![](\"https:\/\/media.wired.com\/photos\/627bd8eeb6048c47d506c6c1\/master\/pass\/Laser_Sec_GettyImages-1169691904.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Matt Burgess| Date: Wed, 11 May 2022 15:45:20 +0000<\/strong><\/p>\n Matt Burgess<\/a><\/span><\/span><\/p>\n To revist this article, visit My Profile, then View saved stories<\/a>.<\/p>\n To revist this article, visit My Profile, then View saved stories<\/a>.<\/p>\n All of your<\/span> WhatsApp photos<\/a>, iMessage texts<\/a>, and Snapchat videos could be scanned to check for child sexual abuse images and videos under newly proposed European rules. The plans, experts warn, may undermine the end-to-end encryption<\/a> that protects billions of messages sent every day and hamper people\u2019s online privacy.<\/p>\n The European Commission today revealed<\/a> long-awaited proposals aimed at tackling the huge volumes of child sexual abuse material, also known as CSAM, uploaded to the web each year. The proposed law creates a new EU Centre to deal with child abuse content and introduces obligations for tech companies to \u201cdetect, report, block and remove\u201d CSAM from their platforms. The law, announced by Europe\u2019s commissioner for home affairs, Ylva Johansson, says tech companies have failed to voluntarily remove abuse content, and it has been welcomed<\/a> by child protection and safety groups.<\/p>\n Under the plans, tech companies\u2014ranging from web hosting services to messaging platforms\u2014can be ordered to \u201cdetect\u201d both new and previously discovered CSAM, as well as potential instances of \u201cgrooming.\u201d The detection could take place in chat messages, files uploaded to online services, or on websites that host abusive material. The plans echo an effort by Apple last year to scan photos on people\u2019s iPhones for abusive content before it was uploaded to iCloud. Apple paused its efforts after a widespread backlash<\/a>.<\/p>\n If passed, the European legislation would require tech companies to conduct risk assessments for their services to assess the levels of CSAM on their platforms and their existing prevention measures. If necessary, regulators or courts may then issue \u201cdetection orders\u201d that say tech companies must start \u201cinstalling and operating technologies\u201d to detect CSAM. These detection orders would be issued for specific periods of time. The draft legislation doesn\u2019t specify what technologies must be installed or how they will operate\u2014these will be vetted by the new EU Centre\u2014but says they should be used even when end-to-end encryption is in place.<\/p>\n The European proposal to scan people\u2019s messages has been met with frustration from civil rights groups and security experts, who say it\u2019s likely to undermine the end-to-end encryption that\u2019s become the default on messaging apps such as iMessage<\/a>, WhatsApp<\/a>, and Signal<\/a>. \u201cIncredibly disappointing to see a proposed EU regulation on the internet fail to protect end-to-end encryption,\u201d WhatsApp head Will Cathcart tweeted<\/a>. \u201cThis proposal would force companies to scan every person's messages and put EU citizens' privacy and security at serious risk.\u201d Any system that weakens end-to-end encryption could be abused or expanded to look for other types of content, researchers say<\/a>.<\/p>\n \u201cYou either have E2EE or you don\u2019t,\u201d says Alan Woodward, a cybersecurity professor from the University of Surrey. End-to-end encryption protects people\u2019s privacy and security by ensuring that only the sender and receiver of messages can see their content. For example, Meta, the owner of WhatsApp, doesn\u2019t have any way to read your messages or mine their contents for data. The EU\u2019s draft regulation says solutions shouldn\u2019t weaken encryption and says it includes safeguards to ensure this doesn\u2019t happen; however, it doesn\u2019t give specifics for how this would work.<\/p>\n \u201cThat being so, there is only one logical solution: client-side scanning where the content is examined when it is decrypted on the user's device for them to view\/read,\u201d Woodward says. Last year, Apple announced it would introduce client-side scanning\u2014scanning done on people\u2019s iPhones rather than Apple\u2019s servers\u2014to check photos for known CSAM being uploaded to iCloud. The move sparked protests from civil rights groups and even Edward Snowden about the potential for surveillance, leading Apple to pause its plans a month after initially announcing them<\/a>. (Apple declined to comment for this story.)<\/p>\n For tech companies, detecting CSAM on their platforms and scanning some communications is not new. Companies operating in the United States are required to report any CSAM they find or that is reported to them by users to the National Center for Missing and Exploited Children (NCMEC), a US-based nonprofit. More than 29 million reports<\/a>, containing 39 million images and 44 million videos, were made to NCMEC last year alone. Under the new EU rules, the EU Centre will receive CSAM reports from tech companies.<\/p>\n \u201cA lot of companies are not doing the detection today,\u201d Johansson said in a press conference introducing the legislation. \u201cThis is not a proposal on encryption, this is a proposal on child sexual abuse material,\u201d Johansson said, adding that the law is \u201cnot about reading communication\u201d but detecting illegal abuse content.<\/p>\n At the moment, tech companies find CSAM online in different ways. And the amount of CSAM found is increasing as tech companies get better at detecting and reporting abuse\u2014although some are much better than others<\/a>. In some cases, AI is being used to hunt down previously unseen CSAM<\/a>. Duplicates of existing abuse photos and videos can be detected using \u201chashing systems,\u201d where abuse content is assigned a fingerprint that can be spotted when it\u2019s uploaded to the web again. More than 200 companies, from Google to Apple, use Microsoft's PhotoDNA hashing system<\/a> to scan millions of files shared online. However, to do this, systems need to have access to the messages and files people are sending, which is not possible when end-to-end encryption is in place.<\/p>\n \u201cIn addition to detecting CSAM, obligations will exist to detect the solicitation of children (\u2018grooming\u2019), which can only mean that conversations will need to be read 24\/7,\u201d says Diego Naranjo, head of policy at the civil liberties group European Digital Rights. \u201cThis is a disaster for confidentiality of communications. Companies will be asked (via detection orders) or incentivized (via risk mitigation measures) to offer less secure services for everyone if they want to comply with these obligations.\u201d<\/p>\n Discussions about protecting children online and how this can be done with end-to-end encryption are hugely complex, technical, and combined with the horrors of the crimes against vulnerable young people. Research from Unicef, the UN\u2019s children\u2019s fund, published in 2020<\/a> says encryption is needed to protect people\u2019s privacy\u2014including children\u2014but adds that it \u201cimpedes\u201d efforts to remove content and identify the people sharing it. For years, law enforcement agencies<\/a> around the world have pushed to create ways to bypass or weaken encryption. \u201cI\u2019m not saying privacy at any cost, and I think we can all agree child abuse is abhorrent,\u201d Woodward says, \u201cbut there needs to be a proper, public, dispassionate debate about whether the risks of what might emerge are worth the true effectiveness in fighting child abuse.\u201d<\/p>\n Increasingly, researchers and tech companies have been focusing on safety tools that can exist alongside end-to-encryption. Proposals include using metadata from encrypted messages<\/a>\u2014the who, how, what, and why of messages, not their content\u2014to analyze people\u2019s behavior and potentially spot criminality. One recent report by the nonprofit Business for Social Responsibility, which was commissioned by Meta, found that end-to-end encryption is an overwhelmingly positive force for upholding people's human rights<\/a>. It suggested 45 recommendations for how encryption and safety can go together and not involve access to people\u2019s communications. When the report was published in April, Lindsey Andersen, BSR's associate director for human rights, told WIRED: \u201cContrary to popular belief, there actually is a lot that can be done even without access to messages.\u201d<\/p>\n