EU Commission Asks EU Council Lawyers If Compelled Client-Side Scanning Is Legal, Gets Told It Isn't:
Lots of ideas have been floated by legislators and others in hopes of limiting the distribution of child sexual abuse material (CSAM). Very few of these ideas have been good. Most have assumed that the problem is so horrendous any efforts are justified. The problem here is that governments need to actually justify mandated mass privacy invasions, which is something that they almost always can't do.
It's even a fraught issue in the private sector. Apple briefly proposed engaging in client-side scanning of users' devices to detect CSAM and prevent its distribution. This effort was put on hold when pretty much everyone objected to Apple's proposal, stating the obvious problems it would create — a list that included undermining the security and privacy protections Apple has long used as evidence of its superiority over competing products and their manufacturers.
Not that legislators appear to care. The EU Commission continues to move forward with its "for the children" client-side scanning mandate, despite the multitude of problems this mandate would create. Last year, the proposal was ripped to shreds by the EU Data Protection Board and its supervisor in a report that explained the mandate would result in plenty of privacy invasion and data privacy law violations that simply could not be excused by the Commission's desire to limit the spread of CSAM.
[...] So, the proposal continues to move forward, ignoring pretty much every rational person's objections and the German government's flat-out refusal to enforce this mandate should it actually become law.
The Commission has ignored pretty much everyone while pushing this massive privacy/security threat past the legislative goal line. But it may not be able to ignore the latest objections to its proposal, given that they're being raised by the EU government's own lawyers.
[...] The legal opinion [PDF] makes it clear there's very little that's actually legal about compelled client-side scanning. The entire thing is damning, but here's just one of several issues the legal Council says the EU Commission is wrong about:
[...] A shotgun approach to CSAM detection is a civil rights disaster waiting to happen, especially in cases where the government decides all users of a service are guilty just because some users are using the service to distribute illegal content.
The proposed legislation requires the general screening of the data processed by a specific service provider without any further distinction in terms of persons using that specific service. The fact that the detection orders would be directed at specific services where there is evidence of a significant risk of the service being used for the purpose of online child sexual abuse would be based on a connection between that service and the crimes of child sexual abuse, and not, even indirectly, on the connection between serious criminal acts and the persons whose data are scanned. The data of all the persons using that specific service would be scanned without those persons being, even indirectly, in a situation liable to give rise to criminal prosecutions, the use of that specific service being the only relevant factor in this respect.
And this would set off a chain of events that could easily result in permanent surveillance of millions of people's communications across multiple internet-based services. Not so much mission creep as mission sprint.
Furthermore, since issuing a detection order with regard to a specific provider of interpersonal communication services would entail the risk of encouraging the use of other services for child sexual abuse purposes, there is a clear risk that, in order to be effective, detection orders would have to be extended to other providers and lead de facto to a permanent surveillance of all interpersonal communications.
[...] The Council sums up its report by saying that if this proposal hopes to survive even the most cursory of legal challenges, it needs to vastly decrease its scope and greatly increase the specificity of its targeting. Otherwise, it's just a bunch of illegal surveillance masquerading as a child protection program. The Commission may be able to ignore security professionals and the occasional member state, but it seems unlikely it can just blow off its own lawyers.
(Score: 1, Interesting) by Anonymous Coward on Thursday May 18, @05:41PM (1 child)
A good lawyer doesn't tell you whether something is or isn't legal. A good lawyer tells you how you can do what you want to do in a legal fashion.
The fact that the EU Commission's own lawyers couldn't find that way is rather telling.
While not entirely applicable, every time this type of thing comes up, I am reminded of this quote:
One can easily imagine "client-side scanning" turning into "client-side mandatory applications" to "with this residence, we can dump our stuff on yours and then round you up for having illegal content". While this certainly sounds like a Slippery Slope Argument, I'll just remind you that every single fucking time that a slippery slope argument has been raised when it comes to this particular type of behavior, instead of heeding the warning, the reaction was more akin to "Look! Super-happy-fun slide... let's go down it... wheeeeeeeeeee". I think we should take the "Slippery Slope Argument" out of the 'fallacies' list and dump it in the "pay fuckin' attention".
(Score: 4, Insightful) by sjames on Thursday May 18, @06:36PM
The problem is that slippery slope IN A VACUUM is a fallacy, but coupled with external supporting arguments like legislators and law enforcement that are proven suckers for temptation, especially if the slippery slope reduces auditability, it's a darned strong argument.
In most debates, slippery slope is not so much a fallacy but a shorthand for entire books worth of arguments against a thing based on authorities repeatedly demonstrating that they cannot be trusted.
For the most part, the rules of formal debate assume that both sides are debating in good faith. That assumption hasn't held in politics for a long time now.
(Score: 2, Interesting) by pTamok on Thursday May 18, @05:46PM
The lawyers interpret the law as made by the lawmakers.
If the lawyers' view is that the current law cannot be construed to cover the situation the lawmakers want, the lawmakers can make new laws.
Who are the lawmakers in this instance?...
(Score: 5, Funny) by Anonymous Coward on Thursday May 18, @05:58PM
I suggest a pilot of this program: since every population (according to those who push this type of 'solution' as a fix against CSAM) contains a certain percentage of CSAM peddlers, and because the European Commission and Parliament are obviously entirely and fairly representative of the general population of the EU, taking a purely statistical approach, there ought to be at least 1 (probably even more) CSAM peddlers among them. Right? Because, aren't we told that this is super prevalent, hence warranting this very approach? That's 705 MEPs plus 27 commissioners, plus the president of the European Council, so a population of roughly 733 subjects?
So let the program prove itself: subject each and every MEP and Commissioner to this for, let's say MAX(2 years, their duration as commissioner or MEP). If the program proves itself to work by identifying clearly and publicly who they caught, including everyone, every single person, they were in contact with - because obviously, those individuals are also implicated and deserve scrutiny, then we can consider thinking about further discussing this particular proposal to mandate client-side scanning. Heck, let's broaden the pool and toss in anyone who has publicly stated support for this idea to broaden the chances of catching the targeted demographic.
If it fails to do so, well, then it clearly wouldn't work in the bigger world either, and so we can abandon the whole idea and premise forever...
I should go into politics, vote AC today!
(Score: 5, Interesting) by JustNiz on Thursday May 18, @06:12PM (1 child)
Is anyone here naive enough to truly believe that CSAM is what this is actually all about?
It seems to me that once in place, this mechanism is inevitably going to get extended to other uses than anti-CSAM (probably without the end-user's permission or even knowledge, until some hacker inevitably figures it out) and once again the mass majority of the public will just keep buying products that have this enabled because they are gullible enough to believe it's actually about protecting kids.
Even Orwell didn't predict that citizens being spied on by governments would happily pay for the devices out of their own pockets and voluntarily install them in their own homes.
(Score: 3, Insightful) by deimtee on Thursday May 18, @09:36PM
Obviously, once the mechanism is in place, there will be a very strong push by the copyright industry to use it as well.
They will be keeping quiet at the moment, probable statement; "CSAM is very bad and we support every effort to catch those responsible. Who, us? Use it to catch those damn pirates? Never considered it."
No problem is insoluble, but at Ksp = 2.943×10^-25 Mercury Sulphide comes close.
(Score: 5, Insightful) by Rosco P. Coltrane on Thursday May 18, @07:20PM (3 children)
it's "client side scanning" - which is basically someone other than you taking control of your electronic property and sifting through your data.
I don't see the difference between that and home invasion. Even the police needs a warrant to enter someone's property. Yet for some reason, Apple, Microsoft and Google are allowed to intrude everybody's digital homes with total impunity.
Someone at those companies should be doing hard time for even suggesting this. Yet the best we can do to curb these companies' incredible capabilities and appetite for invasiveness is a meek pushback. This is so dystopian... How did we get to this point?
I don't care if a few pedos slip through the cracks: if the price to pay to catch them is global corporate fascism, the price is way too high.
(Score: 2) by aafcac on Friday May 19, @12:38AM (2 children)
I don't really understand how it makes any substantive difference whether it's my personal computer that they scan or my data on a company's server that they scan. This is the EU, so the US constitutional rights don't apply, but this is the same basic issue. For a continent where people are so picky about privacy, this seems even crazier than it being a loophole around several US constitutional rights.
(Score: 2) by Rosco P. Coltrane on Friday May 19, @11:39AM (1 child)
First of all, what if I don't put my data on their server?
Besides, if I go to the gym and I put my smelly underwear in one of their lockers, the gym has the right to open the locker and inspect the content. It's their lockers. That doesn't give the gym the right to enter my home and check if I also have smelly underwear in my drawers. And it CERTAINLY doesn't give the gym that right if I don't even use their lockers.
If you don't see the difference, you're really a product of the dystopian present through and through. Jeez... I can't even believe I have to spell it out.
(Score: 2) by aafcac on Friday May 19, @11:48AM
You're a pretty dim bulb, aren't you? The only way to not put anything on their servers is to not go online at all. Other than that, it's just a matter of degrees of invasion of privacy. Having to have an entirely separate computer for private things is a level of security that apparently exceeds what MSI or DARPA are able to achieve.