A leaked European Union proposal shows plans to mandate CSAM scanning for child protection in all encrypted messaging services.
In 2021, Apple eventually backed down over its own plans to introduce scanning for child sexual abuse material (CSAM), agreeing to postpone them following severe criticism of the dangers they posed to everyone's privacy. Notably, the UK government backed Apple's plans, albeit after Apple had withdrawn them, and chiefly as part of its own wish to get backdoors into end-to-end encryption.
Now it appears that many of the UK's former fellow EU member countries have been planning their own CSAM measures. As a result of those plans, the EU intends to impose a single pan-European solution, both to standardize the measures and because it says that voluntary ones have not been sufficient.
Security consultant Alec Muffett has tweeted a copy of a draft EU proposal about "laying down rules to prevent and combat child sexual abuse."
Well, this is some interesting reading for the afternoon. https://t.co/1z96uE1REx pic.twitter.com/X8Fybvv4fj
— Alec Muffett (@AlecMuffett) May 10, 2022
"Despite the important contribution made by certain providers," says the proposal, "voluntary action has thus proven insufficient to address the misuse of online services for the purposes of child sexual abuse."
"As a consequence, several Member States have started preparing and adopting national rules to fight against online child sexual abuse," it continues.
The proposal reports that "divergent national requirements" over CSAM would also lead "to an increase in the fragmentation of the Digital Single Market for services."
European Union regulators therefore propose imposing rules in order "to guarantee children's fundamental rights," but also "to establish a fair balance" over the right of privacy for users in general.
The plan is for an "EU Center," which would "create, maintain and operate databases of indicators of online child sexual abuse that providers will be required to use."
Breaking end-to-end encryption
No specific services are mentioned in the proposal's more than 55,000 words of detail, but it does state that these "measures should be taken regardless of the technologies used by the providers concerned in connection to the provision of their services."
"That includes the use of end-to-end encryption technology," continues the proposal, "which is an important tool to guarantee the security and confidentiality of the communications of users, including those of children."
"When executing the detection order, providers should take all available safeguard measures to ensure that the technologies employed by them cannot be used by them or their employees for purposes other than compliance with this Regulation," says the proposal, "nor by third parties, and thus to avoid undermining the security and confidentiality of the communications of users."
The plan appears to propose that end-to-end encryption be broken by messaging service providers, in order to scan messages for CSAM.
This is the main objection that security experts raised against Apple's CSAM system. They argue that once scanning for CSAM is allowed, governments would be able to require scanning for any other information they desire.
Matthew Green, cryptography teacher at Johns Hopkins University, has described the leaked plans as "the most terrifying thing I've ever seen."
This document is the most terrifying thing I've ever seen. It is proposing a new mass surveillance system that will read private text messages, not to detect CSAM, but to detect "grooming". Read for yourself. pic.twitter.com/iYkRccq9ZP
— Matthew Green (@matthew_d_green) May 10, 2022
The leaked EU proposal has no date, but its appendices include a potential timetable that would see the plans introduced from 2022 to 2027.