It is pointed out that the EU's 'chat regulation law' is a dangerous bill that disables encryption not only for messaging apps but also for a wide range of digital services under the guise of child sexual abuse content countermeasures

Metalhearf, a systems engineer based in France, explains the dangers of the proposed EU 'chat regulation law.'
ChatControl wants to scan all your private messages · Metalhearf's Blog
The Child Sexual Abuse Prevention and Combat Regulation (CSAR), commonly known as ChatControl, proposed by the European Commission in May 2022, builds on the surveillance technology deployed by major technology companies.
For example, Meta analyzes all Messenger conversations and unencrypted WhatsApp data (such as profile pictures and group descriptions). Apple announced similar scans of iCloud content in 2021, but this was later postponed.
Apple announces delay of 'feature to detect child pornography images on iPhone' - GIGAZINE

Metalhearf points out that the Chat Regulation Act aims to turn the monitoring systems implemented by these companies into mandatory monitoring systems ordered by legal authorities.
The EU originally proposed a 2021 interim regulation that allowed platforms to voluntarily scan content for three years, but this regulation expires in 2024, leading to the proposal of a new law regulating chat. While the interim regulation only permitted content scanning, the proposed law would require scanning under certain conditions, which has led to concerns that its impact would be broader.
The Chat Regulation Act applies not only to messaging apps like Signal, WhatsApp, and Telegram, but also to all providers of services that involve interpersonal communication. This includes email providers, dating apps, games with chat features, social media, file hosting services, app stores, and even small community hosting services; in other words, any platform where people can communicate in any way. 'As a result, virtually every digital service is subject to oversight,' Metalhearf said.
Specifically, chat enforcement uses client-side scanning, which simply means analyzing content before it is encrypted.

'This represents a fundamental shift from traditional surveillance systems that intercept messages in transit,' Metalhearf said. 'Under chat laws, every message would be automatically checked and everyone would be presumed guilty until proven innocent, effectively overturning the presumption of innocence.'
Under the Chat Regulation Act, the monitoring system will automatically scan for content that falls into three categories:
1: Known illegal content
Images or videos that have been catalogued by authorities as
2: Unknown potential content
Photos and videos that may be CSAM but have not previously been identified. AI algorithms analyze visual elements (such as exposed skin) and flag potentially problematic content based on statistical models.
3: Grooming behavior
AI-powered text analysis identifies communication patterns that match predefined indicators of adult seductive behavior, including scanning the actual content of private conversations.
Flagged content is automatically reported to authorities without any human pre-screening, across the billions of messages exchanged every day.

The distinctive feature of chat enforcement is that it bypasses encryption entirely rather than breaking it. Messages are still encrypted in transit, but the system inspects their content before they are encrypted. Therefore, Metalhearf points out, 'True end-to-end encryption means that only you and the recipient can read the message. No government, no company, no algorithm can peek inside. That defeats the purpose of end-to-end encryption.'
In fact, privacy software developer Proton has
As a result, even encrypted messaging apps can turn into spyware that spies on users' movements, Metalhearf points out.
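The "bypassed, not broken" point can be seen in a small model of the sender-side pipeline. This is an added example, not code from the article or from Metalhearf's blog: `BLOCKLIST`, `send` and `otp` are hypothetical names, a one-time pad stands in for the app's end-to-end cipher, and exact SHA-256 matching stands in for whatever detection technology a provider would deploy.

```python
import hashlib
import secrets

# Constructed blocklist: one SHA-256 digest standing in for a catalogue of
# known content. Exact hashing is an assumption made to keep the model small.
BLOCKLIST = {hashlib.sha256(b"constructed-sample-listed-file").hexdigest()}


def otp(data: bytes, key: bytes) -> bytes:
    """One-time pad (XOR); stand-in for the end-to-end cipher."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must match message length")
    return bytes(a ^ b for a, b in zip(data, key))


def send(plaintext: bytes, key: bytes, reports: list) -> bytes:
    """Sender-side pipeline with a client-side scanning hook.

    The scan runs on the plaintext, before encryption. A match is written to
    `reports`, a channel that sits outside the encrypted conversation.
    """
    digest = hashlib.sha256(plaintext).hexdigest()
    if digest in BLOCKLIST:
        reports.append({"sha256": digest, "length": len(plaintext)})
    return otp(plaintext, key)  # the cipher itself is applied unmodified


def demo():
    """Send two constructed messages; return recipient checks and reports."""
    reports, delivered_ok = [], []
    for msg in (b"holiday photo bytes", b"constructed-sample-listed-file"):
        key = secrets.token_bytes(len(msg))  # shared by sender and recipient
        wire = send(msg, key, reports)       # all a network observer sees
        delivered_ok.append(otp(wire, key) == msg)
    return delivered_ok, reports


if __name__ == "__main__":
    print(demo())
```

Both messages decrypt correctly for the recipient and the cipher is never weakened, yet one report about message content has left the device through a path the encryption does not cover.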

The Chat Act will also set up a centralised 'EU Child Sexual Abuse Centre' to receive all reports, but EU regulators will not have control over the scanning technology itself.
However, in addition to providing scanning technology, service providers will also be required to conduct 'risk assessments to evaluate and minimize the likelihood of illegal content being shared on their platforms,' which will require collecting detailed information about users (such as age group and type of content), something that many privacy-focused services purposely avoid collecting.
The Chat Regulation Act also seeks to make the implementation of age verification systems mandatory, to which Metalhearf responded, 'There is currently no technology that can provide practical age verification while respecting privacy. Such a system would eliminate online anonymity and require users to prove their identity when accessing digital services.'
Metalhearf points out that existing scanning systems almost always produce false positives. Research has shown that around 80% of algorithmic reports are false positives, meaning harmless content is mistakenly identified as illegal. Irish law enforcement corroborates this data, reporting that of 4,192 cases reported by an automated detection system as illegal, only 20.3% actually contained illegal content.
Even if a detection system could detect illegal content with 99% accuracy, Metalhearf points out, scanning billions of messages every day would result in millions of false accusations, and police resources would be overwhelmed investigating innocent families sharing vacation photos, instead of focusing on their primary duties.
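The base-rate effect behind these figures can be worked through directly. This is an added example, not from the article or Metalhearf's blog. It assumes that "99% accuracy" means 99% sensitivity and 99% specificity, that one billion messages are scanned per day, and that one message in a million is illegal; the last two values are illustrative assumptions, while 4,192 and 20.3% are the Irish figures quoted above.

```python
from dataclasses import dataclass


@dataclass
class ScanOutcome:
    true_reports: float
    false_reports: float

    @property
    def precision(self) -> float:
        """Share of reports that actually concern illegal content."""
        total = self.true_reports + self.false_reports
        return self.true_reports / total if total else 0.0


def scan(volume: float, prevalence: float, tpr: float, fpr: float) -> ScanOutcome:
    """Expected daily reports for a scanner with the given error rates."""
    illegal = volume * prevalence
    benign = volume - illegal
    return ScanOutcome(illegal * tpr, benign * fpr)


def max_fpr_for_precision(prevalence: float, tpr: float, target: float) -> float:
    """Largest false-positive rate that still reaches the target precision.

    Solves precision = p*tpr / (p*tpr + (1-p)*fpr) for fpr.
    """
    return prevalence * tpr * (1 - target) / (target * (1 - prevalence))


def irish_breakdown(reports: int = 4192, confirmed_share: float = 0.203):
    """Split the Irish figure from the article into real and false reports."""
    real = round(reports * confirmed_share)
    return real, reports - real


# Assumed inputs: 1e9 messages/day, prevalence 1e-6, 99% sensitivity,
# 1% false-positive rate.
HYPOTHETICAL = scan(volume=1e9, prevalence=1e-6, tpr=0.99, fpr=0.01)

if __name__ == "__main__":
    print(HYPOTHETICAL, HYPOTHETICAL.precision)
    print(max_fpr_for_precision(1e-6, 0.99, 0.5))
    print(irish_breakdown())
```

Under these assumptions roughly ten million benign messages are flagged per day against fewer than a thousand real ones, and the false-positive rate would have to drop below about one in a million before even half of the reports were correct.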
In addition, more than 600 cryptographers, security researchers and others from 35 countries have signed an open letter warning that the chat ban is 'technically unfeasible,' poses 'dangers to democracy,' and 'would completely jeopardize' the safety and privacy of EU citizens.
'Danger to Democracy': 500+ Top Scientists Urge EU Governments to Reject 'Technically Infeasible' Chat Control – Patrick Breyer
https://www.patrick-breyer.de/en/danger-to-democracy-500-top-scientists-urge-eu-governments-to-reject-technically-infeasible-chat-control/

The Graduate School of Security also points out that 'client-side scanning fundamentally breaks encryption and cannot distinguish between legitimate and illegitimate content without creating vulnerabilities that malicious actors can exploit.'
However, Metalhearf pointed out that the European Commission has not presented any research evidence demonstrating how effective, reliable, or appropriate chat censorship laws are in protecting children.
Metalhearf said, 'It's a laughing matter that the EU, which enacted the General Data Protection Regulation (GDPR) to protect digital privacy, is now designing chat laws to systematically dismantle it. What was once a fundamental human right could be turned into compulsory surveillance. This law represents a historic choice for Europe, and we must choose between becoming the first democratic country to normalize mass surveillance of private communications, or protecting the digital rights that make Europe a global privacy leader.'
A variety of opinions on the chat regulation laws have also been expressed on the social message board Hacker News, with comments such as:
'I believe the challenge facing society here is not simply to reject these attempts, but to prevent them from being repeated over and over again until they are approved under certain circumstances.'
'I believe the government should be transparent and the public should be opaque. Otherwise, the government will lose its legitimacy.'
'It's important to know that EU politicians are excluding themselves from the chat law (page 36, section 2a).'
'It's clear that the Danish Minister of Justice, Peter Hummelgaard, who designed the bill, doesn't understand end-to-end encryption.'
'The problem is that whoever controls the proprietary parts of the chat law (including lists of illegal content) can use it for any imaginable purpose, such as detecting political opponents. I'm just asking for a valid counterargument to the chat law. I've seen a lot of unfounded arguments that don't help convince politicians that chat law is a bad idea. Politicians need to understand the real reasons why it's a bad idea.'
'I think many people outside the EU just ignore this as an EU thing and don't think much about it. But if you've ever texted someone in the EU, you could be subject to chat law surveillance. The EU invests billions of dollars in other countries to promote EU values. It's possible that the EU will argue that they need to accept chat law to continue receiving this support.'

in Software, Web Service, Security, Posted by logu_ii






