EU Commissioner Heading Push For Client-Side Scanning Continues To Say Dumb Stuff In Defense Of Her Terrible Proposal

from the doubling-down dept

There may be an entire commission behind the push to mandate client-side scanning in the European Union, but there’s one truly propulsive force behind it: Commissioner Ylva Johansson, the person in charge of the Home Affairs office.

Johansson is the one who penned a largely incoherent defense of the proposal back in August 2022, long before criticism of the proposal hit critical mass. Her defense basically relied on this being “for the children,” which she apparently considered to be enough of an impetus to shout down any objections. That this might make children less safe wasn’t considered. That this would expose EU citizens to persistent surveillance, as well as increase the risk of their personal data being obtained by criminals, was shoved to the side to buttress the narrative Commissioner Johansson wanted to push.

Despite being soundly advised of the risks, Johansson pushed forward, claiming whatever happened to anyone wasn’t really a problem. She also dodged the encryption-breaking elements of the proposal by pretending this had nothing to do with basically outlawing end-to-end encryption. But facts are facts: you can’t perform client-side scanning without breaking end-to-end encryption. If content has to be scanned, one end of the encryption needs to be broken.

The proposal is so bad even the EU government’s lawyers won’t condone it. It’s so bad even certain EU constituent countries won’t condone it. The German government has already stated it’s not interested in compelling client-side scanning even if it the EU Commission says that’s the way things are going to be in the European Union.

None of this appears to be having any effect on the Commissioner, who has chosen to disregard any valid criticism of this proposal and double down on everything she and “her” proposal are wrong about. Perhaps its fitting that one of the burrs under Johansson’s saddle is the German government, as Morgan Meaker reports in this recent article for Wired.

On April 23, the German politician Patrick Breyer uploaded a meme to his Mastodon account. “Big Sister is Watching You”, it warned in big white letters, written behind a smiling photograph of Ylva Johansson, the EU commissioner in charge of home affairs. Within the bureaucratic confines of Brussels, it’s rare for a politician to evoke enough anger to feature on a meme—let alone be labeled as the modern incarnation of author George Orwell’s Big Brother by her colleagues.

Germany’s in no hurry to accept the intrusion of a EU-mandated Big Brother. It spent years doing its own Big Brother work, both under Hitler and as a USSR farm team. This direct rejection of Johansson and her proposal is, as the Wired article notes, a rarity.

But criticism in general of Johansson and this proposal is far from rare. Lots of opposition has been raised, almost all of it pointing out how this would be either (1) unworkable, (2) dangerous, or (3) both of the above.

If anything, this constant stream of criticism appears to have given Johansson the impression she must be right, if only because so many people think she’s wrong. Couching her arguments in loaded “for the children” language, she suggests her opponents are either incorrect or simply don’t care if kids get sexually abused.

In many ways, the responses given to Wired are the inversion of this assessment of Johansson from one of the many services her proposal would harm.

“Either she’s stupid or she’s evil,” says Jan Jonsson, CEO of Swedish VPN service Mullvad.

Maybe it’s both. Or maybe it’s neither. Maybe it’s just someone deciding this will be their legacy and now, having been told by thousands of people their baby is ugly, they’re fiercely determined to prove everyone else wrong.

This is how Johansson can (virtually) attend the Big Brother Awards to accept a facetious award for her contribution to the surveillance state without a solitary trace of irony or shame. And maybe that’s why she can continue to pretend this isn’t about encryption, when it has everything to do with encrypted communication services that ensure users’ security by refusing to break their end of the encryption.

The wording of Johansson’s proposal is “technology neutral,” meaning it doesn’t even mention encrypted spaces. But, crucially, it doesn’t rule out encrypted services either.

That’s implausible deniability. That’s willfully ignoring the technical details in favor of presenting broader claims about saving children and insinuating anyone objecting to this massive expanse of EU government surveillance power just doesn’t care enough about sexually exploited children.

Johansson stresses that this bill is not about privacy, but about protecting children. We should be thinking about the 11-year-old girl who has been coerced into sending someone explicit pictures and is now seeing them circulate around the internet, she says. “What about her privacy?”

That’s the mentality we’re dealing with. Of course the victim of CSAM has had their privacy violated. But it’s been violated by the person performing the criminal act, not by the services utilized to communicate with the victim. And hosts of user-generated content already block and report CSAM when it’s detected on the open web. Demanding service providers scan all users’ content proactively means millions of privacy violations will occur every day, with only a very small percentage of them involving the distribution of illegal content.

That seems to be fine with Johansson, who is apparently willing to sacrifice the privacy and security of millions for the hypothetical 11-year-olds she presents as a counterargument.

No one is arguing CSAM needs to be actively combated, deterred, and subjected to the full force of the law. What they’re arguing against is the wholesale dismantling of privacy and security protections their users trust them to provide in exchange for incremental law enforcement gains that will always fail to satisfy politicians like Johansson, who seem to believe everyone should be punished because a small minority of internet users utilize communication services to break the law.

She’s clearly unwilling to listen to reason. And as this proposal inches forward against increasing resistance, the arguments made in support of it will become less rational and more emotional. But emotions aren’t legal justifications for the always-on surveillance this proposal would create.

