The Dutch secret service is opposed to client-side scanning.
Posted: Wed Dec 18, 2024 9:05 am
Another month, another attempt: Although Hungary had to cancel the last EU Council vote on the Child Sexual Abuse Regulation (CSA) in June 2024 because there was no majority among the member states, it tried again on Wednesday – without success. The turning point was that the Dutch secret services clearly expressed their opinion on the enormous threat to everyone's security should end-to-end encryption be weakened. Encryption is paramount for digital resilience in Europe.
Why “chat control” threatens encryption
At the core of the CSA Regulation is the implementation of “upload moderation,” or client-side scanning. In fact, upload moderation is nothing more than a euphemism by EU politicians to curb ongoing public resistance against this dangerous law. Client-side scanning – if required by law – would ask tech companies to scan communications for illegal content on the client before encryption occurs and send suspicious content to authorities. The Hungarian Presidency claims that this can co-exist with end-to-end encryption, but this is fundamentally false.
End-to-end encryption ensures that only the sender and recipient can read a message. However, with client-side scanning, messages are scanned before being encrypted, which defeats the purpose of encryption itself. In practice, this would force encryption to be weakened, which would be incredibly dangerous for our digital resilience in Europe. Currently, there are no technical solutions that can preserve the security of end-to-end encryption while also meeting the demands of the CSA proposal on content discovery.
Why this matters more than ever
The current CSA proposal thus introduces alarming new risks to digital security and privacy. By requiring users to scan encrypted messages, the proposal exposes users to a number of new vulnerabilities.
Malicious attackers steal your data before it's encrypted: Client-side scanning creates opportunities for hackers to exploit system vulnerabilities and access private and sensitive data before it's encrypted.
Distributed Denial of Service (DDoS) attacks: The more complex systems become, the more points of failure exist. By implementing client-side scanning, service providers could become vulnerable to DDoS attacks, disrupting availability.
CSAM system manipulation: Systems used to detect illegal content could be manipulated, leading to false accusations or criminal exploitation of faulty detection mechanisms.