Europe’s proposed “Chat Control” legislation to automatically scan chat, email, and instant message communications for child sexual exploitation material (CSEM) ran up against broad resistance at a meeting of the German Parliament’s (Bundestag) Digital Affairs Committee on Wednesday.
By the Digital Affairs Committee’s own account, as algorithmically translated, “The plans, which include the use of technologies such as client-side scanning (CSS), were met with criticism from many quarters, which was also reflected in the assessments of the experts: the majority of the invited experts emphasized that the project [went] too far in crucial places.”
On May 11, 2022, the European Commission proposed a plan to combat CSEM by scanning digital correspondence and stored files.
A voluntary scanning regime, Chat Control 1.0, is already in place in the EU. As explained by Patrick Breyer, a Member of Parliament in the EU (Pirate Party, Germany) who opposes the scheme, some US-based service providers of unencrypted communications services participate in this system, including Gmail, Facebook/Instagram Messenger, Skype, Snapchat, iCloud Mail and XBox.
Chat Control 2.0 would make content scanning mandatory, even for encrypted communications – which would mean either content scanning prior to encryption or encryption keys managed by the service provider instead of the end user.
Two years ago, Apple was considering such a scheme for its devices but reversed course after widespread opposition. In the UK, similar legislation, the Online Safety Bill, is being considered.
Chat Control 2.0 scanning would also be applied to cloud storage services. In addition, the proposed law calls for age restrictions on communications and storage apps, and in app stores, to prevent minors from accessing apps that could convey harmful content. It would cover all commercial services, regardless of size, exempting non-commercial services that are not ad-funded (e.g., many open source projects).
The EU plan has been vigorously opposed by academics, rights groups, and privacy-focused technology vendors like Tutanota, which noted the opposition to Chat Control 2.0 in Germany’s Digital Affairs Committee hearing.
Policy and technical experts at the hearing like Felix Reda from the Society for Civil Rights challenged the proposal for the damage it would do to privacy rights.
Ella Jakubowska, policy advisor at European Digital Rights, said [PDF] the scanning proposal would likely violate the EU Charter of Fundamental Rights, the Digital Services Act (DSA), and the General Data Protection Regulation (GDPR), among other laws.
Elina Eickstädt, computer scientist and representative of The Chaos Computer Club, warned [PDF, German] that the capabilities of scanning technology are being overestimated and that the technology would produce a huge number of false positives, something police in The Netherlands already consider a burden under the current reporting system.
The challenge of dealing with false positives was also cited by professor Martin Steinebach from the Fraunhofer Institute for Secure Information Technology.
Markus Hartmann, senior public prosecutor for cybercrime in the North Rhine-Westphalia region of Germany, said that encryption can pose an obstacle to investigators. “Nonetheless, end-to-end encryption of perpetrator communication in the crime area of online child abuse considered here proves to be a thorough investigation obstacle only in a clearly insignificant number of cases,” he said, as algorithmically translated.
The main obstacle to prosecuting criminal offenses, he said, is not encryption but “insufficient technical and human resources in the law enforcement agencies.”
Breyer, in response to the German hearing, said, “With Chat Control [2.0], the EU is planning a mass surveillance system that is so extreme that it exists nowhere else in the free world. The only country that practices such indiscriminate searches is authoritarian China.”
According to Tutanota, there’s resistance to the proposal in Austria, Germany, Ireland, and the Netherlands. It’s unclear however whether that will be enough to prevent the proposal from being adopted. ®