Signal president Meredith Whittaker criticizes EU attempts to crack down on child abuse material

Meredith Whittaker – president of the Signal Foundation, which runs the end-to-end encrypted (E2EE) messaging app of the same name – on Monday criticized the European Union’s latest proposals to require messaging services to check whether users are sharing child abuse material.

Her complaint follows the publication of an internal document from the European Council – the EU body that sets the bloc’s political direction – revealing its position in late May on a proposed regulation to “prevent and combat the sexual exploitation of children”.

The EU document, published online by civil society groups, is no longer the latest version of the Council’s negotiating position. Once the final position is agreed, probably as early as this week, it will be published and further negotiations between the Council and the newly elected European Parliament will begin.

According to the publicly available version, the Council recognizes that E2EE is a “necessary means of protecting fundamental rights” but warns that services using it must not “inadvertently become safe zones where child sexual exploitation material can be shared or disseminated without possible consequences”.

It suggests: “Therefore, child sexual abuse material should remain detectable on all interpersonal communication services through the use of proven technologies when uploaded, provided that users give their express consent according to the provider’s terms for the specific feature to be used to such a finding in the relevant service.”

Users who do not consent to this so-called “upload moderation” should “still be able to use the part of the service that does not involve submitting visual content and URLs,” the document says.

The document does not prescribe specific technologies, such as the hash-based client-side scanning proposed by Apple, which was withdrawn after complaints from civil society and criticism from some of the world’s most respected information security experts in a document called Bugs in Our Pockets.

“E2EE reporting providers may, in accordance with Union law, design and implement measures based on their existing procedures for detecting online child sexual abuse in their services,” the Council’s discussion paper states.

Despite this, Signal’s Whittaker argues: “There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in the underlying infrastructure that would have global implications far beyond Europe’s borders.”

Similar legislation has been passed in the UK, where the Online Safety Act includes a provision that could require messaging platforms to use “accredited technology” to identify child abuse content if brought to the attention of the communications regulator. Currently, no such technology is accredited.

Whittaker dismissed the possibility of finding a technological solution to the problem: “Whether that is through manipulation, such as generating the random numbers of an encryption algorithm, or implementing a third-party escrow system, or forcing communications to pass through a tracking system before they are encrypted […] each of these approaches creates a vulnerability that can be exploited by hackers and hostile nation-states, removing the protection of unbreakable mathematics and replacing it with a high-value vulnerability.”
