Today at 3 p.m., the EU Commission is to introduce the worst surveillance legislation: mandatory client-side scanning for child sexual abuse material (CSAM).
Analysis of the data shows that no monitoring orders are issued for “child pornography” – which makes sense, as “most abused children know the perpetrator”, according to tutanota.com.
Tutanota's analysis clearly shows that while surveillance measures can be issued after an initial suspicion, this is not done for child pornography, but only for other crimes, notably drugs. This shows that blanket surveillance is completely disproportionate and will take away the right to privacy from every citizen – and every business!
Matthias Pfau, CEO of encrypted email service Tutanota and cryptography expert, warns that disproportionate surveillance of all citizens will have serious consequences:
“We need to look very carefully at what could go wrong with the following surveillance measures proposed by the EU Commission:
- First of all, we must realize that under the Commission's plans, every chat message, every email we send will be secretly monitored, constantly. The list of images and content to be searched will be customizable. Once a law forces carriers to implement client-side scanning, the tool that does so could theoretically search everything. So the search list could be expanded on demand. At first, they'll scan for child pornography, but in a next step, the authorities will start looking for more and more: terrorists, human traffickers, drug dealers. This list could go on and on.
- It is not clear from the European Commission's draft who will determine the list and who will have access to the content of the searches. However, we can assume that it will be at least all European governments, which also includes countries like Poland (which just banned abortion) and Hungary (which is known for its media crackdown). We will not mention anything about Greece....
- An important issue that is completely neglected by the European Commission is cyber security. Ways may be found to hack the client-side scanning process. Malicious attackers could, for example, insert images or documents into the devices of people they want to defame. Otherwise, malicious attackers could find a way to extract the data scanned from the devices and use it in cyber exposure attacks.
In the end, we all have to realize that a backdoor is a backdoor, there can't be a "good guys only backdoor".