In May 2022 the European Commission published a proposal for preventing and combating child sexual abuse. This proposal is well-intentioned and seeks to increase child safety online by imposing new obligations on online communication service providers. However, the current draft of the proposal includes an obligation that providers scan all private communications to detect instances of child sexual abuse which, in practice, would require the violation of strong encryption, including end-to-end encryption.
The loss of secure communication technologies like end-to-end encryption will create new vulnerabilities that put European Internet users, including children, at risk. This will have harmful implications for European trust in the Internet and could derail Europe’s economic ambitions for a Digital Decade. The Internet Society’s analysis of these risks can be found here.
The Internet Society is not alone in these concerns.
The European Data Protection Supervisor (EDPS) has recognised encryption as a main tool for guaranteeing the security of our information, building the digital economy and protecting our fundamental rights:
“While law enforcement requires the means to fight crime on the internet, any new measure would have to first pass the test for necessity and proportionality, based on substantiated evidence. While encryption makes bulk data collection and mass surveillance difficult, it is not a limiting factor in more targeted and specific measures. Restrictions on encryption pose significant risks to the economy and society in general.”
Likewise, the United Nations Human Rights Council voiced support for encryption as a key enabler of privacy and security as well as an essential tool for safeguarding rights:
“In recent years, various Governments have taken actions, which, intentionally or not, risk undermining the security and confidentiality of encrypted communications […] the impact of most encryption restrictions on the right to privacy and associated rights are disproportionate, often affecting not only the targeted individuals but the general population.
Outright bans by Governments, or the criminalisation of encryption in particular, cannot be justified as they would prevent all users within their jurisdictions from having a secure way to communicate […] Without in-depth investigation and analysis, it seems unlikely that [mandated general client-side scanning] could be considered proportionate under international human rights law, even when imposed in pursuit of legitimate aims, given the severity of their possible consequences.”
We have been informed that a US-based child safety tech organisation will be visiting European capitals to hold meetings with policymakers over the coming weeks and months. While discussions on ways to improve child safety on the Internet are welcome, we are concerned that these lobbying meetings may not provide a complete view. Client-side scanning –the solution fostered by this tech organisation through a proprietary commercial tool– negates the value of end-to-end encryption and, as we have analysed, is not a viable solution. Moreover, the European Court of Justice has prohibited the general and indiscriminate surveillance of the public that such technologies would entail as a violation of fundamental rights.
We, the Internet Society Catalan Chapter share the concerns of the Internet Society and other stakeholders. Established in 1996, we are a group of about 240 volunteers from the technical community that work for an open, globally connected, secure and trustworthy Internet in Europe and in our country. We support strong encryption and believe that efforts to combat and prevent child sexual abuse can and should be compatible with strong encryption. We are available for further discussions.
La entrada Comunicat sobre la iniciativa legislativa de la UE sobre CSAM se publicó primero en Catalan Chapter of the Internet Society.