A contentious European Union proposal to scan private messages for child sexual abuse material (CSAM) is raising concerns about its impact on end-to-end encryption (E2EE), according to Meredith Whittaker, president of the Signal Foundation, the organization behind the privacy-focused messaging app Signal.
“Mandating mass scanning of private communications fundamentally undermines encryption. Full Stop,” Whittaker stated on Monday.
“This could be achieved through tampering with encryption algorithms’ random number generation, implementing a key escrow system, or requiring communications to go through a surveillance system before encryption.”
EU lawmakers are introducing regulations to combat CSAM, including a new provision called “upload moderation” that allows messages to be reviewed before encryption.
A recent report by Euractiv revealed that audio communications are not covered by the law, and that users must agree to this detection in the service provider’s terms and conditions.
“Users who do not consent can still use parts of the service that do not involve sending visual content and URLs,” the report added.
In late April 2024, Europol urged the tech industry and governments to prioritize public safety, cautioning that E2EE could hinder law enforcement from accessing problematic content. The statement reignited the debate over balancing privacy against combating serious crimes.
It also called for platforms to develop security systems that can identify and report harmful and illegal activity to law enforcement without compromising encryption.
Apple had previously announced plans to implement client-side screening for CSAM but canceled the initiative in late 2022 due to backlash from privacy and security advocates.
“Scanning for one type of content could lead to mass surveillance and might prompt searches across encrypted messaging systems for other types of content,” the company explained when justifying its decision, referring to the practice as a “slippery slope of unintended consequences.”
Whittaker from Signal criticized the term “upload moderation,” stating that it effectively creates a security vulnerability that could be exploited by malicious actors and state-sponsored hackers.
“Either end-to-end encryption protects everyone and upholds security and privacy, or it’s compromised for everyone,” she emphasized. “Breaking E2EE, especially in the current geopolitical climate, is a disastrous idea.”