The EU Commission is planning automatic CSAM scanning of your private communication – or total surveillance in the name of child protection.

This would be the worst surveillance apparatus outside of China, and completely disproportionate.

EU Commission plans worst surveillance laws outside of China.

In its draft law to combat child sexual abuse, the EU Commission describes one of the most sophisticated mass surveillance apparatuses ever deployed outside China. Even if an AI scans your private messages, it remains warrantless mass surveillance of everyone. Once again, the EU Commission is using child protection as a pretext to introduce mass surveillance without any reason.


EU surveillance proposal

In its proposal the EU Commission is planning to abolish online privacy altogether. It proposes a new mass surveillance system that would read private text messages, not only to detect CSAM (Child Sexual Abuse Material), but to detect “grooming”.

Surveillance to detect CSAM and grooming must read every message.

To detect “grooming” the AI would need to read all our private messages, always.

This would be the worst surveillance mechanism ever established outside of China, and all in the pretext of protecting children.

Cryptography professor Matthew Green said that the EU proposal “describes the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR. Not an exaggeration.”

What could possibly go wrong?

We need to look very carefully at what could go wrong with such extensive surveillance measures as the EU Commission has just proposed.

We all need to be aware that, according to the Commission’s plans, we are all to be secretly monitored - all the time. The list of images and content that will be searched for can be adjusted.

Once a law forces communication providers to implement client-side scanning, the tool that does it could theoretically search for anything and everything.

So the list can be expanded on demand. In the beginning, the laws will say that providers must scan for child pornography - this is what politicians always claim when they need the broadest possible consensus for new surveillance capabilities. But in the next step, the authorities will also look for other things: terrorists, human traffickers, drug dealers, gang criminals.

And in some countries also after opposition members or journalists.

This list can be continued indefinitely.

”To protect the children”?

The EU Commission claims that this AI-based scanning is a balanced approach between protecting people’s privacy and protecting children. In the German the Spiegel EU Commissioner Dubravka Šuica said: One in five children is a victim of sexual abuse and suffers “from the traumatic experience often for life.”

However, publicly available data shows that most surveillance orders are issued in regards to drug related crimes, and not to protect the children.

This data makes one question whether the EU Commission’s plan is only about protecting the children, or about introducing surveillance capabilities that can then, once established, also be used for other investigations.

In Germany, more than 47.3 per cent of the measures for the surveillance of telecommunications according to § 100a StPO were ordered to find suspects of drug related offenses in 2019. Only 0.1 per cent of the orders - or 21(!) in total - where issued in relation to child pornography.

Comparison of the percentage of wiretap orders for child pornography and drug offenses in Germany, 2009-2019.

Comparison of the percentage of wiretap orders for child pornography and drug offenses in Germany, 2009-2019. Source

In most cases, the surveillance of telecommunications was ordered to prosecute drug-related crimes. No other area had so many surveillance measures ordered. In Germany, just under half of all telecommunication surveillance measures were carried out for drug offenses in recent years. This is shown in the annual statistics of the Federal Office of Justice (BfJ).

Backdoor for the ‘good guys only’

An important issue - and one that is completely neglected by the European Commission. Cybersecurity.

Ways will be found to hack the process of client-side scanning. Malicious attackers could, for example, inject images or documents onto devices of people they want to discredit. Or malicious attackers might find a way to siphon off the data that is scanned on our devices and use it for cyberattacks.

In the end, it must be clear to all of us that a “back door only for the good guys” is not possible.