EU Attorneys Question Legality of Chat App Scanning For CSAM
European Commission Legal Service Says Proposal Likely Violates Europeans’ Rights
Akshaya Asokan (asokan_akshaya) • May 10, 2023
A European Commission effort to require instant messenger apps such as WhatsApp and iMessage to scan for child sexual abuse material would likely violate Europeans’ human rights and weaken encryption protections for consumers, a leaked document from the commission’s internal legal service says.
The Child Sexual Abuse Material proposal, unveiled by the commission in May 2022, faces a barrage of opposition from industry and civil liberty groups concerned that it would lead to mass surveillance. European privacy watchdogs have called for the bill to be amended. A European Parliament committee considering the bill recently heard from academics who concluded the bill would introduce additional cybersecurity vulnerabilities into smartphones (see: EU’s Proposed CSAM Bill Poses Hacking Risks).
The European Commission Legal Service in an April 26 opinion circulated confidentially to member states concluded that the proposal “constitutes a particularly serious limitation to the rights to privacy and personal data protection.”
The legal service questioned the legality of the “detection orders” stipulated under the bill that would allow law enforcement agencies to compel chat apps to scan messages, photos and videos for child sexual abuse material using approved technology.
Detection implies “that content of all communications must be accessed and scanned, and be performed by means of available automated tools,” the service wrote.
Compliance with a detection order, whether explicitly required by statute or not, would require weakening end-to-end encryption, likely clashing with fundamental rights and interfering with data security, the service also wrote.
Niche press agency Agence Europe appears to have obtained the opinion, which is marked “Limite,” on May 5. British newspaper The Guardian reported on it May 8.
Precedent from the Court of European Justice holds that indiscriminate automated analysis of internet traffic and location data is acceptable only when member states face a serious threat to national security. “It is difficult to see how this case law can serve as a basis to justify a measure which aims at combating criminal offences, which are indisputably serious, but are not related to threats to national security,” the service added.
European officials have said their goal is not to diminish end-to-end encryption, with one official telling the European Parliament committee considering the bill that the commission is open to “reinforce a number of provisions in the proposal in order to ensure that the coordinated work of the different actors in the chain who will ultimately vet the type of technology that would be active in an end-to-end encryption environment would actually not impede on the quality and the significant continuous improvement of private communications.”
A similar bill under consideration in the United Kingdom has led chat apps WhatsApp and Signal to threaten to leave the country should it become law (see: WhatsApp, Signal Preview UK Exit Over Threat to Encryption).
The service recommends rewriting the bill – should European governments still want to maintain chat apps in its scope – by linking surveillance to reasonable grounds of individualized suspicion. The draft should also provide for details about the technology used to comply with detection orders, it said.