German Parliament Rejects EU Commission Call For Client-Side Scanning

Everybody agrees child sexual abuse material is a serious problem. Unfortunately, far too many supposedly serious people are coming up with very unserious solutions" to the problem.

Pressure applied by lawmakers and law enforcement led to Apple deciding to get out ahead of the seemingly-impending mandates to do something" about the problem. In August 2021, it declared its intent to engage in client-side scanning of users' content which would search for illegal material on users' devices as well as their cloud storage accounts. After receiving a ton of backlash, Apple backpedaled, putting its scanning plans on ice for the foreseeable future.

Apple recognized the problem, albeit after the fact. Legislators pushing for client-side scanning don't appear to be getting any smarter about the issue, despite having a real-world example to learn from. A bunch of security researchers wrote a report detailing all the security and privacy issues client-side scanning introduces, noting that any tradeoffs in effectiveness of shutting down CSAM were extremely limited.

This too has been ignored. Government officials all over the world still think the best thing for the children is something that would reduce the security and privacy of children who own smartphones and are almost always connected to the internet. Two GCHQ employees wrote a paper suggesting the smart thing to do was mandate client-side scanning wherever it was needed. Bundled with that proposal was the implicit suggesting that end-to-end encryption was no longer an option - not when there are children to protect.

Less than a month after this paper was published, an EU commissioner composed an incomprehensible defense of client-side scanning, one presumably provoked by the EU Data Protect Board's rejection of the entire premise, which pointed out the numerous violations of enshrined personal privacy rights client-side scanning would result in.

Somehow, despite all of this, the EU Commission is trying to move forward with mandated client-side scanning. Here's what at least some members of the Commission want, as described by Hanna Bozakov in a blog post at Tutanota:

The EU proposal covers three types of sexualized abuse, such as depictions of abuse, previously unknown material, but also so-called grooming, i.e. targeted contact with minors with the intention of abuse.

The draft law is currently in the European process of becoming a law. If passed in its current form, it would force online service providers to scan all chat messages, emails, file upload, chats during games, video conferences etc. for child sexual abuse material. This would undermine everybody's right to privacy and weaken the level of security online for all EU citizens.

Broad. Sweeping. Dangerous. These are all suitable terms for this proposal. And let's not forget the children it's supposed to help, who will be just as victimized by the law as the people who wrote it.

Fortunately, there's already some strong opposition to this proposal. The German Parliament has soundly rejected this push for client-side scanning, saying there's no way it's willing to inflict this privacy invasion on its constituents.

While the German Parliament itself is not directly involved with the EU Commission's proposal to make client-side scanning of encrypted communication mandatory for online services, the hearing was still a great success for digital rights groups and privacy activists.

The draft law itself is being negotiated between the EU Commission, the European Parliament and the member states in the Council of Ministers. In this context, the German government can have a deciding influence in the Council of Ministers.

And, to the very least, the German government wants the removal of client-side scanning, i.e. the examination of communications content on end devices, from the proposal.

So, if the EU Commission ratifies this proposal, the German government likely won't enforce it. In fact, it will probably challenge the law in the EU human rights court, which will almost certainly find it a violation of rights guaranteed by other EU laws. This is a losing proposal for several reasons, but especially in a continent where this same commission has created sweeping privacy protections for European residents. It can't just undo those because it wants to solve a problem it didn't consider during its erection of other privacy protections.

Now that an entire country has rejected client-side scanning, the EU Commission needs to go back to the drawing board. Yes, CSAM is a problem that needs to be addressed. But it simply can't be solved by turning everyone accessing the internet into a suspect.