"There is no prosecution at any cost."

Germany opposes client-side scanning planned by EU - it would create an unprecedented surveillance monster that violates fundamental rights.

2023-03-02

Client-side scanning would effectively undermine the most important digital protection tool - because compromised encryption is not, in effect, encryption.

On March 1, the German Parliament held a hearing in the Digital Committee on the EU Commission's draft law for client-side scanning to fight child sexual abuse online, also named 'chat control'. IT experts, civil libertarians, law enforcement officials and even child protectors agree: the EU's proposal does not protect children, but poses major risks to fundamental rights.

Germany against EU client-side scanning

While the UK is trying to undermine encryption with the Online Safety Bill, in Germany, the reservations against breaking up encryption to allow client-side scanning are very high.

This has been proven once again during the German Parliament's Digital Committee hearing on March 1st. While the German Parliament, however, does not have a say on the EU Commission's proposal to fight child sexual abuse material (CSAM) online, the results of this hearing have been overwhelming:

All experts, including child protector organizations, agree that the EU proposal for client-side scanning goes too far and that it would undermine fundamental human rights protected by the EU Constitution.

So, what's the point of passing a law that will be overturned again by the European Court of Justice (ECJ)?

While the German Parliament itself is not directly involved with the EU Commission's proposal to make client-side scanning of encrypted communication mandatory for online services, the hearing was still a great success for digital rights groups and privacy activists.

The draft law itself is being negotiated between the EU Commission, the European Parliament and the member states in the Council of Ministers. In this context, the German government can have a deciding influence in the Council of Ministers.

And, to the very least, the German government wants the removal of client-side scanning, i.e. the examination of communications content on end devices, from the proposal.

It has historical reasons that Germany wants to become the encryption site number one.

Read here how the EU Commission lies to push for CSAM scanning.

What is the EU draft about

The EU Commission's draft law to fight child sexual abuse online, also named Chat control in Germany, wants to stop and prevent the sharing of sexual abuse material (CSAM) online.

The EU proposal covers three types of sexualized abuse, such as depictions of abuse, previously unknown material, but also so-called grooming, i.e. targeted contact with minors with the intention of abuse.

The draft law is currently in the European process of becoming a law. If passed in its current form, it would force online service providers to scan all chat messages, emails, file upload, chats during games, video conferences etc. for child sexual abuse material. This would undermine everybody's right to privacy and weaken the level of security online for all EU citizens.

No prosecution at any cost

The EU's plans for client-side scanning would weaken encryption. This becomes a real threat to everyone depending on privacy like activists and whistleblowers.

During the hearing, one major voice came from Senior Public Prosecutor Markus Hartmann, Head of the Central and Contact Point Cybercrime North Rhine-Westphalia (ZAC NRW):

"There is no prosecution at any cost." The state would also not place a camera in every bedroom.

Hartmann warned against weakening end-to-end encryption through client-based content scanning. "By doing so, the commission is in effect undermining the most important digital protection tool," the investigator said, "because compromised encryption is not encryption in the end." Even if two suspects were communicating in encrypted form, it was enough for investigators to identify one of them "in some other way and find intelligence from him or her on the scene, he said. The much-publicized "going dark" scenario is "a bit overblown." The draft as a whole is disproportionate and "not conducive to law enforcement."

The problem with AI supported client-side scanning is also its high error rate. 10-20 per cent of mistakenly flagged content is to be expected.

Martin Steinebach of the Fraunhofer Institute for Secure Information Technology (SIT) explained: "These error rates, which are to be expected, mean that many millions of pieces of content have to be checked manually."

This is an intolerable invasion of privacy for millions of innocent EU citizens. In addition, there is the question of how this can be managed on a daily basis, given that law enforcement have a limited number of personnel.

Why client-side scanning isn't the answer

Experts criticize EU proposal because client-side scanning is not the answer to protect the children. The measure goes way too far, it harms freedom of speech and the right to privacy, and there are better ways to protect the children and catch criminals than general surveillance of the whole population.

The spokeswoman Elina Eickstädt of the Chaos Computer Club says:

"What we are getting is the blueprint for a surveillance structure that is unprecedented." The draft is based on a "gross overestimation of the capabilities of technologies," especially with regard to the recognition of unknown material.

The Chaos Computer Club (CCC) is a German organization of IT experts and people interested in digital technologies, who are known for fighting for a better digital world, better security and the right to privacy. The Club regularly points out better options for digital policies and also scrutinizes software for security weaknesses. For instance, the CCC has published a formulation aid for the coalition agreement in 2021. The German government used large parts of the CCC's formulations when drafting their coalition agreement, which now includes the "right to encryption" - a huge success for the digital rights activists.

Even the German Kinderschutzbund rejects the EU proposal. Confidential communication is "a pillar of free expression and thus of democracy," said board member Joachim Türk. Children should grow up free of fear, without the worry of surveillance. Thus, "it impossible for us to accept warrantless chat control as an option." In view of the enormous dark field in the close range of child abuse via family, associations, relatives or babysitters, prevention, close observation and research are more important than automated Ai-based filters.

Felix Reda of the Society for Civil Liberties said: "The damage to everyone's privacy would be immense." He added that warrantless surveillance violates the essence of the right to privacy and thus cannot be justified by any fundamental rights balancing. Images of consensual sexting could also end up on the desks of EU officials and law enforcement agencies.

Conclusion

There has rarely been a law proposed by the EU Commission that has met with such unison rejection from experts. It is time for the EU Commission to stop pushing for undermining encryption and start respecting its citizens' right to privacy.

In the current debate, there is a ray of hope: With resistance in Germany, Ireland, Austria and the Netherlands to the EU proposal, a blocking minority is within reach.

Author

Black and white picture of Hanna being shocked a bit.

Hanna is part of the Tuta team since the launch of the secure email client Tutanota in 2014. Over the years she has become an expert in explaining cryptography to the average internet user, making sure that everyone understands why privacy matters and how encryption helps to protect ones data on the web.