Even as the European Union is expected to revive and further deliberate a proposal that could see all messaging accounts screened for possible child abuse content, it has drawn criticism from tech and web security companies. However, whether that has any bearing on the debate, remains to seen, with some progress towards regulation, expected this week. The revised proposals have been dubbed “Chat Control 2.0”.
This will, when written as a law, becomes the next chapter illustration an about-turn by the European Union which had late last year, moderated its stance to include an exception for end-to-end encryption. The Belgian Presidency of the European Council, the tenure finishing end of this month, is pushing forward a revised proposal that changes the dynamics for encrypted communication. On popular messaging platforms such as WhatsApp, Google Message, Snapchat, Telegram, Signal, Facebook Messages and Apple iMessage, user accounts can be screened for possible child abuse content, or child sexual abuse material (CSAM).
Rewritten proposal widens scope
“It is crucial that services employing end-to-end encryption do not inadvertently become secure zones where child sexual abuse material can be shared or disseminated without possible consequences,” reads the revised proposal. “Therefore, child sexual abuse material should remain detectable in all interpersonal communications services through the application of vetted technologies, when uploaded, under the condition that the users give their explicit consent under the provider’s terms and conditions for a specific functionality being applied to such detection in the respective service,” it adds.
Also Read: As the world grapples with deepfakes, AI companies agree to a set of principles
There are suggestions that users who do not give their consent for having their communication scanned, should still be able to use a limited part of the messaging service, but will not be able to send any visual content such as photos or videos, as well as URLs or links to websites.
To implement CSAM screening, the revised proposals talk about upload moderation, which makes reporting any messaging platform mandatory, upon detection of online child sexual abuse on any of its services. These instances will be apart from those shared with messaging platforms, as part of removal orders. It is this implementation which would mean scanning and monitoring user communication, often sensitive or personal in nature, by service providers.
Quite how the likes of Meta, Google, Signal, Telegram and others are expected to collect this data, has been left in the realm of ambiguity. “They should be required to report on potential online child sexual abuse on their services, whenever they become aware of it, that is, when there are reasonable grounds to believe that a particular activity may constitute online child sexual abuse. In the interest of effectiveness, it should be immaterial in which manner they obtain such awareness,” reads the proposal.
The new proposals do talk about the importance of metadata, which often includes the specifics of the device an image was created or shared with, the internet protocol address, location and more. “Metadata connected to reported potential online child sexual abuse may be useful for investigative purposes and for the purpose to identify a suspect of a child sexual abuse offence,” says the proposal.
Concerns about user communication privacy
“There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe,” says Meredith Whittaker, President of Signal, in a statement.
Whittaker, with what she calls “rhetorical games played by some European countries”, she points out how the new proposals have replaced the “client-side scanning” terminology to something that sounds less worrying at first glance, “content moderation”.
Swiss security company Treema points to a fear that the new regulations may become the reason for mass surveillance. “There’s no way of really knowing whether Chat Control would actually be (or remain) limited to CSAM. Once the mass-surveillance apparatus is installed, it could easily be extended to detect content other than CSAM without anyone noticing it. From a service provider’s point of view, the detection mechanism, which is created and maintained by third parties, essentially behaves like a black box,” they say, in a statement.
There is little debate that CSAM needs to be clamped down on, but the methodology and concern for user communication privacy, need refinement.
Last year, the German Child Protection Association (DKSB) which had “strongly welcomed” the earlier version of “Chat Control” action against sexualised violence against children, also pointed out that random scanning of private communication in messenger services or emails is neither proportionate nor effective.
They argue this infringes on the fundamental rights of all users including children, and fear scanning will criminalise children who at a young age may often send images that may be classified as CSAM, without understanding its consequences.
On the question of how messaging service providers are expected to keep a watch on the data that’s being shared on their platforms, the proposal’s wordings will concern users and privacy groups, while seemingly giving tech companies a free-er hand towards surveillance. “Activities conducted on the providers’ own initiative,” is how the proposal words it.
Secondly, there are fears that on-device scanning will be mandated, which will then use locally stored algorithms to detect your communication before it is encrypted by messaging services.
“Mandating mass scanning of private communications fundamentally undermines encryption. Full stop. Whether this happens via tampering with, for instance, an encryption algorithm’s random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they’re encrypted,” says Signal’s Whittaker.