AWhen Apple published a plan in August to take action against images of child abuse on its devices, the company apparently expected little resistance. At first glance, the concern of the group appeared to be a good thing: The Apple developers wanted to prevent the dissemination of images and videos showing child abuse – but at the same time to keep the encryption of their users’ chats and files unrestricted.
Apple called the solution for this, “Client Side Scanning”. The images and chat content should therefore already be recorded and checked on the users’ devices before the data is encrypted for transmission.
Apple was all the more astonished when privacy advocates and security researchers unleashed a storm of indignation. Because with the technology, Apple would, according to the criticism of renowned researchers at the Massachusetts Institute of Technology (MIT) and the University of Cambridge, install surveillance software on an industrial scale on the devices of all users.
According to the critics, what they are looking for is entirely in the hands of Apple – and in that of national legislators and security authorities that could put Apple under pressure. Whether the criticism, Apple withdrew the project, for the time being.
But at least in the European Union, CSS surveillance technology could soon end up on users’ devices, warn EU parliamentarians such as Pirate MP Patrick Breyer. Because the EU member states want to enforce a control of chats and media content in the networks of the large Internet companies sooner rather than later. EU Interior Commissioner Ylva Johansson is currently pursuing a corresponding draft law.
“US corporations like Facebook have been secretly using chat controls on their servers for years,” explains Breyer in an interview with WELT. But now almost all messenger services are based on end-to-end encryption. This is why it is no longer possible to control WhatsApp or Signal. In addition, Internet services are now covered by telecommunications secrecy, so manufacturers are no longer allowed to scan – actually.
Chat control should become mandatory
But that offends EU security politicians. And corporations also want to continue to control what their services are used for. “The US providers presented to the EU Commission in 2020 and wanted to have this legalized. As a result, an exemption for scanning personal chat content was issued last autumn, ”explains Breyer.
The temporary exception regulation was linked to an announcement that should affect all providers: The EU wants to add permanent legislation that should make chat control mandatory.
According to the current draft, all providers of chat programs would have to run control software on the device itself, which uses artificial intelligence to detect whether prohibited images are being exchanged. So-called cybergrooming, i.e. the illegal seduction of children by adults, should also be recognized.
Almost exactly a year ago, a similar proposal at the EU level caused a sensation, which wanted to weaken the encryption. The reason was a draft resolution of the German Council Presidency to the delegations of the member states in the European Council.
The reason at that time was not the fight against child abuse, but the terrorist attack in Vienna. The attack initially had nothing to do with encrypted messages that terrorists write to messenger services such as WhatsApp, Signal and Telegram. And yet this was exactly what was discussed.
The document said the EU continues to support strong encryption. However, a “better balance” must be created between protecting privacy on the one hand and fighting organized crime and terrorism on the other.
Responsible security and law enforcement authorities, it said further, should be able to access data. The technical solutions for this would have to correspond to “the principles of legality, transparency, necessity and proportionality”. Governments, industry, research and science should work together “to strategically strike this balance”.
The tool can easily be misused
How exactly this should work is not defined in the current draft law. But CSS is the only technology that fulfills the requirement not to break the encryption on the one hand, but on the other hand to enable control.
The fact that the EU of all things is implementing a technology on all smartphones among Internet devices that could then also be used in authoritarian states to control dissidents or to persecute religious minorities apparently falls under the table. Opposition to the EU’s advance is nevertheless extremely difficult, comments Breyer: “Anyone who considers this to be dangerous and counterproductive will be pushed into the corner of the protection of perpetrators.”
Experts from the police and academia are rather critical of the EU’s project: on the one hand, they fear many false reports from the scanners, and on the other, the law will act as an alibi. Daniel Kretzschmar, spokesman for the federal board of the Bund Deutscher Kriminalbeamter, says that the fight against child abuse is “extremely important” to his association, but he is skeptical.
“An automated scan for incriminated content by private companies and a reporting obligation that is very difficult to control by security authorities carries the risk that on the one hand unsuspecting people come into the focus of investigations and on the other hand, incomprehensible selections of the reports are made by the companies.”
At the same time, the privatization of these initiative investigations would mean a “dependency of the criminal prosecution on these companies, which is actually a state and sovereign task.”
Thomas-Gabriel Rüdiger, head of the institute for cybercriminology at the University of Police in Brandenburg, is also rather critical of the EU project. “In the end it will probably mainly hit minors again,” he told WELT. Rüdiger refers to figures from the crime statistics, according to which 43 percent of the recorded crimes in the area of child pornographic content go back to children and adolescents themselves.
Real perpetrators would probably not be caught
This is the case with so-called “sexting” and “schoolyard pornography” when 13- and 14-year-olds send each other suggestive pictures. In other words, if a 13-year-old sends her 14-year-old boyfriend very revealing recordings, that would fall under child pornography.
WhatsApp group chats are another problem: If someone sends a problematic picture and participants in the chat have activated the automatic download, all participants can commit a criminal offense.
Real perpetrators who you actually want to catch would probably not be caught. “They are aware of what they are doing and are resorting to alternatives. Presumably, USB sticks and other data carriers will then be used more often again, ”Rüdiger continues.
Another problem is that every country has different guidelines and it is currently unclear how an artificial intelligence wants to recognize and differentiate this. Instead, Rüdiger advocates raising the awareness of minors by imparting media skills – and if an analysis is carried out, this should only be focused on so-called hash tables, i.e. that media are compared with known child pornographic images.
On the other hand, those who focus on protecting against child abuse see it differently. Like Rainer Becker, honorary chairman of Deutsche Kinderhilfe. Basically, he says, he understands data protection concerns about the EU plans. “But the critics of this measure fail to emphasize that it is about hundreds of thousands of depictions of abuse and hundreds of thousands of children affected by sexual violence, who thereby at least have a chance to get them out of the dangers that threaten them.”
If one weighs the protection of these children against the right to privacy in messenger services, a decision can only be made in favor of child protection.
The EU Commission wanted to present the law presumably on December 1st, which was already on the schedule of Interior Commissioner Johansson. But in view of the headwind, the date was canceled for the time being – now it should be improved again.
.