scan private communications for child pornography (CSAM) is facing a new wave of backlash from security and privacy experts. Protection of private life.
In an open letter published Thursday, more than 270 leading academics and researchers warn that this well-intentioned effort could lead to millions of false positives per day and prove catastrophic for online privacy and security. While the goal of protecting children is laudable, critics argue that the technical requirements of the proposal are completely unrealistic and a recipe for widespread surveillance that will undermine encryption and erode digital rights.
“ The protection offered by end-to-end encryption means that no one other than the intended recipient of a communication should be able to obtain information about the content of that communication “, we can read in the letter. “ Allowing detection capabilities, whether for encrypted data or for data before it is encrypted, violates the very definition of privacy provided by end-to-end encryption “.
Europe wants to put an end to child pornography content (CSAM)
The dispute dates back to 2020, when the European Commission first proposed the CSAM analysis regulation. In addition to identifying known CSAM, the rules would require messaging platforms to deploy technologies to detect new, unknown CSAM and identify potential grooming behaviors, goals that, according to experts, are technologically impossible without compromising encryption and deploying mass surveillance.
Last year, members of the European Parliament attempted to rein in the legislation by passing amendments that removed the grooming detection mandate, exempted end-to-end encrypted services and limited scanning to cases where abuse was already suspected. However, the representatives of the EU Member States have not adopted a unified position and the amendments recently proposed by the current Belgian presidency include a large number of legally and technically delicate elements.
Experts are already sounding the alarm
Among the revisions is a proposal to define certain users as “persons of interest” who have previously reported CSAM or grooming attempts based on automated assessments. Once reported, these people would be subject to more targeted surveillance. However, the signatories to the letter claim that even using a hypothetical detector “in the best case” with a false alert rate of only 0.1%, we could generate more than a million false alerts per day on a platform like WhatsAppgiven its massive scale.
“ Given that WhatsApp users send 140 billion messages per day, even if only one in a hundred messages are tested by these detectors, there would be 1.4 million false positives every day », they write. “ To reduce the number of false positives to a few hundred, at least five repetitions would need to be statistically identified using different, statistically independent images or detectors. “.
Experts also cast a cold shoulder on proposals to classify “high-risk” services for priority analysis or to verify the security of detection technologies, saying such measures are ultimately futile given the technical shortcomings and near-universal adoption of basic messaging functions such as text and image sharing.
Also read – Apple spies on iCloud users’ emails looking for child pornography images
Europe would be on the verge of creating a mass surveillance tool
The end result, according to them, would be “ completely undermine the security of communications and systems » in pursuit of an invasive, legally dubious and likely ineffective solution to combating CSAM that creates “ unprecedented capabilities for monitoring and controlling Internet users “.
The European Data Protection Supervisor and digital rights groups like European Digital Rights have also denounced the proposal as a disproportionate invasion of privacy that could normalize indiscriminate surveillance of online communications. Law enforcement groups, meanwhile, have pushed in the opposite direction, recently issuing their own statement calling for guaranteed access to encrypted email data.
Caught in the crossfire, EU policymakers face intense competing pressures from stakeholders as they try to balance tackling online child exploitation with defending the rights and digital security. But For security experts, there is no gray area.
“ It sets a precedent for internet filtering and prevents people from using some of the few tools available to protect their right to privacy in the digital space “, warns the open letter about the potential consequences. “ It will change the way digital services are used around the world and risks having a negative impact on democracies around the world “.
The experts are finally quite clear. Client-side analysis coded into law is neither realistic nor desirable, and Robust end-to-end encryption without backdoors remains the best path forward to maintain digital security while allowing law enforcement authorities to report the presence of CSAM when detected.