News: 1718749326

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

EU attempt to sneak through new encryption-eroding law slammed by Signal, politicians

(2024/06/19)


On Thursday, the EU Council is scheduled to vote on a legislative proposal that would attempt to protect children online by disallowing confidential communication.

The vote had been set for Wednesday but got [1]pushed back [PDF].

Known to detractors as [2]Chat Control , the proposal seeks to prevent the online dissemination of child sexual abuse material (CSAM) by requiring internet service providers to scan digital communication – private chats, emails, social media messages, and photos – for unlawful content.

[3]

The [4]proposal [PDF], recognizing the difficulty of explicitly outlawing encryption, calls for "client-side scanning" or "upload moderation" – analyzing content on people's mobile devices and computers for certain wrongdoing before it gets encrypted and transmitted.

[5]

[6]

The idea is that algorithms running locally on people's devices will reliably recognize CSAM (and whatever else is deemed sufficiently awful), block it, and/or report it to authorities. This act of automatically policing and reporting people's stuff before it's even had a chance to be securely transferred rather undermines the point of encryption in the first place.

We've been here before. Apple [7]announced plans to implement a client-side scanning scheme back in August 2021, only to face withering [8]criticism from the security community and civil society groups. In late 2021, the iGiant essentially [9]abandoned the idea .

[10]

Europe's [11]planned "regulation laying down rules to prevent and combat child sexual abuse" is not the only legislative proposal that contemplates client-side scanning as a way to front-run the application of encryption. The [12]US Earn-It Act imagines [13]something similar .

In the UK, the [14]Online Safety Act of 2023 includes a content scanning requirement, though with the government's [15]acknowledgement that enforcement [16]isn't presently feasible . While it does allow telecoms regulator Ofcom to require online platforms to adopt an "accredited technology" to identify unlawful content, there is currently no such technology and it's unclear how accreditation would work.

With the EU proposal vote approaching, opponents of the plan have renewed their calls to shelve the pre-crime surveillance regime.

[17]Arm security defense shattered by speculative execution 95% of the time

[18]Researchers find Meta's withdrawal of misinformation tool hard to swallow

[19]Microsoft Research chief scientist has no issue with Windows Recall

[20]Encrypted mail service Proton hands suspect's personal info to local cops

In an [21]open letter [PDF] on Monday, Meredith Whittaker, CEO of Signal, which threatened to withdraw its app from the UK if the Online Safety Act disallowed encryption, reiterated why the EU client-side scanning plan is unworkable and dangerous.

"There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe," wrote Whittaker.

European countries continue to play rhetorical games. They’ve come back to the table with the same idea under a new label

"Instead of accepting this fundamental mathematical reality, some European countries continue to play rhetorical games.

"They’ve come back to the table with the same idea under a new label. Instead of using the previous term 'client-side scanning,' they’ve rebranded and are now calling it 'upload moderation.'

[22]

"Some are claiming that 'upload moderation' does not undermine encryption because it happens before your message or video is encrypted. This is untrue."

The Internet Architecture Board, part of the Internet Engineering Task Force, [23]offered a similar assessment of client-side scanning in December.

Encrypted comms service Threema published [24]its open variation on this theme on Monday, arguing that mass surveillance is incompatible with democracy, is ineffective, and undermines data security.

"Should it pass, the consequences would be devastating: Under the pretext of child protection, EU citizens would no longer be able to communicate in a safe and private manner on the internet," the biz wrote.

EU citizens would no longer be able to communicate in a safe and private manner on the internet

"The European market’s location advantage would suffer a massive hit due to a substantial decrease in data security. And EU professionals like lawyers, journalists, and physicians could no longer uphold their duty to confidentiality online. All while children wouldn’t be better protected in the least bit."

Threema said if it isn't allowed to offer encryption, it will leave the EU.

And on Tuesday, 37 Members of Parliament signed [25]an open letter to the Council of Europe urging legislators to reject Chat Control.

"We explicitly warn that the obligation to systematically scan encrypted communication, whether called 'upload-moderation' or 'client-side scanning,' would not only break secure end-to-end encryption, but will to a high probability also not withstand the case law of the European Court of Justice," the MEPs said. "Rather, such an attack would be in complete contrast to the European commitment to secure communication and digital privacy, as well as human rights in the digital space." ®

Get our [26]Tech Resources



[1] https://data.consilium.europa.eu/doc/document/ST-11316-2024-INIT/en/pdf#page=4

[2] https://www.patrick-breyer.de/en/posts/chat-control/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZnJX5rydTSESWco5oZTcPQAAANY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://www.patrick-breyer.de/wp-content/uploads/2024/04/2024-03-28-conseil-csam-compromis-presidence-belge.pdf

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnJX5rydTSESWco5oZTcPQAAANY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnJX5rydTSESWco5oZTcPQAAANY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2021/08/09/apple_csam_faq/

[8] https://www.theregister.com/2021/08/19/apple_csam_condemned/

[9] https://www.theregister.com/2021/12/16/apple_deletes_csam_scanning_plan/

[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnJX5rydTSESWco5oZTcPQAAANY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[11] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A209%3AFIN

[12] https://www.congress.gov/bill/118th-congress/senate-bill/1207/text

[13] https://www.internetsociety.org/resources/internet-fragmentation/earn-it-act/

[14] https://bills.parliament.uk/bills/3137

[15] https://www.theregister.com/2023/09/07/uk_government_clause_online_safety_bill/

[16] https://www.theregister.com/2023/09/20/uk_online_safety_bill_passes/

[17] https://www.theregister.com/2024/06/18/arm_memory_tag_extensions_leak/

[18] https://www.theregister.com/2024/06/18/metas_decision_to_withdraw_misinformation/

[19] https://www.theregister.com/2024/06/06/microsoft_research_recall/

[20] https://www.theregister.com/2024/05/13/infosec_in_brief/

[21] https://signal.org/blog/pdfs/upload-moderation.pdf

[22] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnJX5rydTSESWco5oZTcPQAAANY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[23] https://www.theregister.com/2023/12/19/iab_ietf_oppose_clientside_scanning/

[24] https://threema.ch/en/blog/posts/stop-chat-control

[25] https://www.patrick-breyer.de/en/lawmakers-across-the-eu-call-on-eu-council-to-reject-the-chat-control-proposal/

[26] https://whitepapers.theregister.com/



Sora2566

But but but

think of the children

Well, well, well!

Anonymous Coward

Everyone's favourite, wholesome and ever-benevolent multinational organisation caught acting in an underhand way?

But of course, as we're constantly reminded, it makes perfect sense to hand over ever increasing amounts of state sovereignty to this shady cabal!

Re: Well, well, well!

TheMaskedMan

"But of course, as we're constantly reminded, it makes perfect sense to hand over ever increasing amounts of state sovereignty to this shady cabal!"

Shady cabal it certainly is. Unfortunately, this otherwise excellent reason to have as little as possible to do with the buggers is massively undermined by the fact the British government is at least as shady, and quite possibly more so.

It doesn't matter which batch of shady, self serving incompetents are in power, they just can't resist the urge to read private messages, and can't understand why it's not possible. Make no mistake, Starmers mob will be just as eager as Sunak's - remember that the term Database State first arose on Blair's watch, with Cameron's shower promising an end to same if only we could see our way clear to electing them. Funny how that didn't happen, and his former home secretary, once - and even before - she found herself inexplicably promoted to PM, couldn't wait to increase surveillance. They're all the bloody same:(

The Central Scrutinizer

And the clown car of encryption busting ideas just keeps on driving full tilt towards the edge of the cliff.

I was totally against this.

David 132

And then I read that it’s to protect children, and of course immediately suspended my outrage and indeed critical faculties. Because for such a noble goal, how can any of us be against this? It’s not as if the EU would ever extend the law to encompass other forms of evil, such as terrorism, voting for the wrong political party, saying uncomplimentary things about political leaders, or putting bins out early.

So let’s give this our unqualified and unquestioning support. It’s for the children.

(Please note icon.)

Anonymous Coward

As long as there are ZERO exceptions, and all government employees get the first models. Imagine being able to scan military, parlimentary, and judicial comms on a real-time basis. Just a slight modification of the code, for example if its transmitted from the device to Der Spiegel/Le Monde/EL Mundo/etc before its scanned...

All the evidence concerning the universe has not yet been collected,
so there's still hope.