Chatcontrol: Every private message is suspicious
There is a new mass surveillance law underway
The European Commission wants to scan pretty much all private messages and private files stored on the internet.
They argue this is needed to fight sexual abuse of children on the internet
Sexual abuse of children ...
Children are abused and do not only suffer in the moment,
but they are also traumatized for life.
Many children develop severe psychological disorders like PTSD.
... on the internet
Pedophiles exchange images of abuse
Distribution is very hard to stop
Grooming of minors through the internet is another serious problem
Police can identify and rescue abuse victims
Eradication of media on the internet is near impossible
Pedophiles get inspired to produce new and more extreme content
Current solutions
This is a real problem that needs to be addressed
But the solutions have to make sense
Law enforcement is already fighting it
Many digital service providers automatically detect illegal content and offer ways to report it
ePrivacy Directive (2002): You may not scan private messages!
Article 5.1: Confidentiality of Information
Article 6: Storing of traffic-related data
Digital service providers are not allowed to listen/tap into personal communication!
But they (especially US services) have been doing that nevertheless for many years!
Chatcontrol I (Feb. 2021)
» The proposed regulation is a temporary measure aimed at allowing tech companies to continue to voluntarily track child sexual abuse material«
Chatcontrol I was approved in July 2021
Chatcontrol I Expiry date: 3 August 2024
Chatcontrol II was already being drafted at the time
Final title for Chatcontrol II: "Proposal for a Regulation laying down rules to prevent and combat child sexual abuse"
Upcoming European elections: 6 to 9 June 2024
Chatcontrol II (May 2022)
| Law | Type | Scanning of public data | Scanning of private data |
|---|---|---|---|
| ePrivacy | Directive | Voluntary | Forbidden |
| Chatcontrol I | Regulation | Voluntary | Voluntary |
| Chatcontrol II | Regulation | Required | Required |
Putting required scanning into perspective
(for illustration purposes only, actual data unavailable)
Scan and identify ...
Known CSAM
Unknown CSAM
Grooming attempts
In Media:
Images, Video
Text (grooming)
Audio: Maybe. Potential distinction between live and stored audio messages
What about encryption?
End-to-End encryption is explicitly named as a technology in the chatcontrol II proposal
"Security Through Encryption and Despite Encryption"
Client-side scanning or encryption backdoors will be required
Reporting of suspicious content
The new EU CSAM centre is needed because even the commission admits that there will be false positives!
Who's behind chatcontrol?
Zensursula (2009)
Claim: Hosting providers don't delete CSAM -> we need to block
List of CSAM pages was leaked
All CSAM was deleted in short time. Argument debunked
Zensursula (2009)
Lots of press coverage in Germany
Very successful petition to stop the law
The law never came into effect and was abolished by next government
Ylva Johansson
EU Commissioner for Home Affairs
Is in charge of the chatcontrol proposal
Won the Dutch Big Brother Award 2022 (Bits of Freedom)
Insists that chatcontrol II is absolutely necessary
Ashton Kutcher
American Actor and founder of the Thorn foundation
Child protection advocate with a focus on technical solutions
Popular visitor at EU institutions
Ashton Kutcher
Claims that he has technical solutions to the problem
Claims that no one wants to talk about the topic, because no one understands the technology
Notable critics of chatcontrol
Deutscher Kinderschutzbund (The Federal Association of the Child Protection Association in Germany)
MOGIS e.V. (Missbrauchsopfer gegen Internetsperren/Child abuse victims against internet censorship)
Activism
Chatcontrol.dk
online activism for Denmark
Illustrate how chatcontrol will impact our daily lives
Independent Dutch translation of the website: https://chatcontrole.nl/
Talk to me after the presentation!
Legal and technical reality
Listening to the experts ...
Legal Service of the Council of the EU (1/2)
With this regard, it must be taken into consideration that interpersonal communication services are used by almost the entire population and may also be used for the dissemination of CSAM and/or for solicitation of children.
source
Legal Service of the Council of the EU (2/2)
Detection orders addressed to those services would entail a variable but in almost all cases very broad scope of automated analysis of personal data and access to personal and confidential information concerning a very large number of persons that are not involved, even indirectly, in child sexual abuse offences.
source
Scientific service of German parliament:
Moreover, an extension of the surveillance to other areas would also be possible and is to be feared.
Against the background of existing case law [..], it must be assumed that Regulation 2022/0155 (COD) has to meet high requirements and that the draft regulation in its current version should not be allowed to enter into force.
source
Professor Stefan Axelsson
(Prof. of digital forensics and cybersecurity, Stockholm University)
Not even East Germany's security police, the Stasi, had surveillance at this level.
The pedophiles one really wants to get at do not communicate this way. They communicate on the Darknet and other similar places.
source
Professor Matthew Green
(Prof. of Cryptography @JHU, USA)
My impression is that the authors do not understand, at a purely technical level, that they are asking technology providers to deploy systems that none of them know how to build safely. Nor has the Commission consulted people with the technical and scientific expertise that would be needed to make this proposal viable
source
Open Letter (1/3)
Signed by Cryptographers like Ronald Rivest, Martin Hellman, Bruce Schneier, ..., (source)
Research has shown that for all known perceptual hash functions, it is virtually always possible to make small changes to an image that result in a large change of the hash value which allows evasion of detection (false negative).
Open Letter (2/3)
Moreover, it is also possible to create a legitimate picture that will be falsely detected as illegal material as it has the same hash as a picture that is in the database (false positive). This can be achieved even without knowing the hash database. Such an attack could be used to frame innocent users and to flood Law Enforcement Agencies with false positives – diverting resources away from real investigations into child sexual abuse.
Open Letter (3/3)
Even if such a CSS system could be conceived, there is an extremely high risk that it will be abused. We expect that there will be substantial pressure on policymakers to extend the scope, [..] the hash values give no information on the content itself, it would be impossible for outsiders to detect this abuse.
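The false-positive and opacity points quoted from the open letter (2/3 and 3/3) can be seen on a toy scale. The following is an added example, not part of the slides or the open letter: it uses a simple average hash on constructed 8x8 grids, which is an assumption for illustration and not the hash any real scanner uses; all names, the threshold and the pixel data are hypothetical.

```python
# Toy average hash (aHash) on 8x8 grayscale grids. Assumption: illustration
# only; the hash, threshold and all pixel data below are constructed.

def average_hash(pixels):
    """Return a 64-bit int: bit is 1 where a pixel is brighter than the mean."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | (p > mean)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def flagged(images, database, threshold=4):
    """Names of images whose hash is within `threshold` bits of a listed hash."""
    return sorted(name for name, px in images.items()
                  if any(hamming(average_hash(px), h) <= threshold
                         for h in database))

# Constructed picture on the (hypothetical) list: smooth left-to-right gradient.
LISTED = [[x * 36 for x in range(8)] for _ in range(8)]

# Constructed user uploads.
UPLOADS = {
    # Same picture after a benign re-encode that brightens every pixel a bit.
    "reencoded_copy": [[v + 3 for v in row] for row in LISTED],
    # Different picture: hard two-tone edge, only the coarse layout is shared.
    "unrelated_two_tone": [[(10 if x < 4 else 200) + y % 3 for x in range(8)]
                           for y in range(8)],
    # Different picture with a different layout: top-to-bottom gradient.
    "unrelated_vertical": [[y * 36] * 8 for y in range(8)],
}

# The database holds only integers; nothing about content can be read from it.
DATABASE = {average_hash(LISTED)}

if __name__ == "__main__":
    for name, px in UPLOADS.items():
        print(name, hex(average_hash(px)),
              hamming(average_hash(px), average_hash(LISTED)))
    print("flagged:", flagged(UPLOADS, DATABASE))
```

The two-tone picture is reported although it is not the listed one, and an auditor who sees only `DATABASE` cannot tell what the listed entry depicts.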
Chatcontrol & life in the EU
It is no longer just the nerds who live on the internet.
Dangers to FOSS repositories (1/2)
Chapter II, Section 1, Article 6:
Providers of software application stores shall:
(a) make reasonable efforts to assess, where possible together with the providers of software applications, whether each service offered through the software applications that they intermediate presents a risk of being used for the purpose of the solicitation of children;
Dangers to FOSS repositories (2/2)
Chapter II, Section 1, Article 6:
Providers of software application stores shall:
(b) take reasonable measures to prevent child users from accessing the software applications in relation to which they have identified a significant risk of use of the service concerned for the purpose of the solicitation of children; (c) take the necessary age verification and age assessment measures to reliably identify child users on their services, enabling them to take the measures referred to in point (b).
How to grow up if ...
you do not learn how to navigate the world in the information age?
you do not learn when/how to talk to strangers offline & online?
How to grow up if ...
you cannot freely share secrets with the people you trust?
you cannot find peers outside of your village/city that share your interests/concerns?
Circumventing chatcontrol
Encrypt data outside of communication program
Block the CSAM reporting server in firewall
Patch open source software so that it doesn't spy on you
People who deeply care about circumventing chatcontrol will be able to do so.
Chatcontrol does not work and has serious negative side-effects!
The way forward
Society needs to empower children through education
Ongoing discussions in the LIBE committee. Write to your MEP (in LIBE)!
Potential vote in the parliament in the coming months
Talk to the press. This needs more coverage in more EU countries, because this affects basically everyone
Thank you for your attention
Appendix: Enforcing Chatcontrol
Chapter III, Section 2, Article 27:
[..] Coordinating Authorities shall have the following powers of investigation, [..]:
(b) the power to carry out on-site inspections of any premises that those providers or the other persons [..] in order to examine, seize, take or obtain copies of information relating to a suspected infringement of this Regulation in any form, irrespective of the storage medium;
this will affect almost everyone
a lot of innocent persons will have their confidentiality violated
Expansion of surveillance is very likely.
The current proposal is not compatible with existing laws
It is easy to fool detection algorithms into not reporting images
It is easy to fool detection algorithms into falsely reporting images
This will take away resources from law enforcement
There is a high risk of abuse of the law, because hashes can represent anything
The internet supports the single market, travel, work, live freely within the union
Chatcontrol is highly anti-European
"Group of diverse people using smartphones" by Rawpixel Ltd is licensed under CC BY 2.0.
[point 14] ‘software application stores’ means a type of online intermediation services, which is focused on software applications as the intermediated product or service;
Volunteers have to review thousands of software packages that they offer. This is not feasible.
Children will not be able to use software with "significant" risk of solicitation.
Chatcontrol disempowers children!
public service
Software repositories need to introduce age control
"That's my Doctorate finished. Will make much more sense than me writing it myself ☺ #student #baby #child #computer #typing #doctorate #phd #maternityleave" by elliemcc11 is licensed under CC BY-SA 2.0.
The fact that we can connect to any other human on the planet regardless of age, gender, sexual orientation, skin color and other factors is not a bug but a feature!