Meredith Whittaker – president of the Signal Foundation, which runs the eponymous end-to-end encrypted (E2EE) messaging app – on Monday criticized the European Union’s latest proposals to require messaging services to check whether users shared child abuse material.
Her complaint follows the publication of an internal document by the European Council – the EU body that sets the bloc’s political direction – revealing its position from the end of May on a proposed regulation to ‘prevent and prevent child sexual abuse to fight’.
The EU document, which was published online by civil society groups, is now not the final version of the Council’s negotiating position. Once a final position has been agreed, possibly as soon as this week, it will be published and further negotiations between the Council and the newly elected European Parliament will begin.
According to the publicly available version, the Council recognizes that E2EE is “a necessary means to protect fundamental rights” but warns that services using it should not “inadvertently become safe zones where child sexual abuse material can be shared or distributed without possible consequences.”
It proposes: “Therefore, child sexual abuse material should remain detectable in all interpersonal communications services through the application of controlled technologies, when uploaded, provided that users give their express consent under the provider’s terms and conditions for applying of a specific functionality. to such a detection in the relevant service.”
Users who do not consent to this so-called “upload moderation” should “still be able to use that part of the service that does not involve sending visual content and URLs,” the document said.
The document does not prescribe specific technologies, such as Apple’s proposed hash-based client-side scanning, which was withdrawn after complaints and civil society criticism from some of the world’s most respected information security experts in an article titled Bugs in Our Pockets.
E2EE messaging “providers are free to design and implement, in accordance with Union law, measures based on their existing practices to detect online child sexual abuse in their services,” the Council negotiating document said.
Nevertheless, Signal’s Whittaker argues: “There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in the core infrastructure that would have global implications far beyond Europe.”
Similar legislation has been passed in the UK, where the Online Safety Act includes a provision that could require messaging platforms to use ‘accredited technology’ to identify child abuse content if the communications regulator is notified to do so. Currently, such technology is not accredited.
Whittaker dismissed the possibility of finding a technological solution to the problem: “Whether this is done by tampering with, for example, the generation of random numbers through an encryption algorithm, or by implementing a key-keeping system, or by forcing communications through into a surveillance system before they are encrypted […] Each of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states, removing the protection of unbreakable math and replacing it with a high-level vulnerability.”
📣Official statement: The new EU chat control proposal for mass scanning is the same old surveillance with new branding.
Whether you call it a backdoor, a front door or ‘upload moderation’, it undermines encryption and creates significant vulnerabilitieshttps://t.co/g0xNNKqquA pic.twitter.com/3L1hqbBRgq
— Meredith Whittaker (@mer__edith) June 17, 2024
Recorded future
Intelligence cloud.
Learn more.