Will Any Service Be Private?

A controversial proposal put forth by the European Union (EU) to scan users' private messages for detection of child sexual abuse material (CSAM) poses severe risks to end-to-end encryption (E2EE), warned Meredith Whittaker, president of the Signal Foundation, which maintains the privacy-focused messaging service of the same name. "Mandating mass scanning of private communications fundamentally undermines encryption. Full Stop," Whittaker said in a statement on 17 June 2024. "Whether this happens via tampering with, for instance, an encryption algorithm's random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they're encrypted."

https://redskyalliance.org/xindustry/how-far-will-us-law-enforcement-go-to-get-information

The response comes as lawmakers in Europe are putting forth regulations to fight CSAM with a new provision called "upload moderation" that allows messages to be scrutinized ahead of encryption.  A recent report from Euractiv revealed that audio communications are excluded from the ambit of the law and that users must consent to this detection under the service provider's terms and conditions.  "Those who do not consent can still use parts of the service that do not involve sending visual content and URLs," it further reported.[1]

In late April 2024, Europol called on the tech industry and governments to prioritize public safety. It warned that security measures like E2EE could prevent law enforcement agencies from accessing problematic content, reigniting an ongoing debate about balancing privacy against combating severe crimes. Without delving into implementation specifics, it also called for platforms to design security systems so they can still identify and report harmful and illegal activity to law enforcement.

iPhone maker Apple famously announced plans to implement client-side screening for child sexual abuse material (CSAM) but abandoned the idea in late 2022 following sustained blowback from privacy and security advocates.  "Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types," the company said at the time, explaining its decision.  It also described the mechanism as a "slippery slope of unintended consequences."

Signal's Whittaker further said calling the approach "upload moderation" is a word game tantamount to inserting a backdoor (or a front door), effectively creating a security vulnerability ripe for exploitation by malicious actors and nation-state hackers. "Either end-to-end encryption protects everyone and enshrines security and privacy, or it's broken for everyone," she said.  "Breaking end-to-end encryption, particularly at such a geopolitically volatile time, is disastrous."

Encrypted service providers Proton and Threema have also come out strongly against the so-called Chat Control bill, stating the passage of the law could severely hamper the privacy and confidentiality of EU citizens and civil society members.  "It doesn't matter how the EU Commission is trying to sell it – as 'client-side scanning,' 'upload moderation,' or 'AI detection' – Chat Control is still mass surveillance," the Swiss company said.  "And regardless of its technical implementation, mass surveillance is always an incredibly bad idea."

Several other organizations, including Access Now, the Electronic Frontier Foundation, Internet Freedom Foundation, the Center for Democracy and Technology, Mozilla, and Privacy International, have also signed a joint statement urging the EU to reject proposals that scan user content.

 

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Our services can help detect cyber threats and vulnerabilities. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings: https://register.gotowebinar.com/register/5378972949933166424

 

[1] https://thehackernews.com/2024/06/signal-foundation-warns-against-eus.html
