If it were up to the European Commission, starting next year every image in a chat message would be scanned for the presence of child pornography. Privacy experts are sounding the alarm, warning of the far-reaching consequences of client-side scanning. "Don't start it," reads their appeal.
The European Commission wants to tackle the production and distribution of child pornography material. To this end, the EU's executive committee presented a legislative proposal last year to protect children from this. Among other things, it states that hosting companies must make a risk analysis that their services are used to distribute child pornographic material.
Furthermore, the European Commission calls for a reporting requirement for companies that find child sexual abuse online. National authorities may issue removal orders to remove the image and video material from the Internet. Finally, the Commission wants to establish an independent knowledge center. This will provide advice to member states, but will also help victims to remove visual material from the Internet.
The most far-reaching measure is to scan every image sent through chat services for the presence of possible child pornography material even before it is encrypted. We also call this client-side scanning.
For example, it will be possible to compare digital fingerprints from photographs with a database containing millions of child pornography photos. In case of a match, a notification goes to the knowledge center, where the photo is reviewed by a staff member. If necessary, Europol or the national police are notified.
Client-side scanning has far-reaching implications for our privacy and security, four hundred scientists wrote early this month in an open letter (pdf). "All technological solutions mentioned give a third party access to private conversations under conditions determined by this third party," the authors wrote. They compared the European Commission's plan to continuous wiretapping of citizens via a "policeman in the pocket.
Current technology is vulnerable to manipulation and extremely complex, writes De Volkskrant. One small adjustment to a photograph and the fingerprint of the image no longer matches the photo in the database.
Also, it is difficult for a computer system to distinguish between, say, a young child taking a bath and child pornography. Computers do not pay attention to the intention of the creator, or what the relationship is between the person in the picture and the person who shot the picture. For that reason, experts think the European Commission's plan will produce many false positives.
The main criticism of the European Commission's plan is that it violates our privacy on a large scale. "This proposal puts a crowbar into the private lives of all citizens. With this we are treading a path where you don't really want to go," Jaap-Henk Hoepman, associate professor of privacy and technology at Radboud University, told De Volkskrant.
According to him, the EU proposal means that investigators and intelligence agencies can constantly watch our private lives. Hoepman compares the plan to installing a security camera in every home in the Netherlands. "A government camera that is activated and sets up a live stream when it picks up a suspicious sound," he says.
The associate professor is not the only one worried. Seventy British security experts warned the government last week that citizens are coming under permanent surveillance. WhatsApp and Signal have threatened to leave the United Kingdom if plans for client-side scanning continue.
The European Commission's bill will soon be discussed in the European Parliament and the European Council. Sweden proposed maintaining end-to-end encryption and said it wanted nothing to do with client-side scanning. Spain, which currently holds the presidency of the European Union, rejected the proposal.
Although the Dutch government is outgoing, it, like Spain, sees salvation in the European Commission's plan. In April, the cabinet ignored a motion from the House of Representatives that proposed not to approve client-side scanning. Earlier this month, outgoing Justice and Security Minister Dilan Yeşilgöz-Zegerius said investigative services should be given access to interpersonal messaging under "appropriate conditions and safeguards.
Open Letter from Security and Privacy Researchers in relation to the Online Safety Bill
