The EU Commission is working on a legislative package to combat child sexual abuse, which it plans to present soon. One part of the planned law deals with the dissemination of pictures and videos of child abuse on the internet. The law could also target private and encrypted communication, for example via messenger apps. Critics call this form of preventative mass surveillance a danger to privacy, IT security, freedom of speech and democracy.
An overview:
- What are the plans of the EU Commission and the Council Presidency?
- How could this be implemented technically?
- What does chat control mean in concrete terms?
- Can the system be expanded?
- Is chat control even legal?
- What can I do against this project?
What are the plans of the EU Commission and the Council Presidency?
Olivier Onidi, Deputy Director General for Home Affairs, outlined what the EU Commission wants. He said the proposal would try to „include all means of communication in the scope“. After all, this was the true added value of the proposal, „to cover all forms of communication, including private communication“, Onidi answered a question from MEP Patrick Breyer (Pirates/Greens group). Breyer has given the project the name „chat control“.
Originally, the presentation of the controversial bill was scheduled for December 1st, but the item has since disappeared from the Commission’s calendar. When asked, a spokesperson only confirmed that the Commission was working on the proposal. However, she could not give a concrete date at the moment.
Member states could support the proposal. Slovenia, which currently holds the Council Presidency, has declared the fight against child abuse to be one of its main priorities. The Council Presidency wants to focus on the „digital dimension“, according to a Council paper from September published by Statewatch. End-to-end encrypted communication in particular makes life difficult for investigative authorities. Therefore, the role of „proactive measures“ – i.e. automated approaches that screen the content – should at least be discussed.
How the EU Parliament will position itself on the proposal is not certain yet. However, this year MEPs voted to allow online services such as Facebook, Skype or Gmail to continue scanning content. This has been done on a voluntary basis by many platforms and cloud services for some time, but recently strengthened data protection rules temporarily made the practice illegal. The hastily decided exemption is valid for three years for the time being, only concerns unencrypted content and could be replaced by the now planned law.
How could this be implemented technically?
Should the scanning obligation make it into the draft, it is unlikely that technical details will be determined there. The magic formula in Brussels is usually „proactive measures“, which were also supposed to remove terrorist content from the net, for example. The exact technical implementation is likely to be left to the providers themselves. For the time being, it also remains open whether all providers of messengers could be affected or only those with a certain number of users.
In principle, they could use existing approaches, such as the PhotoDNA software developed by Microsoft and the database of the US organisation National Center for Missing and Exploited Children (NCMEC). This contains digital fingerprints, so-called hashes, of pictures or videos that have already been identified as illegal. Before each message is sent, the hash of an attachment could be determined and compared with the database. If the file turns out to be known, it could be prevented from being sent and potentially trigger a tip-off to the police.
In combination with artificial intelligence, Microsoft uses PhotoDNA in a number of its products, such as Skype, OneDrive or Xbox. The manufacturer also makes the software available to other providers, including Google, Twitter and Facebook.
Apple is also planning measures against the dissemination of child sexual abuse material (CSAM). On the smartphone, these are to be checked against the NCMEC database by means of „client-side scanning“ before they can be uploaded to the cloud. In addition, Apple planned a „parental control“ running on the device. This would use artificial intelligence to detect „sexually explicit“ images when sending messages and notify parents if necessary. However, after a wave of protests worldwide, the plans are on hold for the time being.
One surveillance technology that could follow from the EU law is called Client-Side-Scanning (CSS). Most recently, in a joint study, world-renowned IT security researchers and encryption system inventors have strongly criticised all plans for content scanners on end-users‘ devices. The experts conclude: client-side scanning is a threat to privacy, IT security, freedom of speech and democracy as a whole.
Technically, CSS still allows end-to-end encryption, but this is questionable if the message is scanned for targeted content before it is sent. Moreover, CSS creates security vulnerabilities and gateways for players such as state hackers and criminals.
What does chat control mean in concrete terms?
No matter how the technical implementation turns out in detail: The intrusion into privacy would be very deep. Every single message would be automatically searched, regardless of suspicion, evaluated and, when indicated, reported to the providers and authorities.
This would inevitably include countless quite normal, legitimate photos and videos that people send to each other. Should the automatic recognition, which is unreliable for the time being, raise alarm, the content would have to be checked by humans in any case. This would not only violate the right to privacy, but would also be another gateway for abuse.
For providers, this would also have massive consequences. They would either have to connect to an already existing infrastructure or develop solutions themselves to comply with the law. This would play into the hands of larger providers who have enough resources to implement such requirements. Alternatively, some providers could withdraw from the EU if the effort is too much for them.
Can the system be extended?
The intervention on the devices through chat control would already be considerable, even if only depictions of abuse were searched for, as currently planned. IT experts fear that even if client-side scanning were initially only used to search for such content, there would be enormous political and social pressure to expand its scope.
Their argument here is that once a surveillance infrastructure is introduced, it wakes desires, and after its introduction, there would be hardly any possibility to resist the expansion or to control the misuse of the system. Technically, an expansion is very easy to implement. Therefore, IT experts conclude that CSS is an invasion of privacy that is even worse than previous proposals to weaken encryption. Edward Snowden argued similarly against Apple’s plans to implement such surveillance technology on end devices. The whistleblower fears unprecedented mass surveillance.
Is chat control even legal?
Automated scanning could be illegal, according to a legal opinion by Prof. Dr. Ninon Colneric (PDF). Generally, in the EU, surveillance without any reason or suspicion is prohibited because it violates fundamental rights. The European Court of Justice has repeatedly confirmed this view and, for example, repeatedly reprimanded data retention.
Nevertheless, attempts to revive the zombie of data retention with legal tricks have not died down. The demand is regularly found in Council papers of the EU countries. This kind of mass surveillance is also still included in the German Telecommunications Act, even if it is currently suspended.
What can I do against this project?
So far, there are no broad civil society alliances against the proposal, but the protest is just getting louder. The EU Pirate MEP Patrick Breyer has put together an action page at chatkontrolle.de. He calls on people to contact representatives of the EU Commission, such as the EU Commissioner for Home Affairs, Ylva Johannson, or the EU Commission President, Ursula von der Leyen, via telephone and e-mail and to express their protest. In the coming weeks, civil society alliances and other forms of protest could also emerge. For this, it can be helpful to get involved yourself and contact civil rights and digital organisations about the issue of chat control.
Translation from German to English: Franziska Rau.
Hilf mit! Mit Deiner finanziellen Hilfe unterstützt Du unabhängigen Journalismus.
0 Commentaires