EU Pitched Client-Side Scanning By Targeting Certain EU Residents With Misleading Ads

The EU Commission has been pushing client-side scanning for well over a year. This new intrusion into private communications has been pitched as perhaps the only way to prevent the sharing of child sexual abuse material (CSAM).
Mandates proposed by the EU government would have forced communication services to engage in client-side scanning of content. This would apply to every communication or service provider. But it would only negatively affect providers incapable of snooping on private communications because their services are encrypted.
Encryption - especially end-to-end encryption - protects the privacy and security of users. The EU's pitch said protecting more than the children was paramount, even if it meant sacrificing the privacy and security of millions of EU residents.
Encrypted services would have been unable to comply with the mandate without stripping the client-side end from their end-to-end encryption. So, while it may have been referred to with the legislative euphemism "chat control" by EU lawmakers, the reality of the situation was that this bill - if passed intact - basically would have outlawed E2EE.
Fortunately, there was a lot of pushback. Some of it came from service providers who informed the EU they would no longer offer their services in EU member countries if they were required to undermine the security they provided for their users.
The more unexpected resistance came from EU member countries who similarly saw the gaping security hole this law would create and wanted nothing to do with it. On top of that, the EU government's own lawyers told the Commission passing this law would mean violating other laws passed by this same governing body.
This pushback was greeted by increasingly nonsensical assertions by the bill's supporters. In op-eds and public statements, backers insisted everyone else was wrong and/or didn't care enough about the well-being of children to subject every user of any communication service to additional government surveillance.
That's what happened on the front end of this push to create a client-side scanning mandate. On the back end, however, the EU government was trying to dupe people into supporting their own surveillance with misleading ads that targeted people most likely to believe any sacrifice of their own was worth making when children were on the (proverbial) line.
That's the unsettling news being delivered to us by Vas Panagiotopoulos for Wired. A security researcher based in Amsterdam took a long look at apparently misleading ads that began appearing on Twitter as the EU government amped up its push to outlaw encryption.
Danny Meki was digging into the EU's "chat control" law when he began seeing disturbing ads on Twitter. These ads featured young women being (apparently) menaced by sinister men, backed by a similarly dark background and soundtrack. The ads displayed some supposed "facts" about the sexual abuse of children and ended with the notice that the ads had been paid for by the EU Commission.
The ads also cited survey results that supposedly said most European citizens supported client-side scanning of content and communications, apparently willing to sacrifice their own privacy and security for the common good.
But Meki dug deeper and discovered the cited survey wasn't on the level.
Following closer inspection, he discovered that these findings appeared biased and otherwise flawed. The survey results were gathered by misleading the participants, he claims, which in turn may have misled the recipients of the ads; the conclusion that EU citizens were fine with greater surveillance couldn't be drawn from the survey, and the findings clashed with those of independent polls.
This discovery prompted Meki to dig even deeper. What Meki found was that the ads were very tightly targeted - so tightly targeted, in fact, that they could not have been deployed in this manner without violating European laws that are aimed to prevent exactly this sort of targeting, i.e. by using "sensitive data" like religious beliefs and political affiliations.
The ads were extremely targeted, meant to find people most likely to be swayed towards the EU Commission's side, either because the targets never appeared to distrust their respective governments or because their governments had yet to tell the EU Commission to drop its proposed anti-encryption proposal.
Meki found that the ads were meant to be seen by select targets, such as top ministry officials, while they were concealed from people interested in Julian Assange, Brexit, EU corruption, Eurosceptic politicians (Marine Le Pen, Nigel Farage, Viktor Orban, Giorgia Meloni), the German right-wing populist party AfD, and "anti-Christians."
Meki then found out that the ads, which have garnered at least 4 million views, were only displayed in seven EU countries: the Netherlands, Sweden, Belgium, Finland, Slovenia, Portugal, and the Czech Republic.
A document leaked earlier this year exposed which EU members were in favor of client-side scanning and its attendant encryption backdoors, as well as those who thought the proposed mandate was completely untenable.
The countries targeted by the EU Commission ad campaign are, for the most part, supportive of/indifferent to broken encryption, client-side scanning, and expanded surveillance powers. Slovenia (along with Spain, Cyprus, Lithuania, Croatia, and Hungary) was firmly in favor of bringing an end to end-to-end encryption.
The Netherlands fell somewhere in the middle, saying simply that it's not necessary to outlaw encryption because it can find other ways around it. Seems like a "no" vote, but it was more a shrug. That government apparently didn't care whether or not the proposal was passed, but never stated any direct opposition to basically outlawing E2EE. The same goes for Belgium, which stated no direct opposition to encryption-breaking, and simply stated it was fine with whatever but pointed out that encryption does not work the way the EU Commission seems to think it does.
The others on this list either weren't detailed in the leaked document (Sweden, Portugal) or offered some defense of encryption (Finland) while suggesting maybe all the culpability should lie at the feet of service providers (also Finland). The Czech Republic came down on the side of encryption, but tempered it a bit by suggesting that with "general boundaries," perhaps some encryption backdoors would be okay.
While we're accustomed to politicians airing misleading ads during election runs, this is something different. This is the representative government of several nations deliberately targeting countries and residents it apparently thinks might be receptive to its skewed version of the facts, which comes in the form of the presentation of misleading survey results against a backdrop of heavily-implied menace. And that's on top of seeming violations of privacy laws regarding targeted ads that this same government body created and ratified.
It's a tacit admission EU proposal backers think they can't win this thing on its merits. And they can't. The EU Commission has finally ditched its anti-encryption mandates after months of backlash. For the moment, E2EE survives in Europe. But it's definitely still under fire. The next exploitable tragedy will bring with it calls to reinstate this part of the "chat control" proposal. It will never go away because far too many governments believe their citizens are obligated to let these governments shoulder-surf whenever they deem it necessary. And about the only thing standing between citizens and that unceasing government desire is end-to-end encryption.