date 2002-11-25
Once Again, Chat Control Flails After Strong Public Pressure:
The European Union Council pushed for a dangerous plan to scan encrypted messages, and once again, people around the world loudly called out the risks, leading the current Danish presidency to withdraw the plan.
EFF has strongly opposed Chat Control since it was first introduced in 2022. The zombie proposal comes back time and time again, and time and time again, it's been shot down because there's no public support. The fight is delayed, but not over.
It's time for lawmakers to stop attempting to compromise encryption under the guise of public safety. Instead of making minor tweaks and resubmitting this proposal over and over, the EU Council should accept that any sort of client-side scanning of devices undermines encryption, and move on to developing real solutions that don't violate the human rights of people around the world.
As long as lawmakers continue to misunderstand the way encryption technology works, there is no way forward with message-scanning proposals, not in the EU or anywhere else. This sort of surveillance is not just an overreach; it's an attack on fundamental human rights.
The coming EU presidencies should abandon these attempts and work on finding a solution that protects people's privacy and security.
From the Malwarebytes blog:
On May 11, 2022, the EU will publicize a proposal for a law on mandatory chat control. The European Commission wants all providers of email, chat and messaging services to search for suspicious messages in a fully automated way and forward them to the police in the fight against child pornography.
[...] Similar developments are taking place in the US and the supporting narrative has expanded from domestic terrorism to other illegal content and activity, such as child sexual exploitation and abuse, terrorism, foreign adversaries, and attempts to undermine democratic values and institutions.
[...] What most, if not all, of these activities have in common is that you usually won't see the criminals using the same platforms as those of us that want to stay in touch with friends and relatives. They are already conducting their "business" in illegal marketplaces on the Dark Web, or they are using encrypted phone services.
[...] Since client-side scanning technologies may represent the most powerful surveillance system ever imagined, it is imperative that we find a way to make them abuse-resistant and auditable before we decide to start using them. Failures from the past have taught us that it's often the other way around. We learn from our mistakes, but how costly are they?
MEP Patrick Breyer (Germany, Pirate Party), one of the few representatives fighting for preserving rights online rather than against them, has posted a summary about the EU Parliament's assessment of the proposed "Chat Control" legislation. In short, the "Chat Control" proposal violates basic human rights:
The experts made clear that an "increase in the number of reported contents does not necessarily lead to a corresponding increase in investigations and prosecutions leading to better protection of children. As long as the capacity of law enforcement agencies is limited to its current size, an increase in reports will make effective prosecution of depictions of abuse more difficult."
In addition, the study finds: "It is undisputed that children need to be protected from becoming victims of child abuse and depictions of abuse online... but they also need to be able to enjoy the protection of fundamental rights as a basis for their development and transition into adulthood." It warns: "With regards to adult users with no malicious intentions, chilling effects are likely to occur."
There is an obfuscated link at the bottom of his post to the study, Proposal for a regulation laying down the rules to prevent and combat child sexual abuse: Complementary Impact Assessment. He also has an older overview of the problems with the proposed legislation at his blog.
Signal, MEPs Urge EU Council To Drop Encryption-Eroding Law
Arthur T Knackerbracket has processed the following story:
On Thursday, the EU Council is scheduled to vote on a legislative proposal that would attempt to protect children online by disallowing confidential communication.
[...] Known to detractors as Chat Control, the proposal seeks to prevent the online dissemination of child sexual abuse material (CSAM) by requiring internet service providers to scan digital communication – private chats, emails, social media messages, and photos – for unlawful content.
The proposal [PDF], recognizing the difficulty of explicitly outlawing encryption, calls for "client-side scanning" or "upload moderation" – analyzing content on people's mobile devices and computers for certain wrongdoing before it gets encrypted and transmitted.
The idea is that algorithms running locally on people's devices will reliably recognize CSAM (and whatever else is deemed sufficiently awful), block it, and/or report it to authorities. This act of automatically policing and reporting people's stuff before it's even had a chance to be securely transferred rather undermines the point of encryption in the first place.
Europe's planned "regulation laying down rules to prevent and combat child sexual abuse" is not the only legislative proposal that contemplates client-side scanning as a way to front-run the application of encryption. The US Earn-It Act imagines something similar.
In the UK, the Online Safety Act of 2023 includes a content scanning requirement, though with the government's acknowledgement that enforcement isn't presently feasible. While it does allow telecoms regulator Ofcom to require online platforms to adopt an "accredited technology" to identify unlawful content, there is currently no such technology and it's unclear how accreditation would work.
With the EU proposal vote approaching, opponents of the plan have renewed their calls to shelve the pre-crime surveillance regime.
In an open letter [PDF] on Monday, Meredith Whittaker, CEO of Signal, which threatened to withdraw its app from the UK if the Online Safety Act disallowed encryption, reiterated why the EU client-side scanning plan is unworkable and dangerous.
"There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe," wrote Whittaker.
European countries continue to play rhetorical games. They’ve come back to the table with the same idea under a new label
"Instead of accepting this fundamental mathematical reality, some European countries continue to play rhetorical games."
[...] Threema said if it isn't allowed to offer encryption, it will leave the EU.
And on Tuesday, 37 Members of Parliament signed an open letter to the Council of Europe urging legislators to reject Chat Control.
"We explicitly warn that the obligation to systematically scan encrypted communication, whether called 'upload-moderation' or 'client-side scanning,' would not only break secure end-to-end encryption, but will to a high probability also not withstand the case law of the European Court of Justice," the MEPs said. "Rather, such an attack would be in complete contrast to the European commitment to secure communication and digital privacy, as well as human rights in the digital space."
Scientists urge EU governments to reject Chat Control rules:
As the final vote draws closer, an open letter has highlighted significant risks that remain in the EU's controversial 'Chat Control' regulation.
617 of the world's top scientists, cryptographers and security researchers have released an open letter today (10 September) calling on governments to reject the upcoming final vote on the EU's 'Chat Control' legislation.
The group of scientists and researchers – hailing from 35 countries and including the likes of AI expert Dr Abeba Birhane – has warned that the EU's proposed legislation targeting online child sexual abuse material (CSAM), known colloquially as Chat Control, would undermine the region's digital security and privacy protections and "endangers the digital safety of our society in Europe and beyond".
The group also warned that the new rules will create "unprecedented capabilities" for surveillance, control and censorship, and has an "inherent risk for function creep and abuse by less democratic regimes".
This is not the first time this collective has warned against the regulation, having previously published its recommendations in July 2023, May 2024 and September 2024.
The proposed legislation would require providers of messaging services such as WhatsApp, Signal, Instagram, email and more to scan their users' private digital communications and chats for CSAM material. This scanning would even apply to end-to-end encrypted communications, regardless of a provider's own security protections.
Any content flagged as potential CSAM material by the scanning algorithms would then be automatically reported to authorities.
Currently, 15 EU member states have issued support for the legislation – including Ireland. Six member states oppose the rules, while six remain undecided in their stance.
While the latest draft of the legislation has been amended to exclude the detection of audio and text communications – limiting detection to "visual content", such as images and URLs – the scientists argue that the legislation in its current form is still unacceptable.
The group argues that none of the legislation's changes address its major concerns, namely the infeasibility of scanning hundreds of millions of users for CSAM content with appropriate accuracy, the undermining of end-to-end encryption protections and the heightened privacy risks to EU citizens.
While the latest draft of the regulation has reduced the scope of targeted material (limited to visual content and URLs), the group of scientists states that this reduction will not improve effectiveness.
"There is no scientific basis to argue that detection technology would work any better on images than on text," reads the letter, with further assertions that CSAM detection methods can be easily evaded. The group states that just changing a few bits in an image is "sufficient to ensure that an image will not trigger state-of-the-art detectors".
The group also criticises the EU's proposal of using AI and machine learning to detect CSAM imagery due to the technology's unreliability.
(Score: 0) by Anonymous Coward on Tuesday November 04, @06:47AM
I was still in the big glassy boxes when the phrase "insider threats" emerged. I was participating in the writing of software to handle them, but was known to voice the notion that a more robust solution would be to hire ethical people, pay them well, and be mindful of unusual behavior when it arises rather than pour so much money into a technical solution. Of course I still cashed the checks.
Anyway, I'm reminded of that. Hey government, if you're not misbehaving, you have nothing to be afraid of. Plainly the spy agencies of various countries are not going to pay attention to this. They'll move whatever they need via "numbers stations", "stego" or even a diplomatic pouch full of thumb drives. Secret communications by your allies aren't threatening, are they?
Good. Then consider the citizens your allies, and treat them at least as well if not better. You should have very few problems.