German Parliament Rejects EU Commission Call For Client-Side Scanning
from the not-happening-here-if-we-can-help-it dept
Everybody agrees child sexual abuse material is a serious problem. Unfortunately, far too many supposedly serious people are coming up with very unserious “solutions” to the problem.
Pressure applied by lawmakers and law enforcement led to Apple deciding to get out ahead of the seemingly-impending mandates to “do something” about the problem. In August 2021, it declared its intent to engage in client-side scanning of users’ content which would search for illegal material on users’ devices as well as their cloud storage accounts. After receiving a ton of backlash, Apple backpedaled, putting its scanning plans on ice for the foreseeable future.
Apple recognized the problem, albeit after the fact. Legislators pushing for client-side scanning don’t appear to be getting any smarter about the issue, despite having a real-world example to learn from. A bunch of security researchers wrote a report detailing all the security and privacy issues client-side scanning introduces, noting that any tradeoffs in effectiveness of shutting down CSAM were extremely limited.
This too has been ignored. Government officials all over the world still think the best thing for the children is something that would reduce the security and privacy of children who own smartphones and are almost always connected to the internet. Two GCHQ employees wrote a paper suggesting the smart thing to do was mandate client-side scanning wherever it was needed. Bundled with that proposal was the implicit suggestion that end-to-end encryption was no longer an option — not when there are children to protect.
Less than a month after this paper was published, an EU commissioner composed an incomprehensible defense of client-side scanning, one presumably provoked by the EU Data Protection Board’s rejection of the entire premise, which pointed out the numerous violations of enshrined personal privacy rights client-side scanning would result in.
Somehow, despite all of this, the EU Commission is trying to move forward with mandated client-side scanning. Here’s what at least some members of the Commission want, as described by Hanna Bozakov in a blog post at Tutanota:
The EU proposal covers three types of sexualized abuse, such as depictions of abuse, previously unknown material, but also so-called grooming, i.e. targeted contact with minors with the intention of abuse.
The draft law is currently in the European process of becoming a law. If passed in its current form, it would force online service providers to scan all chat messages, emails, file uploads, chats during games, video conferences etc. for child sexual abuse material. This would undermine everybody’s right to privacy and weaken the level of security online for all EU citizens.
Broad. Sweeping. Dangerous. These are all suitable terms for this proposal. And let’s not forget the children it’s supposed to help, who will be just as victimized by the law as the people who wrote it.
Fortunately, there’s already some strong opposition to this proposal. The German Parliament has soundly rejected this push for client-side scanning, saying there’s no way it’s willing to inflict this privacy invasion on its constituents.
While the German Parliament itself is not directly involved with the EU Commission’s proposal to make client-side scanning of encrypted communication mandatory for online services, the hearing was still a great success for digital rights groups and privacy activists.
The draft law itself is being negotiated between the EU Commission, the European Parliament and the member states in the Council of Ministers. In this context, the German government can have a deciding influence in the Council of Ministers.
And, at the very least, the German government wants the removal of client-side scanning, i.e. the examination of communications content on end devices, from the proposal.
So, if the EU Commission ratifies this proposal, the German government likely won’t enforce it. In fact, it will probably challenge the law in the EU human rights court, which will almost certainly find it a violation of rights guaranteed by other EU laws. This is a losing proposal for several reasons, but especially in a continent where this same commission has created sweeping privacy protections for European residents. It can’t just undo those because it wants to solve a problem it didn’t consider during its erection of other privacy protections.
Now that an entire country has rejected client-side scanning, the EU Commission needs to go back to the drawing board. Yes, CSAM is a problem that needs to be addressed. But it simply can’t be solved by turning everyone accessing the internet into a suspect.
Filed Under: client side scanning, csam, eu, gchq, germany, privacy, security, surveillance
Comments on “German Parliament Rejects EU Commission Call For Client-Side Scanning”
The EU should really listen to the Germans. They know a thing or two about invasion of privacy.
Just think … if “they” can scan the contents of your phone without your knowledge or consent, then so can anyone else. That’s just the way it is, act accordingly.
Really, Tim?
The sentence beginning “It can’t just undo those…” could have used a term that didn’t incite a chuckle when used in this context.
The Stasi and KGB would have loved laws like this one, just think of all the information about everybody they could have put in their files.
Encrypted containers make this easily bypassed
While tech companies would be scanning the stored information of every innocent person, CSAM materials would still be easily shared via encrypted ZIPs or other containers that the scanning wouldn’t catch.
Once again we have a law that is designed to catch no one, while treating all innocent users like criminals.
Re:
The problem, and bypass of encryption, is that when your phone is being scanned, what is shown on the screen, or played into the speaker or earphone can be scanned. Besides which, if you decrypt on your phone, the scanner can get the key.
Realtor: And here's the 'we WILL enter the house whenever' clause...
Mandatory client-side scanning is the digital equivalent of law enforcement and/or companies they’ve ‘deputized’ being required to regularly come into your house at any point and without warning to search around for anything damning ‘just in case’ so nice to hear at least someone involved spotted what a terrible idea it is and was willing to speak up.
Criminals do what Criminals do, even if not elected
So when are we going to name, shame, blame, and disdain all these still nameless bureaucrats that are either idiots, sociopaths or more likely, paid shills for those doing their darndest to create the new serfdom?
At least unemploy them, though I personally prefer they all get permanent residence in a very deep hole somewhere remote breaking big rocks into small rocks.