Europe proposes tackling child abuse by killing privacy, strong encryption

If we're gonna go through this again, can we just literally go back in time?

Proposed European regulations that purport to curb child abuse by imposing mass surveillance would be a "disaster" for digital privacy and strong encryption, say cybersecurity experts.

A number of options have been put forward for lawmakers to mull that aim to encourage or ensure online service providers and messaging apps tackle the "detection, removal, and reporting of previously-known and new child sexual abuse material and grooming."

These options range from voluntary detection and reporting of child sexual abuse material (CSAM) and grooming, to legally mandating that service providers find and report such material using whatever detection technology they wish — essentially scanning all private communications and, if necessary, breaking end-to-end (E2E) encryption for everyone.

If rubber-stamped, the rules will apply to online hosting services and interpersonal communication services, such as messaging apps, app stores, and internet access providers.

"If this proposal were to come to pass, it could result in countries banning true end-to-end encryption," EFF Senior Policy Analyst Joe Mullin told The Register, noting that requiring service providers to detect suspected child grooming requires them to analyze all private messages.

"The EU proposal is incompatible with end-to-end encryption and with basic privacy rights," Mullin continued. "There's no way to do what the EU proposal seeks to do, other than for governments to read and scan user messages on a massive scale. If it becomes law, the proposal would be a disaster for user privacy not just in the EU but throughout the world."

Here's what the proposal says service providers would need to do after receiving a "detection order" to scan for, report and remove any CSAM or grooming activity:

This regulation leaves to the provider concerned the choice of the technologies to be operated to comply effectively with detection orders … That includes the use of end-to-end encryption technology, which is an important tool to guarantee the security and confidentiality of the communications of users, including those of children. When executing the detection order, providers should take all available safeguard measures to ensure that the technologies employed by them cannot be used by them or their employees for purposes other than compliance with this Regulation, nor by third parties, and thus to avoid undermining the security and confidentiality of the communications of users.

It's worth noting that this finding-and-stopping-pedophiles argument is frequently used to oppose E2E encryption and drum up support for mass-surveillance proposals — like Apple's plan to scan photos on iPhones and iPads for CSAM, which it subsequently and quietly walked back late last year. 

EU 'war on E2E encryption'

"In case you missed it, today is the day that the European Union declares war upon end-to-end encryption, and demands access to every person's private messages on any platform in the name of protecting children," tweeted Alec Muffett, who architected and led Facebook Messenger's end-to-end encryption effort.

He has first-hand experience with this. The UK government's ongoing rumblings against end-to-end encryption also rely heavily on similar think-of-the-children and Facebook-harbors-pedophiles rhetoric.

Matthew Green, a cryptography professor at Johns Hopkins University, called the Euro proposal "the most terrifying thing I've ever seen."

If signed into law, this regulation would likely require service providers to use AI to read entire text messages to figure out if a user is "grooming" children for sexual abuse, he added.

"It is potentially going to do this on encrypted messages that should be private. It won't be good, and it won't be smart, and it will make mistakes," he said. "But what's terrifying is that once you open up 'machines reading your text messages' for any purpose, there are no limits." ®

Biting the hand that feeds IT © 1998–2022