EU's Proposed CSAM Bill Poses Hacking Risks

Hackers Would Exploit Client-Side Scanning, LIBE Committee Hears

Members of a European Parliament committee heard Thursday an assessment warning them that a bill intended to fight child sexual abuse material would instead weaken online security.

The Child Sexual Abuse Material proposal unveiled by the European Commission in May 2022 faces a barrage of opposition from industry and civil liberty groups concerned that its mandate for digital communication services such as instant messenger apps to scan for CSAM is incompatible with end-to-end encryption.

Bart Preneel, a cryptography professor at Catholic University of Leuven in Belgium, told the Committee on Civil Liberties, Justice and Home Affairs, or LIBE, that the only way mandatory scanning is compatible with end-to-end encryption is by scanning for images on devices before they're transmitted across the web. Preneel is co-author of an assessment of the CSAM proposal commissioned by the committee.

"The only way you could actually detect CSAM would be by scanning on the device of the user. You would have to insert additional software in the user device, and such a software will create new vulnerabilities that are open to attack and abuse," he said.

Scanning communications would violate a right to confidential communications while client-side scanning "violates the essence of the right of protection for personal data in the form of data security," said Niovi Vavoula, a professor at Queen Mary University in the United Kingdom and an assessment co-author.

The independent assessment mirrors objections raised by the European Data Protection Board and European Data Protection Supervisor in a July 2022 report.

European tech associations have also criticized the proposal, writing earlier this month that "encryption is fundamental to providing safe and secure private communications to internet users and ensuring strong cybersecurity and data protection."

During the hearing, Oliver Onidi, European Commission deputy director general of the Directorate-General for Migration and Home Affairs, defended the proposal.

Addressing end-to-end encryption, Onidi said that "the proposal doesn't mandate any prescribed solution on this. It is just important that a proposal will sustain the development over time, remains technologically neutral and indeed if there is any risk that this would lead to diminishing the level of protection of privacy communication, I'm fully with you to reinforce a number of provisions in the proposal in order to ensure that the coordinated work of the different actors in the chain who will ultimately vet the type of technology that would be active in an end-to-end encryption environment would actually not impede on the quality and the significant continuous improvement of private communications."

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
