An investigation uncovers a web of influence in the powerful coalition aligned behind the European Commission’s proposal to scan for child sexual abuse material online, a proposal leading experts say puts rights at risk and will introduce new vulnerabilities by undermining encryption.
I don’t understand how “client-side scanning” - i.e. an invasive piece of code pushed by OS makers to YOUR computer or mobile device to scan YOUR files without your consent - is even being discussed.
This is tantamount to an Apple or Google rep forcibly entering your house, sitting on the couch next to you in your living room and reporting to the mothership or the police what you watch on TV. People would take to the street if this was mandated by law. Yet they seem to be waiting for the Apple or Google rep to sit on their device and report what files you have in it with complete resignation.
How did we get here? This obscene proposal would have been a major scandal not 25 year ago. Actually it wouldn’t even have been proposed at all. But today it’s on the verge of becoming law! The mind boggles…
After about thirty years, politicians have realised that you can’t break encryption without also leaking their own secrets, eventually.
If the system was transparent, open, and provided an easy way to get false positive sorted, I wouldn’t necessarily even have a problem with the concept.
If the choice is between this or banning E2EE like the EU and UK tried to do, I would prefer client side scanning. However, this fake binary is exactly what politicians want you to think of.
You know how illegal shit gets shared to the masses? Telegram channels. Unencrypted, tied to phone numbers, publicly available if you just know the link. Sure, a bunch of pedos will use top of the line encryption and try to get perfect OPSEC, but that’s extremely hard to pull off, even for seasoned professionals.
Automatic scanning isn’t a solution to a lack of knowledgeable officers and a lack of public prosecutors getting their shit together. Politicians don’t like the idea of someone using encryption to get away with disgusting shit, and that’s enough for them to come up with ridiculous laws.
How can you even say that?
This is what baffles me the most: how does anyone even entertain the idea of letting a third-party scan their own files on their own device uninvited? Even if the process is transparent and there’s a 100% fool-proof way of taking care of false positives, the very idea of letting anyone scan anything on my computers in the first place is completely unacceptable!
People would have never deeemed anything like this even remotely acceptable 25 years ago. But in 2023, enough people have internalized the idea enough that this actually has a chance to become law without creating an outrage. I am utterly distressed by what society is willing to accept nowadays.
That’s why I put the conditions “if the system was transparent, open, and provided an easy way to get false positive sorted” on there. That’s like saying “if people were good, I’d believe in communism”. In the real world, these conditions will never be met.
We have antivirus software and it works just fine without sending samples to the mothership (though it does work a lot better if you let it upload stuff to their sandboxes). The theory behind the system is solid and well-intentioned people working together can make a real difference.
A big problem I’m seeing with this debate is that politicians aren’t going to give up on trying to enforce scannability of all messages. “I don’t want nothing of the government on my device!” is how you get a 2030 law banning Linux on the desktop. Every politician of every political party has heard every argument by every activist. Everyone in the general public has heard how bad the concept is. Nobody is capable of stopping the inevitable legal attack on properly private messages.
I think we can get more people behind this if messenger apps are willing to work together and show people the implications in terms they understand. If WhatsApp shows “Ursula von der Leyen (EU) has been added to the chat” to every chatroom and adds a label “No problem, only
x
% chance of child porn content” on every image or meme shared (wherex
is just the percentage of pixels with a skin color hue), people would riot. Maybe add random emoji responses by “Ursula” too just to remind everyone that she’s watching. Of course no app will ever want to spook their users like that, but I think it’s the only way to stop this movement.I’m very pessimistic about the future. We’ve had useful encryption for about 20 years after it being considered a military secret for hundreds or even thousands of years, and I think we’ll eventually lose it again.
Your entire line of thinking hinges on the premise that the politicos (and presumably, whichever oligopolies their do the biddings of) will have their way one way or the other. What you’re saying is, if we don’t make concessions on the client-side scanning and accept some implementation of it, the privacy-respecting tools we have now will be banned.
My question is this: why is any of this inevitable?
None of what’s being proposed here solves any problem. Pedo material can be fought with the legal and technical tools we have now, as demonstrated by the news of entire pedo rings being dismantled, and pedophiles going to jail as a result on a regular basis.
The fact that you’re willing to make compromises on solutions to a fake problem means that you’ve already acknowledged we’ve already lost.
The truth is, if people today were as outraged as people of my generation are over this, this false choice wouldn’t have to be made at all. Things are just fine the way they are today, and you don’t have to give up anything if you don’t assume you’ll have to give something up.
At what point have we gained freedoms and reduced government control over the internet since OpenPGP broke the international ban on cryptography? I only remember a downward curve.
Maybe it’ll take 50 years, maybe it’ll take 5, but I haven’t seen any attempt at all to protect end-to-end encryption by law. There have only been attacks on it. The EU’s upload filter made it into law, intelligence services are gaining more and more power to tap the internet all over the world, and gen-Z’s perception of privacy will let the big corporations win. The boomers and older gen-X’ers who don’t understand the internet are easily swayed with “think of the children” and gen-Z didn’t grow up with the core concept of privacy that previous generations knew.
The problem is that the criminals won’t use something monitored by the police. They aren’t dumb
Depends on the criminal. Some are smart enough to use Signal, but many others buy special crypto phones (which then get hacked by law enforcement because law enforcement isn’t dumb either).
You won’t catch the smartest criminals, but you will catch up the dumb ones who can provide you with information about criminal networks.
Google has been doing it on drive for years now. False positives have been several times reported to the police, despite a human reviewing it
Yeah but that’s different: you entrust files to Google drive. It’s their digital real estate: I expect them to do whatever they want with what you put on it. If you don’t want false-positives, don’t send your files to Google.
But your cellphone or your computer at home is your digital real-estate. It’s your home. I for one do not welcome Google in my home, and I absolutely refuse to let them see what’s inside my home.
Because really, client-side scanning is nothing more than home invasion.
Oh, something very similar has been proposed already some time ago, just under the guise of stopping terrorism. That excuse evidently doesn’t work anymore.
It’s already being discussed to be put in law but people still aren’t rioting. Chat control 2.0 is just this.