A leaked European Union proposal shows plans to mandate CSAM scanning for child protection in all encrypted messaging services.
In 2021, Apple eventually backed down over its own plans to introduce scanning for child sexual abuse material (CSAM), and agreed to postpone it following severe criticism of the dangers it posed to everyone's privacy. Notably, the UK government backed Apple's plans, albeit after Apple had withdrawn them, and chiefly as part of its own wish to get backdoors into end-to-end encryption.
Now it appears that many of the UK's former fellow EU member countries have been planning their own CSAM measures. As a result, the EU intends to impose a single pan-European solution, both to standardize the measures and because it says that voluntary ones have not been sufficient.
Security consultant Alec Muffett has tweeted a copy of a draft EU proposal about "laying down rules to prevent and combat child sexual abuse."
Well, this is some interesting reading for the afternoon. https://t.co/1z96uE1REx pic.twitter.com/X8Fybvv4fj
— Alec Muffett (@AlecMuffett) May 10, 2022
"Despite the important contribution made by certain providers," says the proposal, "voluntary action has thus proven insufficient to address the misuse of online services for the purposes of child sexual abuse."
"As a consequence, several Member States have started preparing and adopting national rules to fight against online child sexual abuse," it continues.
The proposal reports that "divergent national requirements" over CSAM would also lead "to an increase in the fragmentation of the Digital Single Market for services."
European Union regulators therefore propose imposing rules in order "to guarantee children's fundamental rights," but also "to establish a fair balance" over the right of privacy for users in general.
The plan is for an "EU Center," which would "create, maintain and operate databases of indicators of online child sexual abuse that providers will be required to use."
Breaking end-to-end encryption
No specific services are mentioned in the proposal's more than 55,000 words of detail, but it does state that these "measures should be taken regardless of the technologies used by the providers concerned in connection to the provision of their services."
"That includes the use of end-to-end encryption technology," continues the proposal, "which is an important tool to guarantee the security and confidentiality of the communications of users, including those of children."
"When executing the detection order, providers should take all available safeguard measures to ensure that the technologies employed by them cannot be used by them or their employees for purposes other than compliance with this Regulation," says the proposal, "nor by third parties, and thus to avoid undermining the security and confidentiality of the communications of users."
The plan appears to propose that end-to-end encryption be broken by messaging service providers, in order to scan messages for CSAM.
This is the main objection that security experts had to Apple's CSAM system. They argue that once scanning for CSAM is allowed, governments would be able to require scanning for any other information they desire.
Matthew Green, cryptography teacher at Johns Hopkins University, has described the leaked plans as "the most terrifying thing I've ever seen."
This document is the most terrifying thing I've ever seen. It is proposing a new mass surveillance system that will read private text messages, not to detect CSAM, but to detect "grooming". Read for yourself. pic.twitter.com/iYkRccq9ZP
— Matthew Green (@matthew_d_green) May 10, 2022
The leaked EU proposal has no date, but its appendices include a potential timetable that would see the plans introduced from 2022 to 2027.
27 Comments
And people complained about Apple’s system… I have to say that I am against any weakening of encryptions or privacy protections but in terms of which method is the lesser of two evils Apple’s solution is the less intrusive. The language in this Bill truly is terrifying. I have to say that considering that the police constantly complain that they don’t have the resources to deal with crimes as it is I find it farcical that more and more legislation continues to be added. Not to downplay the significance of sexual abuse in any way but one has to be pragmatic and decide whether the attack on privacy is justified. It seems to me police forces do less and less detection and real crime fighting and are becoming merely administrative in their roles.
Murderous regimes around the world are salivating at this proposal.
Be really funny when the same people that put this in effect get arrested… oh wait, yeah, their phones will be exempt for some unknown reason.
I said they'd do this a long time ago. This is why they're going after Apple, to force the ability to create back doors. It's not just for what they're saying, it's for everything. What these idiots don't realize is once there's a back door, there's no way to keep it closed even for their own government systems. Nothing will be secure, everything will be open. Yes, it's open for a small group of people right now but allow the back doors and it will be extremely easy for everyone to break into anyone's computer system. Apple needs to continue to fight this fight, which is obviously being backed in the US by our three letter agencies. It's the same around the world.
People flipped out over Apple's proposed on-device scanning and it was essentially hash scanning of the exact same files that would have been scanned in iCloud anyway AND users were in total control of whether or not they used iCloud and which applications would have files uploaded if they did choose to use it. It didn't actually change anything when it came to privacy.