Encryption & Key Management , Governance & Risk Management , Privacy
European CSAM Scanning Proposal Runs Into Opposition
Council of the European Union Cancels VoteA proposal requiring online chat providers to scan images and links for child pornography failed to garner majority support Thursday from European Union trading bloc governments.
See Also: Webinar | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR
The Council of the European Union postponed a scheduled vote on the proposal, which has been dogged by opposition from security and privacy advocates since its 2022 introduction by the European Commission. The Council, made up of direct representatives of European governments, was set to vote on a compromise version put forth June 14 by Belgium, which holds the six-month presidency of the council until the end of this month. Countries including Germany, Austria, Poland, the Netherlands and the Czech Republic were expected to abstain or oppose the law over cybersecurity and privacy concerns, reported Politico.
Approval by the council is a necessary step to opening talks between it, the European Parliament and the European Commission on the bill's final language. Parliament amended the bill last fall to include privacy protections including protecting end-to-end encryption (see: EU's LIBE Rejects Mass Content Scanning in CSAM Proposal).
"The EU governments would have decided today in favor of totalitarian indiscriminate chat control, burying the digital privacy of correspondence and secure encryption," said Patrick Breyer, a German Pirates Party member and a staunch critic of the proposal.
The bill as written by the commission would have meant "that even encrypted messaging can be broken for the better protection of children," said European Commission Vice President Věra Jourová on Thursday.
The Belgian presidency proposal would require users to consent to having images and URLs scanned for child sexual abuse material before being able to send them. Users of end-to-end encrypted apps who withhold consent would not be able to send images or links.
"We have done our utmost by addressing the concerns raised by the member states. We have offered compromise solutions to make detection orders more targeted and provide additional safeguards protecting fundamental rights, including end-to-end encryption," said Annelies Verlinden, Belgian minister of the interior, during a council hearing last week.
Privacy critics including Signal Foundation President Meredith Whittaker rejected the Belgian compromise, calling it just another way to undermine end-to-end encryption. "Mandating mass scanning of private communications fundamentally undermines encryption. Full stop," Whittaker said in a Monday statement. "We can call it a backdoor, a front door, or 'upload moderation.' But whatever we call it, each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states."
A spokesperson for Threema, a European encrypted instant messaging app, told Information Security Media Group the proposal will force companies to backdoor their systems, which will increase the risk of hacking. "Think of it as an API for hackers," the spokesperson said.
Despite the concerns over content scanning and data interception, the European Council's Law Enforcement Working Party recently published a data retention plan that would require digital devices such as smartphones and IoT devices to implement "access by design" for law enforcement to obtain data.