Client-side scanning or Child Protection? – watch the talk on Youtube

The top item on the digital policy agenda in the European Parliament is the Child Sex Abuse Regulation (CSAR), being proposed by Commissioner Johannson. It will undermine end-to-end encryption by taking power to mandate client-side scanning, not just for illegal images (as Apple proposed last year) but also for text messages. In the name of child safety, a similar power is proposed in Britain’s Online Safety Bill. A paper by GCHQ’s Ian Levy and Crispin Robinson also argues in favor.

In his talk Client-side scanning or Child Protection? at Digitalize in Stockholm 2022, Anderson analyses such proposals in detail. Population-scale text scanning cannot be effective for the claimed purposes, as the level of false alarms would swamp the police. It could also not be legal as it would contravene the European courts’ ban on bulk surveillance without warrant or suspicion.

Crimes of violence against children mostly occur in the family. They are associated with violent crimes against women and with misogyny in general. Both require a different and local response involving police, social workers, teachers, and family members. And the most effective means of detecting abuse online is by making it easier for users to report it. Policymakers should not pretend that client-side scanning will help protect children; they should decide whether they want to protect children or prefer the mass interception of communications.

Ross Anderson is a Professor of Security Engineering at the universities of Cambridge and Edinburgh. He is a Fellow of the Royal Society and the Royal Academy of Engineering and won the Lovelace Medal, Britain’s top award in computing.