A controversial legislative push within the European Union is stirring heated debates among experts and policymakers, as lawmakers consider mandating messaging platforms to conduct intrusive scans of private communications for child sexual abuse material (CSAM).
However, this move has sparked concern among over 270 security and privacy experts, who warn of dire consequences and millions of false positives each day.
The EU’s proposal, which has been in the pipeline for two years, faces mounting criticism from a wide array of stakeholders, including independent experts, members of the European Parliament, and even the bloc’s own Data Protection Supervisor. At its core, the plan would compel messaging platforms to not only detect known CSAM but also employ unspecified scanning technologies to identify unknown CSAM and grooming activities in real-time.
Critics argue that the proposal rests on shaky technological grounds and could backfire, potentially compromising internet security and user privacy. Moreover, they contend that the mandate for blanket surveillance, particularly through unproven technologies like client-side scanning, is both impractical and ethically dubious.
Despite the outcry, the EU appears determined to press forward with its agenda. Recent amendments proposed by the European Council fail to assuage concerns raised by experts, who argue that these revisions still pave the way for unprecedented levels of surveillance and control over internet users’ communications.
Billions of users, millions of false positives
Among the amendments under scrutiny is the proposal to target detection orders based on risk categorization, coupled with automated assessments. However, experts caution that this approach is likely to generate an overwhelming number of false alarms, given the sheer volume of messages exchanged on platforms like WhatsApp, which sees billions of messages sent daily.
Furthermore, attempts to safeguard encryption have been met with skepticism from security professionals, who argue that any form of detection in end-to-end encrypted services undermines the very essence of encryption protection. Police chiefs across Europe have voiced similar concerns, calling for measures to enable “lawful access” to encrypted data, albeit without specifying viable technical solutions.
As the EU deliberates on the future of its proposed regulation, the stakes are high. Should the legislation proceed unchanged, experts warn of far-reaching consequences, including a chilling effect on online interactions and potential erosion of privacy rights. Ultimately, the outcome of these deliberations could reshape digital services and have profound implications for democracies worldwide.