Chatcontrol: Every private message is suspicious

  • There is a new mass surveillance law underway
  • The European Commission wants to scan pretty much all private messages and private files stored on the internet.
  • They argue this is needed to fight sexual abuse of children on the internet

Sexual abuse of children ...

  • Children are abused and do not only suffer in the moment,
  • but they are also traumatized for life.
  • Many children develop severe psychological disorders like PTSD.

... on the internet

  • Pedophiles exchange images of abuse
  • Distribution is very hard to stop
  • Grooming of minors through the internet is another serious problem

Consequences of media sharing

  • Police can identify and rescue abuse victims
  • Eradication of media on the internet is near impossible
  • Pedophiles get inspired to produce new and more extreme content

Current solutions

  • This is a real problem that needs to be addressed
  • But the solutions have to make sense
  • Law enforcement is already fighting it
  • Many digital service providers automatically detect illegal content and offer ways to report it

ePrivacy Directive (2002): You may not scan private messages!

  • Article 5.1: Confidentiality of Information
  • Article 6: Storing of traffic-related data

Digital service providers are not allowed to listen/tap into personal communication!
But they (especially US services) have been doing that nevertheless for many years!

Chatcontrol I (Feb. 2021)

» The proposed regulation is a temporary measure aimed at allowing tech companies to continue to voluntarily track child sexual abuse material«

  • Chatcontrol I was approved in July 2021
  • Chatcontrol I Expiry date: 3 August 2024
  • Chatcontrol II was already being drafted at the time
  • Final title for Chatcontrol II: "Proposal for a Regulation laying down rules to prevent and combat child sexual abuse"
  • Upcoming european elections: 6 to 9 June 2024

Chatcontrol II (May 2022)

Law Type Scanning of public data Scanning of private data
ePrivacy Directive Voluntary Forbidden
Chatcontrol I Regulation Voluntary Voluntary
Chatcontrol II Regulation Required Required

Putting required scanning into perspective

(for illustration purposes only, actual data unavailable)

Scan and identify ...

  • Known CSAM
  • Unknown CSAM
  • Grooming attempts

In Media:

  • Images, Video
  • Text (grooming)
  • Audio: Maybe. Potential distiction between live and stored audio messages

What about encryption?

  • End-to-End encryption is explicitly named as a technology in the chatcontrol II proposal
  • "Security Through Encryption and Despite Encryption"
  • Client-side scanning or encryption backdoors will be required

Reporting of suspicious content

The new EU CSAM centre is needed because even the commission admits that there will be false positives!

Who's behind chatcontrol?

Zensursula (2009)

Zensursula (2009)

  • Claim: Hosting providers don't delete CSAM -> we need to block
  • List of CSAM pages was leaked
  • All CSAM was deleted in short time. Argument debunked

Zensursula (2009)

  • Lots of press coverage in Germany
  • Very successful petition to stop the law
  • The law never came into effect and was abolished by next government

Ylva Johansson

  • EU Commissioner for Home Affairs
  • Is in charge of the chatcontrol proposal
  • Won the Dutch Big Brother Award 2022 (Bits of Freedom)
  • Insists that chatcontrol II is absolutely necessary

Ashton Kutcher

  • American Actor and founder of the Thorn foundation
  • Child protection advocate with a focus on technical solutions
  • Popular visitor at EU institutions

Ashton Kutcher

  • Claims that he has technical solutions to the problem
  • Claims that no one wants to talk about the topic, because no one understands the technology

Notable critics of chatcontrol

  • Deutscher Kinderschutzbund (The Federal Association of the Child Protection Association in Germany)
  • MOGIS e.V. (Missbrauchsopfer gegen Internetsperren/Child abuse victims against internet censorship)

Activism

Chatcontrol.dk

  • online activism for Denmark
  • Illustrate how chatcontrol will impact our daily lives
  • Independent Dutch translation of the website: https://chatcontrole.nl/
  • Talk to me after the presentation!

Scanning private messages globally

see page 8 of https://www2.datainnovation.org/2022-E2EE-monitoring-obligations.pdf

Legal and technical reality

Listening to the experts ...

With this regard, it must be taken into consideration that interpersonal communication services are used by almost the entire population and may also be used for the dissemination of CSAM and/or for solicitation of children.

source

Detection orders addressed to those services would entail a variable but in almost all cases very broad scope of automated analysis of personal data and access to personal and confidential information concerning a very large number of persons that are not involved, even indirectly, in child sexual abuse offences.

source

Scientific service of german parliament:

Zudem wäre eine Ausweitung der Überwachung auch auf andere Bereiche möglich und zu befürchten

Vor dem Hintergrund der bisherigen Rechtsprechung [..] ist davon auszugehen, dass an die Verordnung 2022/0155 (COD) hohe Anforderungen zu stellen sind und der Verordnungsentwurf in seiner aktuellen Fassung so nicht in Kraft treten dürfte.

source

Professor Stefan Axelsson

(Prof. digital forensik och cybersäkerhet, Stockholms Universitet)

Inte ens Östtysklands säkerhetspolis Stasi hade övervakning på den här nivån.

De pedofiler som man verkligen vill komma åt, de kommunicerar inte på det här viset. De kommunicerar på Darknet och andra liknande ställen.

source

Professor Mathew Green

(Prof. of Cryptography @JHU, USA)

source

Professor Mathew Green

(Prof. of Cryptography @JHU, USA)

My impression is that the authors do not understand, at a purely technical level, that they are asking technology providers to deploy systems that none of them know how to build safely. Nor has the Commission consulted people with the technical and scientific expertise that would be needed to make this proposal viable

source

Open Letter (1/3)

Signed by Cryptographers like Ronald Rivest, Martin Hellman, Bruce Schneier, ..., (source)

Research has shown that for all known perceptual hash functions, it is virtually always possible to make small changes to an image that result in a large change of the hash value which allows evasion of detection (false negative).

Open Letter (2/3)

Moreover, it is also possible to create a legitimate picture that will be falsely detected as illegal material as it has the same hash as a picture that is in the database (false positive). This can be achieved even without knowing the hash database. Such an attack could be used to frame innocent users and to flood Law Enforcement Agencies with false positives – diverting resources away from real investigations into child sexual abuse.

Open Letter (3/3)

Even if such a CSS system could be conceived, there is an extremely high risk that it will be abused. We expect that there will be substantial pressure on policymakers to extend the scope, [..] the hash values give no information on the content itself, it would be impossible for outsiders to detect this abuse.

Chatcontrol & life in the EU

It is no longer just the nerds who live on the internet.

Dangers to FOSS repositories (1/2)

Chapter II, Section 1, Article 6:

Providers of software application stores shall:
(a) make reasonable efforts to assess, where possible together with the providers of software applications, whether each service offered through the software applications that they intermediate presents a risk of being used for the purpose of the solicitation of children;

Dangers to FOSS repositories (2/2)

Chapter II, Section 1, Article 6:

Providers of software application stores shall:
(b) take reasonable measures to prevent child users from accessing the software applications in relation to which they have identified a significant risk of use of the service concerned for the purpose of the solicitation of children; (c) take the necessary age verification and age assessment measures to reliably identify child users on their services, enabling them to take the measures referred to in point (b).

How to grow up if ...

  • you do not learn how to navigate the world in the information age?
  • you do not learn when/how to talk to strangers offline & online?

How to grow up if ...

  • you cannot freely share secrets with the people you trust?
  • you cannot find peers outside of your village/city that share your interests/concerns?

Circumventing chatcontrol

  • Encrypt data outside of communication program
  • Block the CSAM reporting server in firewall
  • Patch open source software so that it doesn't spy on you

People who deeply care about circumventing chatcontrol will be able to do so.

Chatcontrol does not work and has serious negative side-effects!

The way forward

  • Society needs to empower children through education
  • Ongoing discussions in the LIBE committee. Write to your MEP (in LIBE)!
  • Potential vote in the parliament in the coming months
  • Talk to the press. This needs more coverage in more EU countries, because this affects basically everyone

Thank you for your attention

Appendix: Enforcing Chatcontrol

Chapter III, Section 2, Article 27:

[..] Coordinating Authorities shall have the following powers of investigation, [..]:

(b) the power to carry out on-site inspections of any premises that those providers or the other persons [..] in order to examine, seize, take or obtain copies of information relating to a suspected infringement of this Regulation in any form, irrespective of the storage medium;

Appendix: Criticsm of Ylva Johansson

https://edri.org/our-work/commissioner-johansson-cannot-be-trusted-with-the-eus-proposed-csa-regulation/

this will affect almost everyone

a lot of innocent persons will have their confidentiality violated

Expansion of surveillance is very likely. The current proposal is not compatible with existing laws

It is easy fool detection algorithms to not report images

It is easy fool detection algorithms to falsy report images This will take away resources from law enforcement

There is a high risk of abuse of the law, because hashes can represent anything

The internet supports the single market, travel, work, live freely within the union Chatcontrol is highly anti-european "Group of diverse people using smartphones" by Rawpixel Ltd is licensed under CC BY 2.0.

[point 14]‘software application stores’ means a type of online intermediation services, which is focused on software applications as the intermediated product or service; Volunteers have to review thousands of software packages that they offer. This is not feasible.

Children will not be able to use software with "significant" risk of solicitation. Chatcontrol disempowers children! public service Software repositories need to introduce age control

"That's my Doctorate finished. Will make much more sense than me writing it myself ☺ #student #baby #child #computer #typing #doctorate #phd #maternityleave" by elliemcc11 is licensed under CC BY-SA 2.0.

The fact that we can connect to any other human on the planet regardless of age, gender, sexual orientation, skin color and other factors is not a bug but a feature! "That's my Doctorate finished. Will make much more sense than me writing it myself ☺ [..] by elliemcc11 is licensed under CC BY-SA 2.0.