Chat Control - What comes next?

What is chatcontrol?

  • EU law to protect children against sexual abuse in the context of the internet
  • Sounds good? Well, actually...

Let me use a meme ...

That doesn't make any sense?

We need to go back in time to explain this

The internet: Where people post cat pictures and bad stuff

Service providers: Keep a clean house

CSAM = Child sexual abuse material

  • Terminology: "child pornography" sounds too harmless according to some
  • A "child" is any person under the age of 18
  • Scope: Digital display of sexual acts and organs that include minors

Not only publicly shared contents

Chatcontrol 1.0 is born

Art. 5(1): Confidentiality of Communications
Art. 6: Confidentiality of traffic data

Chatcontrol 2.0

  • Will supersede the temporary chatcontrol 1.0
  • New: Services must scan when given a detection order
  • Attack on encryption: Communication/original data must be scanned.
  • Fundamental technical and legal problems:
    • Scanning contents not possible without breaking or circumventing encryption
    • Untargeted surveillance not compatible with EU law
    • Lots of experts from different areas say this is a bad idea

Chatcontrol: A logical fallacy

  • CSAM on the internet is a real problem
  • This does not imply that surveillance is the solution
  • It implies that we need to think about meaningful solutions

Meaningful solutions require an understanding of the problem

  • Child sexual abuse is a very difficult topic to talk about
  • Limited public knowledge
  • Legal minefield
  • Very emotional topic (think of the children!)
  • Do politicians understand the reality of the problem?

Reading literature

  • Written by a journalist who reports on crimes in darknets
  • Describes circumstances for child abuse offline and online
  • Explains how predators think and operate

CSAM can be spread under many different circumstances

Trying to get a full picture

  • Criminal pedophiles are a real problem that needs to be addressed
  • About half of the suspects investigated by the police are minors according to German criminal statistics
  • Laws need to take into consideration the side effects they have

https://netzpolitik.org/2024/sexualdelikte-zum-nachteil-von-minderjaehrigen-was-die-gestiegenen-fallzahlen-bedeuten/

Darknet CSAM forums

Achilles heel of CSAM forums: Storage

  • Visual content is expensive: Space and bandwidth
  • Donations are risky, because they leave a trail. Very tight budget.
  • The journalist reported all URLs to the file hosters. Very quickly taken offline!
  • URL takedowns contributed significantly to downfall of the CSAM forum.

Why CSAM darknet forums are probably popular

  • Anyone can join (as opposed to closed chat groups)
  • More people can contribute content
  • Content can be downloaded on demand, all local data is volatile
  • Police are not issuing URL takedown requests
  • People can move to another forum if one is taken down and repost URLs

What about end-to-end encryption in private chats?

Criminal pedophiles who chat with other criminal pedophiles ...

  • know they are hated by everyone else
  • apply additional layers of encryption
  • prevent the software or network from reporting any hits

Chatcontrol will be very ineffective here

Back to the legislative process ...

The 3 important EU institutions

The Commission's Chatcontrol 2.0. Proposal

  • Mandatory detection in places on the internet with significant risk of CSA(M)
  • Automatic reporting of hits to EU center (part of Europol)
  • Encrypted communication must also be scanned

Negotiations in the (previous) EU parliament

  • Lots of heated discussions
  • Things that got removed: Untargeted surveillance, client-side scanning, mandatory age verification for communication services, blocking content (delete instead), age restrictions for messenger apps

Negotiations in the EU Council

  • Failure to reach an agreement in the last 2 years
  • Proposal from Commission mostly unchanged
  • Hungary has presidency until end of year

Foul compromise: Upload moderation

  • It's not legal to do mass scanning
  • Get permission from people to have their messages scanned

πŸ‘‰οΈ URL scanning implies text scanning

Next step: The Trilogue

  • Council finds compromise 👉 Council, Parliament and Commission need to find an overarching compromise
  • Trilogue not visible to the public
  • Afterwards: Additional readings in parliament and council and potential adoption if there is enough agreement

The public and chatcontrol

  • Much public criticism from digital rights groups and the Pirate Party
  • Several letters from world-leading cryptographers explaining that this is a terrible idea
  • Statement from the German Kinderschutzbund that they don't think that chatcontrol helps children
  • EDRi: Is this the most criticised draft EU law of all time?

Ashton Kutcher

  • American TV Star
  • Founded "NGO" Thorn. A software company to fight human trafficking and other abuse
  • Has easy access to Commission

Hashes as indicators

  • Chatcontrol proposal: "the EU Centre will create, maintain and operate databases of indicators of online child sexual abuse that providers will be required to use to comply with the detection obligations."
  • Hashes ("Indicators") are inherently tied to a (possibly proprietary) algorithm
  • If scanning becomes mandatory, there are only very few software companies that can provide scanning software

Commission does not adhere to good administrative standards

  • Austria complained to EU ombudsman that not all meeting documents with Thorn were published
  • Commission argues that "disclosure would undermine the commercial interests of the organisations concerned"
  • Ombudsman's assessment: The law would very likely affect citizens' day-to-day lives by limiting their right to privacy, and that is why public discourse about these documents is meaningful.

12.7.2024: https://www.ombudsman.europa.eu/en/decision/en/189484

Ashton Kutcher resigns from Thorn

Writing a letter of support for a rapist didn't end well

A new EU commission?

  • Current Commission will stay in office until around the end of the year
  • Ursula von der Leyen 🇩🇪 got reelected yesterday and will rule for another 5 years
  • Ylva Johansson 🇸🇪 will very likely be replaced by Jessika Roswall 🇸🇪

What to do now?

  • Keep talking about it. We need more media coverage!
  • Support organisations that fight for digital rights.
  • Suggest meaningful child protection on the internet

Meaningful child protection on the internet

  • Anonymity is a virtue on the internet, especially for children.
  • Education for teachers, parents & children about (online) abuse
  • Sexual abuse is usually a question of power asymmetry.
    Empowerment of potential victims helps prevention!
  • Make it less taboo to talk about the risk of child abuse
  • The police should delete content!
  • Minors need to learn that sharing others' nudes is neither funny nor okay

Meaningful use of AI for child protection

  • Detect when the user wants to upload nudes and inform the user why this might be a bad idea (client-side)
  • Detect grooming/sextortion and inform the user (client-side)
  • Do NOT automatically send data to the authorities.
    -> Let user actively report or block instead
  • Make your voice sound older with an AI

Questions?

Apple tried to develop similar hashing software but gave up

https://thishashcollisionisnotporn.com/

hash of real CSAM: 59a34eabe31910abfb06f308

Hash collisions are impossible to avoid, because we try to project an infinite space into a finite one.
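
The collision argument above and the point from "Hashes as indicators" that an indicator is tied to its algorithm, as an added example that is not part of the original slides. The two hash functions are simplified textbook variants (average hash, difference hash), not the algorithm of any real scanning product, and the 8x8 grayscale grids are constructed sample inputs.

```python
# Added example: toy perceptual hashes over constructed 8x8 grayscale grids.

def average_hash(img):
    """64-bit hash: one bit per pixel, set if the pixel is above the mean."""
    pixels = [p for row in img for p in row]
    mean = sum(pixels) / len(pixels)
    return sum(1 << i for i, p in enumerate(pixels) if p > mean)

def difference_hash(img):
    """56-bit hash: one bit per horizontal neighbour pair, set if left > right."""
    bits = [row[x] > row[x + 1] for row in img for x in range(len(row) - 1)]
    return sum(1 << i for i, b in enumerate(bits) if b)

def hamming(a, b):
    """Number of differing bits between two hash values."""
    return bin(a ^ b).count("1")

def images_per_hash(side=8, depth_bits=8, hash_bits=64):
    """Pigeonhole: average number of distinct images behind each hash value."""
    return 2 ** (side * side * depth_bits - hash_bits)

def database_hit(hash_fn, indicators, img):
    """A scanner reports a hit when the image's hash is a known indicator."""
    return hash_fn(img) in indicators

# Constructed inputs: a hard black/white split and a textured picture
# that merely happens to be darker on the left than on the right.
img_a = [[0] * 4 + [255] * 4 for _ in range(8)]
img_b = [[10 + r, 40, 20, 60 - r, 200, 140 + r, 180, 150] for r in range(8)]

if __name__ == "__main__":
    print("images per 64-bit hash value: 2^%d" % (images_per_hash().bit_length() - 1))

    # Indicator database built from img_a with the average hash.
    avg_db = {average_hash(img_a)}
    print("img_b flagged by average-hash scanner:",
          database_hit(average_hash, avg_db, img_b))      # false positive

    # The same picture indexed with a different algorithm gives a different
    # indicator, so the database only works with the software that made it.
    diff_db = {difference_hash(img_a)}
    print("img_b flagged by difference-hash scanner:",
          database_hit(difference_hash, diff_db, img_b))
    print("average-hash indicator usable by difference-hash scanner:",
          database_hit(difference_hash, avg_db, img_a))
    print("difference-hash distance a vs b:",
          hamming(difference_hash(img_a), difference_hash(img_b)))
```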

Upcoming dates

  • 10-11 October 2024: Planned presentation of Council Presidency progress report and discussion of EU interior ministers on mandatory chat control (chat control 2.0)
  • 12-13 December 2024: EU interior ministers scheduled to adopt mandatory chat control (chat control 2.0) position
  • tbc: Envisaged trilogue negotiations on the final text of the Chatcontrol 2.0 legislation between Commission, Parliament and Council, as well as adoption of the result

Info from https://www.patrick-breyer.de/en/posts/chat-control/#timeline

TODO:
  • Author is experienced in reporting on the darknet
  • Much abuse has an offline element and potentially no online element
  • What information is the commission using to make decisions?
  • Some abusers care about power and not pedophilia

  • Red: Illegal intent
  • Black: Legal intent
  • Yellow: Legal pedophilic intent
  • Below the surface: Not affected by chatcontrol

Technologically neutral: No requirements to scan a certain way, but the scanning must be effective. Official name: Laying down rules to prevent and combat child sexual abuse

https://www.patrick-breyer.de/en/historic-agreement-on-child-sexual-abuse-proposal-csar-european-parliament-wants-to-remove-chat-control-and-safeguard-secure-encryption/

current comparison of negotiation states: https://www.patrick-breyer.de/en/posts/chat-control/#currentproposal A lot of positions of the council are the same as the commission

  • Still legally questionable if it is a true approval
  • Scanning URLs implies scanning text meant to be encrypted
  • Deleting known CSAM-URLs would be a better idea

https://netzpolitik.org/2022/chatkontrolle-wie-ein-hollywoodstar-fuer-mehr-ueberwachung-wirbt/

  • "That 70s show" co-star Danny Masterson on trial for rape
  • After Kutcher wrote a character letter in support of him, there was a huge public outcry
  • Kutcher published an apology video that was very poorly received
  • Kutcher resigned from Thorn