Bart Preneel

The Belgian presidency has drafted yet another tweaked #chatcontrol proposal. In summary, the proposal remains completely unacceptable.

TLDR: All the problems pointed our in our earlier open letters are still there
https://nce.mpi-sp.org/index.php/s/eqjiKaAw9yYQF87
https://docs.google.com/document/d/13Aeex72MtFBjKhExRTooVMWN9TC-pbH-5LEaAbMF91Y/

a) the risk of abuse of the solution for other applications (including political purposes)
b) the huge number of false positives (no waiting for 2 alerts does not work)
c) the fact that the real targets will use other technologies (e.g. sharing links to encrypted files).
d) chilling effect on teenagers.

Summary of latest proposal:
1) Detection of known CSAM and of new CSAM using AI (2 hits before you are reported) remain fully unacceptable because it just does not work for technical reasons pointed out earlier.
2) Grooming detection in text and audio is abandoned; information is pseudonymized before it is reported (presumably identity of the user is known)
3) User has to give consent before the client side scanning; details are not known but it is unclear what happens if consent is not given – is the message not sent? Why do policy makes believe that popups solve problems (cookies anyone)?

Source (in German):
https://netzpolitik.org/2024/internes-protokoll-belgien-will-nutzer-verpflichten-chatkontrolle-zuzustimmen/

I co-authored a new open letter signed by more than 270 scientists from 33 countries warning for the risks of the modified CSAM (child sexual abuse) regulation proposed by the Belgian presidency.
http://www.csa-scientist-open-letter.org

Two major changes: target detection based on risk and require more than one hit to reduce false positives will not have meaningful impact on protection of fundamental rights.

So-called targeted detection will affect billions of users on widely used apps such as WhatsApp and Signal. Detection of information in content prior to encryption is unreconcilable with the essence of end-to-end encryption. Major risk for abuse by undemocratic regimes. The technology does not achieve its goal for various reasons (insecure perceptual hash functions, huge number of false positives, framing of innocent users, easy to bypass). In addition, it will have a chilling effect on teenagers.

There is no practical and widely deployed solution yet for privacy friendly age verification; not clear that eIDAS 2.0 will solve it given that unlinkability protection in the future digital identity wallet is optional.
Unclear why some governments keep pushing for this rather than focussing on prevention of sexual abuse of children.

Overall lack of transparency in the process and no open engagement with academic community and civil society on the problem. Likely part of the global war on encryption with as main target terrorism, organized crime and (in some countries) political opposition and human rights advocates. But CSAM plays to emotions thus easier to sell to broader public.

@GossiTheDog@cyberplace.social

And vice versa.
A new version of MADness (Mutually Assured Destruction) under development