German Parliament Rejects EU Commission Call For Client-Side Scanning

from the not-happening-here-if-we-can-help-it dept

Everybody agrees child sexual abuse material is a serious problem. Unfortunately, far too many supposedly serious people are coming up with very unserious “solutions” to the problem.

Pressure applied by lawmakers and law enforcement led to Apple deciding to get out ahead of the seemingly-impending mandates to “do something” about the problem. In August 2021, it declared its intent to engage in client-side scanning of users’ content which would search for illegal material on users’ devices as well as their cloud storage accounts. After receiving a ton of backlash, Apple backpedaled, putting its scanning plans on ice for the foreseeable future.

Apple recognized the problem, albeit after the fact. Legislators pushing for client-side scanning don’t appear to be getting any smarter about the issue, despite having a real-world example to learn from. A bunch of security researchers wrote a report detailing all the security and privacy issues client-side scanning introduces, noting that any tradeoffs in effectiveness of shutting down CSAM were extremely limited.

This too has been ignored. Government officials all over the world still think the best thing for the children is something that would reduce the security and privacy of children who own smartphones and are almost always connected to the internet. Two GCHQ employees wrote a paper suggesting the smart thing to do was mandate client-side scanning wherever it was needed. Bundled with that proposal was the implicit suggesting that end-to-end encryption was no longer an option — not when there are children to protect.

Less than a month after this paper was published, an EU commissioner composed an incomprehensible defense of client-side scanning, one presumably provoked by the EU Data Protect Board’s rejection of the entire premise, which pointed out the numerous violations of enshrined personal privacy rights client-side scanning would result in.

Somehow, despite all of this, the EU Commission is trying to move forward with mandated client-side scanning. Here’s what at least some members of the Commission want, as described by Hanna Bozakov in a blog post at Tutanota:

The EU proposal covers three types of sexualized abuse, such as depictions of abuse, previously unknown material, but also so-called grooming, i.e. targeted contact with minors with the intention of abuse.

The draft law is currently in the European process of becoming a law. If passed in its current form, it would force online service providers to scan all chat messages, emails, file upload, chats during games, video conferences etc. for child sexual abuse material. This would undermine everybody’s right to privacy and weaken the level of security online for all EU citizens.

Broad. Sweeping. Dangerous. These are all suitable terms for this proposal. And let’s not forget the children it’s supposed to help, who will be just as victimized by the law as the people who wrote it.

Fortunately, there’s already some strong opposition to this proposal. The German Parliament has soundly rejected this push for client-side scanning, saying there’s no way it’s willing to inflict this privacy invasion on its constituents.

While the German Parliament itself is not directly involved with the EU Commission’s proposal to make client-side scanning of encrypted communication mandatory for online services, the hearing was still a great success for digital rights groups and privacy activists.

The draft law itself is being negotiated between the EU Commission, the European Parliament and the member states in the Council of Ministers. In this context, the German government can have a deciding influence in the Council of Ministers.

And, to the very least, the German government wants the removal of client-side scanning, i.e. the examination of communications content on end devices, from the proposal.

So, if the EU Commission ratifies this proposal, the German government likely won’t enforce it. In fact, it will probably challenge the law in the EU human rights court, which will almost certainly find it a violation of rights guaranteed by other EU laws. This is a losing proposal for several reasons, but especially in a continent where this same commission has created sweeping privacy protections for European residents. It can’t just undo those because it wants to solve a problem it didn’t consider during its erection of other privacy protections.

Now that an entire country has rejected client-side scanning, the EU Commission needs to go back to the drawing board. Yes, CSAM is a problem that needs to be addressed. But it simply can’t be solved by turning everyone accessing the internet into a suspect.

Filed Under: , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “German Parliament Rejects EU Commission Call For Client-Side Scanning”

Subscribe: RSS Leave a comment
mick says:

Encrypted containers make this easily bypassed

While tech companies would be scanning the stored information of every innocent person, CSAM materials would still be easily shared via encrypted ZIPs or other containers that the scanning wouldn’t catch.

Once again we have a law that is designed to catch no one, while treating all innocent users like criminals.

This comment has been deemed insightful by the community.
That One Guy (profile) says:

Realtor: And here's the 'we WILL enter the house whenever' clause...

Mandatory client-side scanning is the digital equivalent of law enforcement and/or companies they’ve ‘deputized’ being required to regularly come into your house at any point and without warning to search around for anything damning ‘just in case’ so nice to hear at least someone involved spotted what a terrible idea it is and was willing to speak up.

N0083rp00f says:

Criminals do what Criminals do, even if not elected

So when are we going to name, shame, blame, and disdain all these still nameless beaurocrats that are either idiots, sociopaths or more likely, paid shills for those doing their darndest to create the new serfdom?

At least unemploy them, though I personally prefer they all get permanent residence in a very deep hole somewhere remote breaking big rocks into small rocks.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...