24 May 2023
The EU's proposed Child Sexual Abuse Material (CSAM) Regulation is perfectly legal, the European Commission has argued, in response to the Council Legal Service's arguments that the "detection orders" set out in the proposal would be illegal.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
The Commission argues that "the content is the crime", and so access to the content of encrypted communications is necessary.
The CSAM proposal foresees a regime of "detection orders" that could be issued against providers of "interpersonal communication services" - for example, messaging services such as Signal and Whatsapp.
In a widely-reported leaked opinion (pdf), the Council Legal Service (CLS) argues that the regime of detection orders set out in the proposal is "not being sufficiently clear, precise and complete."
Furthermore, it would either "[compromise] the essence of the above-mentioned fundamental rights in so far as it would permit generalised access to the content of interpersonal communications," or fail to meet the proportionality requirement due to:
In a note (pdf) circulated in the Council on 16 May, the Commission sets out why it thinks otherwise:
"The Commission services are of the view that there are numerous elements that, especially when considered in their totality, likely justify the conclusion that the proposed system of detection orders is proportionate."
The Commission seeks to use the same case law as the CLS to argue that the CSAM proposal would in fact be entirely legal.
The CLS opinion also notes that:
"...the providers would have to consider (i) abandoning effective end-to-end encryption or (ii) introducing some form of 'back-door' to access encrypted content or (iii) accessing the content on the device of the user before it is encrypted (so-called 'client-side scanning')."
As has been pointed out multiple times, this would fatally undermine the way the internet works, putting the privacy and security of all users at risk - but this point does not appear to be a deterrent to the Commission.
On the issue of undermining encryption - and thus the privacy and security of communication via the internet more generally - the Commission's paper remains silent.
The minutes of the recent EU-US Senior Officials Meeting on Justice and Home Affairs, held in Stockholm on 16 and 17 March, demonstrate cooperation on a vast range of topics - including a "proof of concept" of the "Enhanced Border Security Partnership" involving the transatlantic sharing of biometric data, the need to "reinforce law enforcement’s legitimacy to investigate" in debates around breaking telecoms encryption, and US "concerns on radicalisation among police forces."
Negotiations are proceedings on the EU's proposed Regulation laying down rules to prevent and combat child sexual abuse, which will oblige communications service providers to undermine encryption and use unproven automated detection technologies in the hope of detecting online child abuse imagery. In mid-October, the Czech Presidency of the Council circulated compromise proposals on Chapter III, dealing with supervision, enforcement and cooperation. Two weeks later, proposals on Chapter I (general provisions) followed. They are published here.
At a recent event hosted by Europol's Innovation Hub, participants discussed questions relating to encrypted data and the ability of law enforcement authorities to access digital information. One issue raised was a possible "EU Vulnerability Management Policy for Internal Security," which could allow for "temporary retention of vulnerabilities and their exploitation by the relevant authorities." In effect, this would mean identifying weaknesses in software and, rather than informing the software developers of the problem, exploiting it for law enforcement purposes.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.