Chat control/Child Sexual Abuse Regulation expert hearing: warnings from all sides
The Digital Affairs Committee of the German Bundestag today organised a public hearing on the controversial chat control/Child Sexual Abuse Regulation proposal currently being negotiated at EU level. The EU project met with unanimous criticism not only from data protection and digital experts, but also from child protection groups and law enforcement:
For Joachim Türk, representative of the German Child Protection Association (Kinderschutzbund Bundesverband e.V)., the EU regulation “goes too far in key points”. The association clearly opposes the screening of private communication content. “Above all, the indiscriminate scanning of private communication in messenger services (such as WhatsApp or Signal) or emails is neither proportionate nor effective,” its statement says.[1] Chat control was “a deep intrusion into the fundamental right of freedom of communication” also of children. The association instead proposes to extend the voluntary chat control interim regulation.
Public prosecutor Markus Hartmann, representing the Central and Contact Point for Cybercrime (ZAC) in North Rhine-Westphalia, warns that “all services and devices of digital communication are likely to be covered by the provisions of the draft regulation.” He speaks of “considerable and, in the end, reasoned concerns […] with regard to the necessity of at least part of the measures associated with the detection order, especially insofar as they are directed against end-to-end encrypted communications.” With regard to unencrypted communications, he considers it „unlikely that general interception of individual communications would withstand the scrutiny of (European) fundamental rights“. [2]
During the hearing, he notes that “[t]here is no law enforcement at any price. We don’t install a camera in every private home.” The “error rates concerning false positives, even in a single-digit percentage range, [were] still so high in absolute figures that an inacceptable number of persons wrongly came into the focus of authorities.” Hartmann continues: “By breaking encryption, the Commission is in fact undermining the most important digital means of protection. As the head of a technical cybercrime unit that also deals with the protection of critical infrastructures of authorities and companies, I can tell you that compromised encryption is ultimately no encryption.”
Ella Jakubowska of European Digital Rights (EDRi) calls for the proposal to be “outright rejected” as it is incompatible with EU law.[3]
Elina Eickstädt from the Chaos Computer Club (CCC) makes it clear right at the beginning of the hearing that the CCC “fundamentally rejects the CSAR regulation”. The “technical implementation of the regulation means the establishment of an unprecedented surveillance infrastructure (…) that deeply interferes with IT security principles and deprives users of any control over their digital communication.[4]
Felix Reda of the Society for Freedom Rights (GFF) clarifies: “Rejecting client-side scanning is not enough. From a fundamental rights perspective, it makes no difference whether scanning is done on the server or on the device.” He is convinced that the draft law violates the EU Charter of Fundamental Rights in “crucial points.” The “chat control proposal (…) not only threatens to keep law enforcement agencies busy with numerous reports of false positives. Moreover, there is also the risk that reports of consensual sexting among young people will increase.”[5]
Pirate Party MEP Patrick Breyer, who is negotiating the planned regulation for his group in the lead committee on home affairs, comments:
“With chat control, the EU is planning a mass surveillance system that is so extreme that it exists nowhere else in the free world. The only country that practices such indiscriminate searches is authoritarian China.
The scathing criticism even from the Child Protection League and law enforcement today clearly shows: chat control threatens to destroy the fundamental right to digital privacy of correspondence and must not be introduced in this form. No one is helping children with a regulation that will inevitably fail before the European Court of Justice because it violates the Charter of Fundamental Rights.
What we really need instead of totalitarian chat control and ID obligations for age verification is a long overdue obligation for law enforcement agencies to have known abuse material on the internet removed, as well as Europe-wide standards for effective prevention measures, victim support and counselling, and swife r criminal investigations.”