EU's Client-Side Scanning Plans Could be Unlawful

EU plans to force tech companies to scan the private messages of their customers for child abuse (CSEA) content are likely to be struck down by the courts, the bloc’s legal advisors have reportedly warned.

Proposed “chat control” regulations are similar in nature to the controversial Clause 110 of the UK’s Online Safety Bill. Providers offering end-to-end encrypted messages could be served “detection orders” requiring them to scan customer messages for CSEA content on the device before they are encrypted.

This would most likely be done by some form of “client-side scanning” – technology that checks videos, images and text against a database of prohibited content.

Read more on the Online Safety Bill: WhatsApp, Signal Claim Online Safety Bill Threatens User Privacy and Safety.

However, leaked advice from the legal service of the Council of the EU has reportedly warned that the proposals pose a “particularly serious limitation to the rights to privacy and personal data,” and that there is a “serious risk” of them being struck down by judges.

Given that the European Court of Justice has previously ruled that even communications metadata could only be screened in cases of national security, it is unlikely that current proposals would be proportionate in a CSEA context, it is believed.

They “would require the general and indiscriminate screening of the data processed by a specific service provider, and apply without distinction to all the persons using that specific service, without those persons being, even indirectly, in a situation liable to give rise to criminal prosecution,” according to the advice, published in The Guardian.

Privacy advocates have many issues with client-side scanning. They claim that:

  • Researchers have already worked out that it could generate too many false positives to be useful, and that it could be hacked in other ways
  • If client-side scanning were targeted by foreign governments or cyber-criminals, it would potentially put private data at risk
  • If client-side scanning comes into force, child abusers will simply gravitate to unpoliced apps, as criminals have in the past with services like EncroChat
  • The technology could be used in the future to police other content types without the knowledge of users

In addition, the bosses of several big-name messaging apps have publicly stated they would rather exit the UK than comply with client-side scanning provisions, which would also make domestic firms and consumers less secure.

EU lawyers are reportedly also concerned that the bloc’s proposals would require messaging providers to introduce age verification, which in turn would mean mass profiling of users, potentially including their biometric information.
