28 May 2024

The undersigned organizations, companies, and cybersecurity experts, many of whom are members of the Global Encryption Coalition, [1] issue the following statement in response to news of the Belgian Presidency’s latest compromise proposal, dated May 2024, on the Regulation on Child Sexual Abuse (CSA). [2]

Child sexual abuse and its distribution online is a serious crime that can only be effectively addressed if EU member states take a measured approach that is informed by expert evidence. The EU Parliament has already done this by adopting language that excludes end-to-end encrypted services from the scope of the regulation. [3] We praise this step towards recognising the importance of encryption in ensuring security and guaranteeing human rights and fundamental freedoms. We welcome this positive approach by the EU Parliament, as end-to-end encryption is a vital technology that protects adults, children, businesses, and governments from becoming the victims of malicious actors.

We are concerned that the Council of the EU is not following the same path. The Belgian Presidency continues to advocate for the use of scanning technologies for encrypted messaging services, as well other disproportionate limitations on digital rights. [4] Content detection has been a contentious issue for a number of EU member states who have until now opposed client-side scanning technologies, because they rightly understand that it creates serious security and privacy risks, permitting general monitoring, and undermining human rights. We thank Ministers in the Council for their recognition of the importance of encryption and efforts to protect it.

In an effort to find a solution, the Belgian presidency has now rebranded this approach using the term “upload moderation”. This is a mere cosmetic change, as it still fails to address the security and rights concerns raised by experts with regard to client-side scanning. [5] Scanning at the upload point defeats the end-to-end principle of strong encryption, could easily be circumvented, and would create new security vulnerabilities that third parties could exploit. [6] In short, it will not solve the problem of the online spread of child sexual abuse material, but will introduce significant security risks for all citizens, companies, and governments.

The Belgian Presidency’s latest compromise text has sought to find consensus by proposing that:
- Client-side scanning only be applied to visual content (photos and videos) and URLs; and
- Users of communication services would need to give their consent to scanning, otherwise they would not be permitted to upload or share photos and videos using the service.

In today’s digital societies, the exchange of photos and videos is a standard activity. If the user has no real choice, feels compelled to consent, or would defacto be barred from the service if they do not consent, then the consent given will not be freely given. Coerced consent is not freely given consent. Moreover, the proposal is unfit for purpose, and can easily be circumvented, simply by embedding photos or videos on a different type of file, like a text document, or a presentation.

We call on Ministers in the Council of the EU to reject all scanning proposals that are inconsistent with the principle of end-to-end encryption, including client-side scanning and upload moderation, and to guarantee the protection of digital rights throughout the proposal. These intrusive techniques would only jeopardize the security and the rights of Internet users.

Any questions in relation to this statement can be directed to the Global Encryption Coalition Steering Committee at ge-admin@globalencryption.org.

[1] Global Encryption Coalition, 27 May 2024, www.globalencryption.org/
[2] “Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL Laying down Rules to Prevent and Combat Child Sexual Abuse.” EUR Lex - Access to European Union Law, 11 May 2022, ec.europa.eu/home-affairs/proposal-regulation-laying-down-rules-prevent-and-combat-child-sexual-abuse_en.
[3] Breyer, Patrick. “Historic Agreement on Child Sexual Abuse Proposal (CSAR): European Parliament Wants to Remove Chat Control and Safeguard Secure Encryption.” Patrick Breyer, 26 Oct. 2023, www.patrick-breyer.de/en/historic-agreement-on-child-sexual-abuse-proposal-csar-european-parliament-wants-to-remove-chat-control-and-safeguard-secure-encryption/.
[4] Meister, Andre. “Internes Protokoll: Belgien Will Nutzer Verpflichten, Chatkontrolle Zuzustimmen.” Netzpolitik.Org, 22 May 2024, netzpolitik.org/2024/internes-protokoll-belgien-will-nutzer-verpflichten-chatkontrolle-zuzustimmen/.
[5] Landau, Susan. “Bugs in Our Pockets: The Risks of Client-Side Scanning.” Tufts University, The Fletcher School, fletcher.tufts.edu/news-events/news/bugs-our-pockets-risks-client-side-scanning. Accessed 27 May 2024.
[6] Hooda, Ashish, et al. “Experimental Analyses of the Physical Surveillance Risks in Client-Side Content Scanning.” NDSS Symposium, 12 Mar. 2024, www.ndss-symposium.org/ndss-paper/experimental-analyses-of-the-physical-surveillance-risks-in-client-side-content-scanning/.