Europe proposes tackling child abuse by killing privacy, strong encryption. Cybersecurity experts are aghast. But does it really matter?


The existence of all “our” formal and informal data sharing alliances makes all this chatter somewhat farcical.

BY:

Salvatore Nicci
Technology Analyst / Reporter
PROJECT COUNSEL MEDIA


13 May 2022 (Rome, Italy) – Proposed European regulations that purport to curb child abuse by imposing mass surveillance would be a “disaster” for digital privacy and strong encryption, say cybersecurity experts.

A number of options have been put forward for lawmakers to mull that aim to encourage or ensure online service providers and messaging apps tackle the “detection, removal, and reporting of previously-known and new child sexual abuse material and grooming.” These options range from voluntary detection and reporting of child sexual abuse material (CSAM) and grooming, to legally mandating that service providers find and report such material using whatever detection technology they wish – essentially scanning all private communications and, if necessary, breaking end-to-end (E2E) encryption for everyone. If rubber-stamped, the rules will apply to online hosting services and interpersonal communication services, such as messaging apps, app stores, and internet access providers. EFF Senior Policy Analyst Joe Mullin:

“If this proposal were to come to pass, it could result in countries banning true end-to-end encryption. Requiring service providers to detect suspected child grooming requires them to analyze all private messages. The EU proposal is incompatible with end-to-end encryption and with basic privacy rights. There’s no way to do what the EU proposal seeks to do, other than for governments to read and scan user messages on a massive scale. If it becomes law, the proposal would be a disaster for user privacy not just in the EU but throughout the world.”

Here’s what the proposal says service providers would need to do after receiving a “detection order” to scan for, report and remove any CSAM or grooming activity:

1. This regulation leaves to the provider concerned the choice of the technologies to be operated to comply effectively with detection orders. That includes the use of end-to-end encryption technology, which is an important tool to guarantee the security and confidentiality of the communications of users, including those of children.

2. When executing the detection order, providers should take all available safeguard measures to ensure that the technologies employed by them cannot be used by them or their employees for purposes other than compliance with this Regulation, nor by third parties, and thus to avoid undermining the security and confidentiality of the communications of users.

It’s worth noting that this finding-and-stopping-pedophiles argument is frequently used to oppose E2E encryption and drum up support for mass-surveillance proposals – like Apple’s plan to scan photos on iPhones and iPads for CSAM, which it subsequently and quietly walked back late last year.

EU ‘war on E2E encryption’

A typical Tweet came from Alec Muffett, who architected and led Facebook Messenger’s end-to-end encryption effort:

“In case you missed it, today is the day that the European Union declares war upon end-to-end encryption, and demands access to every person’s private messages on any platform in the name of protecting children”.

As we have noted in previous posts, he has first-hand experience with this. The UK government’s ongoing rumblings against end-to-end encryption also rely heavily on similar think-of-the-children and Facebook-harbors-pedophiles rhetoric.

And Matthew Green, a cryptography professor at Johns Hopkins University, jumped on Twitter and called the EU proposal

“the most terrifying thing I’ve ever seen. If signed into law, this regulation would likely require service providers to use AI to read entire text messages to figure out if a user is ‘grooming’ children for sexual abuse. It is potentially going to do this on encrypted messages that should be private. It won’t be good, and it won’t be smart, and it will make mistakes. But what’s terrifying is that once you open up ‘machines reading your text messages’ for any purpose, there are no limits”. 

POSTSCRIPT

Like many of our readers, we use PGP encryption for much of our work. PGP encryption is the gold standard for encrypted communication and has been used by everyone from nuclear activists to criminals since its invention in 1991. While the execution is complex, the concept is simple: you can encrypt text, making it unreadable to anyone who doesn’t have the key to decode it. Although to be frank, I’m quite sure that most of the Five Eyes can decrypt anything given the key harvesting that they have been engaged in for the last decade or so. Even countries like Sweden happily provide data collection facilities to feed the data mines with raw feeds. Add the fact that China hoovers up the vast majority of data flowing on the Internet already, regardless of whether they can currently decrypt it or not, and you begin to get an idea of the scale of the mass surveillance system which is already in place. Data privacy? Don’t make me laugh.

So this latest EU proposal? The existence of all these formal and informal data sharing alliances giving countries the ability to spy on their own citizens, even when that is specifically illegal, makes talk of privacy and encryption somewhat farcical. Add all the data which private companies collect about people through their pervasive surveillance systems to the pot and you end up with the ability to build a comprehensive profile of anyone’s daily life and social network already.

So the fact that we have the EU attempting to remove the last vestiges of privacy from the day-to-day lives of their population will make anyone who uses illegal encryption systems (as they will become) stick out like a sore thumb in the data flows that are absorbed into the data mines. This proposal is just further proof (as if any was needed) of the contempt with which the ruling class treats the plebs these days.

And in answer to several readers who received this post earlier and responded with “But if you use the World Wide Web you must be aware that the vast majority of sites now use HTTPS, which provides End-to-End Encryption between you and the server. Most internet traffic is encrypted already”.

Ah, no. The thing about end-to-end is which ends you’re talking about.

Encryption between my browser and that “thing in the middle” which checks what I’m doing and spawns a new connection to my original destination is the problem. We have two valid end-to-end encrypted connections … but that “something in the middle” is still able to see everything I do and I am none the wiser. I find it hilarious when people think a VPN to some company on the internet adds some kind of enhanced security. You’re paying someone to handle your traffic and have no idea if they are breaking it, too. If you go through a corporate proxy, especially a cloud one, then your traffic is being inspected.
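An added example, not part of the original article: one way to notice the “thing in the middle” is to compare the certificate your browser path validates with the one seen for the same host from an independent network path. The function names, the CA names and the sample observations are constructed for illustration; `observe()` is the live helper and needs network access.

```python
import hashlib
import socket
import ssl

def issuer_fields(cert_info):
    """Flatten the nested RDN tuples of ssl's getpeercert() 'issuer' into a dict."""
    return {key: value for rdn in cert_info["issuer"] for key, value in rdn}

def observe(host, port=443, timeout=5.0):
    """Live helper (needs network): the leaf certificate as validated on THIS path."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return hashlib.sha256(der).hexdigest(), tls.getpeercert()

def assess(local, reference):
    """Compare (fingerprint, cert_info) seen locally with one from an independent path."""
    local_fp, local_info = local
    ref_fp, ref_info = reference
    if local_fp == ref_fp:
        return "same-certificate"
    local_issuer = issuer_fields(local_info)
    if local_issuer == issuer_fields(ref_info):
        # Rotation or a CDN serving several certificates: not evidence of a middlebox.
        return "different-certificate-same-issuer"
    # Handshake validated locally, yet another CA signed the leaf: something on this
    # path terminates TLS and re-signs with a CA trusted by the local root store.
    return "re-signed-by:" + local_issuer.get("organizationName", "unknown")

# Constructed sample data in the shape ssl.getpeercert() returns; no real certificates.
REFERENCE = ("a1" * 32, {"issuer": ((("countryName", "US"),),
                                     (("organizationName", "Example Public CA"),),
                                     (("commonName", "Example Public CA R3"),))})
ROTATED = ("b2" * 32, {"issuer": REFERENCE[1]["issuer"]})
VIA_PROXY = ("c3" * 32, {"issuer": ((("organizationName", "Example Corp Inspection CA"),),
                                     (("commonName", "Example Corp Proxy"),))})

if __name__ == "__main__":
    for name, seen in (("direct", REFERENCE), ("rotated", ROTATED), ("proxy", VIA_PROXY)):
        print(name, "->", assess(seen, REFERENCE))
```

A fingerprint mismatch alone is weak evidence because sites rotate certificates; the issuer change is the signal, and it only shows up because the inspecting proxy's CA has been installed in the local trust store.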

Yet again, the EU invites us to get out the 🍿.

 
