A controversial EU legislative proposal to scan citizens’ private messages in an attempt to uncover child sexual abuse material (CSAM) poses a risk to the future of web security, Meredith Whittaker warned in a statement. Public blog post Monday. She’s the president of the non-profit behind the end-to-end encrypted (E2EE) messaging app Signal.
“There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a serious security vulnerability in underlying infrastructure that would have global implications far beyond Europe,” she wrote.
The European Commission put forward the original proposal for a mass survey of private messaging apps to counter the spread of online CSAM in May 2022. Since then, MEPs have been united in rejecting this approach. They also proposed an alternative route last fall, which would have excluded E2EE applications from scrutiny. However, the European Council, the legislative body made up of representatives of member states’ governments, continues to push for encrypted platforms to remain firmly within the scope of the Wipe Act.
The council’s latest proposal, which was put forward in May under the Belgian presidency, includes a requirement that “providers of interpersonal communications services” (also known as messaging apps) install and operate what the draft text describes as “technologies for upload moderation,” according to the text. Published by Netzpolitik.
Section 10A, which contains the upload moderation plan, states that these technologies are expected to “detect, prior to transmission, the dissemination of known child sexual abuse material or new child sexual abuse material.”
Last month, EURACTIV It stated that the revised proposal would require users of E2EE messaging applications to consent to scanning to detect CSAM. Users who haven’t consented will be blocked from using features that involve sending visual content or flagged URLs as well – essentially downgrading their messaging experience to basic text and voice.
Whitaker’s statement distorts the council’s plan as an attempt to use “rhetorical games” to try to rebrand client-side scanning, a controversial technology that security and privacy experts say is incompatible with the strong encryption that underpins confidential communications.
“[M]Mass scanning of private communications fundamentally undermines encryption. I stressed the complete stop. “Whether this occurs by manipulating, for example, the random number generation of an encryption algorithm, or by implementing a key escrow system, or by forcing communications to pass through a monitoring system before being encrypted.”
“We can call it a backdoor, or a front door, or ‘load moderation.’ But whatever we call it, each of these methods creates a vulnerability that can be exploited by hackers and hostile nation-states, removing protections for unprotected mathematics.” Unbreakable and replaced by a high-value security vulnerability.
Also criticizing the Council’s revised proposal in a statement last month, Pirate Party MEP Patrick Breyer – who has opposed the Commission’s controversial messaging plan from the start – warned that “the Belgian proposal means that the core of the European Commission’s extremist policy will be… Implementing Unprecedented Initial Chat Control Proposal Without Change Using only messaging services to send text messages is not an option in the 21st century.
The European Union’s data protection supervisor also expressed concern. Last year, it warned that the plan constituted a direct threat to democratic values in a free and open society.
Meanwhile, pressure on governments to force E2EE applications to screen private messages will likely come from law enforcement.
Last April, European police chiefs issued a joint statement calling on platforms to design security systems in a way that enables them to identify illegal activities and send reports on the content of messages to law enforcement. Their call for “technical solutions” to ensure “lawful access” to encrypted data did not specify how platforms should achieve this trick. But, as we mentioned at the time, the pressure was for some form of screening on the client side. Therefore, it does not seem to be a coincidence that just a few weeks later the Council issued its “Loading Supervision” proposal.
The draft text contains some statements that seek to place a fig leaf on top of the massive security and privacy black hole that “upload moderation” refers to – including a line that states “Without prejudice to Article 10A, this Regulation shall not prohibit or make “End-to-end encryption is impossible”; In addition to claiming that service providers will not be required to decrypt or provide access to E2EE data; A clause stating that they should not introduce cybersecurity risks “for which no effective measures can be taken to mitigate those risks”; Another line states that service providers should not be able to “infer the essence of the content of communications.”
“These are all nice sentiments, and they make the proposal a self-defeating paradox,” Whitaker told TechCrunch when we asked for her response to these terms. “Because what is proposed — installing mandatory erasure on end-to-end encrypted communications — would undermine encryption and create a major security vulnerability.”
The Commission and the Belgian Presidency of the Council were contacted to respond to their concerns, but at the time of writing, neither had provided a response.
EU law-making is usually a tripartite affair – so it remains to be seen where the bloc will ultimately end up examining chemical weapons. Once the Council agrees to its position, so-called tripartite talks begin with Parliament and the Commission to seek a final compromise. But it is also worth noting that the composition of the Parliament has changed since MEPs agreed to their negotiating mandate last year after the last EU elections.