Encryption & Key Management , Legislation & Litigation , Security Operations
EU's LIBE Rejects Mass Content Scanning in CSAM Proposal
Committee Amends Bill to State It Doesn't Prohibit or Weaken End-to-End EncryptionA key European parliamentary committee on Tuesday voted to carve off encrypted communications from a legislative proposal directing online providers to diminish the risk of child sexual abuse material.
See Also: Reducing Complexity in Healthcare IT
The Child Sexual Abuse Material bill put forward by the European Commission in 2022 has faced a torrent of criticism for appearing to essentially outlaw end-to-end encryption through a mandate that digital communication services such as instant messenger apps scan for child sexual abuse material (see: EU Attorneys Question Legality of Chat App Scanning for CSAM).
European Parliament's Civil Liberties, Justice and Home Affairs Committee, aka LIBE, emphatically rejected any weakening of end-to-end encryption, amending the bill to state that nothing in it "shall be interpreted as prohibiting, weakening or undermining end-to-end encryption."
It also added language stating that the regulation cannot be interpreted as undermining "the prohibition of general monitoring under Union law" or as introducing new data retention obligations.
Committee members voted 51-2, with one member abstaining, to send the draft position to the full Parliament for approval.
The amended bill proposed "targeted detection," for CSAM, meaning that law enforcement would first have to seek judicial authorization for a time-limited order to scan for CSAM.
It also calls for the establishment of a new EU Center that will work with companies to develop alternative detection technology and coordinate the CSAM detection activities.
"This agreement strikes a balance between protecting children and protecting privacy as providers will have to assess if there is a risk of abuse in their services and mitigate those with tailor-made measures," said LIBE Chairman Javier Zarzalejos.
Although the LIBE proposal is not final, privacy and security experts have hailed the proposed amendments.
"This is a strong and clear protection to stop encrypted message services from being weakened in a way that could harm everyone that relies on them - a key demand of civil society and technologists," European digital rights group EDRi said.
Signal Foundation President Meredith Whittaker, a staunch critic of the CSAM proposal, tweeted that the committee amendments are "welcome" and "heartening."
Despite the latest measures, the draft proposal continues to pose privacy loopholes, EDRi said. They include clauses that allow Europol to access sensitive data to train its algorithms and proposed measures allowing the new EU Center to carry out web crawling to identify CSAM content.
"It should be clarified that this should only apply to the search for known material and on a case-by-case basis. Otherwise, there is a risk of mass scanning of public-facing communications using tools that are known to be unreliable at scale," EDRi said.
The rights group also said the new EU Center should be "free of the interests of entities that develop or provide scanning technologies," a concern that became salient after a media investigation revealed an American developer of CSAM identification tools and a British-based anti-CSAM group allegedly had lobbied European Commissioner for Home Affairs Minister Ylva Johansson to influence the outcome of the proposal (see: EU Lawmakers Press Johansson on CSAM Proposal Drafting).