A cop in every pocket: client-side scanning in the UK and Europe

Author: Nym

Governments are touting client-side scanning as a solution to child abuse material but the solutions are short-sighted and actively dangerous.

We all have our own routine, but, like clockwork, muscle memory usually kicks in as we leave our homes for the day. A tap of the jeans or a fumble in a jacket and those barely audible exhalations, “keys-phone-wallet”. But these banal yet essential items will soon be joined by a decidedly less useful presence that will live, faceless and nameless, on your person: your very own pocket cop with powers that can easily be abused.

This is what the EU and the British government have in store. And it’s looking like both the EU and UK will plough ahead with ‘client-side scanning’, endangering the basic right to private communications.

The encryption-busting legislation in the UK’s Online Safety Bill is proceeding completely against the advice of academia, business, and civil society groups. There is no silver bullet technical solution to prevent harms to children but, as it turns out, client-side scanning is highly prone to errors and will do very little to stop the spread of harmful material online. What this technology will do is decrease security on everyone’s devices.

In response, Apple, Signal and WhatsApp threatened to withdraw services from the UK, bringing to mind repressive regimes where people have to use VPNs in order to access information and services needed in their daily lives.

The proposed laws underscore how easily security in the realm of global digital infrastructures is misunderstood: opening a backdoor to authorities is to open a backdoor full stop, one that can and will be abused. In contrast, stronger privacy ensures stronger security overall, as it prevents profiling, targeting, misinformation and disinformation.

The internet should be a public, safe utility where the government helps to secure our infrastructure rather than forcing it to become less secure. Unfortunately the UK is not alone, and the EU has floated a similar proposal.

Nym stands for privacy by default and always will.

Read on to learn more about client-side scanning, the proposed laws, and where Nym fits in:

Online Safety Bill: What is client-side scanning?

Things were less complicated back in 2003 when CSS either stood for Cascading Style Sheets or Cansei de Ser Sexy. A couple of decades later and we now have ‘client-side scanning’ to contend with, a technology that automatically mines messages for illegal content (the scanning part) on the user’s device (that’s the client-side part).

The long-running saga of the Online Safety Bill has evolved and swelled over the years from the Online Harms whitepaper released in 2019. Part of the wide-reaching Bill now proposes granting new powers to UK telecoms regulator Ofcom, which would allow the body to mandate tech companies to install CSS on laptops, tablets, and smartphones, effectively creating a backdoor into each device should the regulator use its powers.

When a user uploads an image on their smartphone, client-side scanning software compares it against a database of prohibited content. This database doesn’t actually contain images but something called neural hashes — a bit like digital fingerprints, as the Open Rights Group explains — and if there’s a match, the system removes or reports the upload to authorities.

While the system of encryption itself is not tampered with, the Open Rights Group notes that it does break the premise of encryption that communications shouldn’t be interfered with.

“The scale of the deployment means this is a mass surveillance tool,” said the Open Rights Group. “It would be on every smartphone in the country, operating 24/7, checking for matches against all of our content. It is a vastly disproportionate measure, and given the uncertainties around the technology, should be approached by policy-makers with caution.”

With the ever-increasing sophistication of cyber crime gangs, many of which have their own HR departments and complicated tech stacks, the criminals the Bill claims to target will continue to exist and grow more savvy in their evasion capabilities, but the rights of ordinary people will be severely eroded.

In addition to the disregard for the rights of citizens there are operational difficulties with implementing the technology. Quite an obvious problem is creating the technology to actually match hashes accurately and differentiate between illegal content and everyday communications.

In fact, researchers have already demonstrated weaknesses in Apple’s NeuralHash scanning technology, which checks an image’s hash against the hashes of known Child Sexual Abuse Material. By using machine-learning algorithms to add ‘adversarial noise’ to an image, its hash can be changed dramatically while the image still looks essentially the same. Or, through a ‘hash collision’, it’s possible to create entirely new images with this ‘noise’ that register the same hash as the original image, tricking the scanning technology.
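The matching step described above, and why it produces false matches, as an added example that is not from the original article or from any vendor's code. It uses a toy 64-bit average hash in place of NeuralHash; the images, the blocklist label and the 5-bit threshold are constructed for illustration.

```python
# Toy average hash (aHash) over 8x8 grayscale grids. This is NOT NeuralHash;
# it only illustrates fuzzy hash matching. All images are constructed sample data.

def average_hash(pixels):
    """64-bit hash: a bit is 1 where the pixel is brighter than the image mean."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | (p > mean)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def scan(pixels, blocklist, threshold=5):
    """Return the label of the first listed hash within `threshold` bits, else None."""
    h = average_hash(pixels)
    for label, listed in blocklist.items():
        if hamming(h, listed) <= threshold:
            return label
    return None

def grid(fn):
    """Build an 8x8 image from a function of (row, column)."""
    return [[fn(r, c) for c in range(8)] for r in range(8)]

# The image whose hash is on the list: dark left half, bright right half.
listed_image = grid(lambda r, c: (40 if c < 4 else 190) + 20 * (r % 2))
# The same picture after a contrast/brightness change, as re-encoding might cause.
reencoded = [[round(p * 0.9 + 10) for p in row] for row in listed_image]
# Different pixel content that happens to share the coarse light/dark layout.
unrelated = grid(lambda r, c: (r * c * 7) % 100 if c < 4
                 else 150 + (r * 11 + c * 5) % 100)
# A picture with a different layout: dark top half, bright bottom half.
different = grid(lambda r, c: 30 if r < 4 else 220)

# The database holds hashes only, never the images themselves.
BLOCKLIST = {"entry-1": average_hash(listed_image)}

if __name__ == "__main__":
    for name, img in [("reencoded", reencoded), ("unrelated", unrelated),
                      ("different", different)]:
        print(f"{name:10} {average_hash(img):016x} -> {scan(img, BLOCKLIST)}")
```

The re-encoded copy matches, which is the intended behaviour, but so does the unrelated image: the tolerance that lets a fuzzy hash survive re-encoding is the same property that lets distinct content collide and be reported.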

Online Safety Bill encryption-busting: Can it be stopped?

In the upper chambers of Parliament, members of the House of Lords failed to pass any amendments that would protect the premise of encryption, while one that would force Ofcom to consult with the Information Commissioner’s Office before using its powers also failed. This was the last stage where the Online Safety Bill was likely to face significant challenges or roadblocks in government.

Lord Parkinson introduced an amendment but this was a government proposal. This ‘chickens secure in barn, says fox’ amendment states that Ofcom will have to consult an external ‘skilled person’ before issuing a mandate, but details are thin and fail to address the fundamental security problem of intrusive backdoors on citizens’ devices.

The Online Safety Bill is not far from being enshrined in law. In September, it will go to the ‘third reading’ in the House of Lords, followed by the penultimate stage in the House of Commons before it’s finally put in front of the UK’s brand new King where his signature will make it law (‘Royal Assent’).

Ofcom has said it will only issue a mandate in extreme circumstances, but the history of extraordinary powers suggests that more often than not their use is normalised rather quickly.

Civil society groups will continue to agitate against the Bill but it is unlikely they will have much luck against a government determined to break encryption and an opposition with seemingly little interest in opposing it. Legal action from civil society groups can reasonably be expected should Ofcom try to use its newfound powers.

And if all that wasn’t enough, the UK followed up with new proposed changes to the Investigatory Powers Act (colloquially known as the Snoopers’ Charter) which would allow the government to secretly demand any messaging app security features be disabled without the knowledge of users.

WhatsApp, Apple, and Signal have all threatened to pull their operations from the UK should the encryption-busting sections of the Online Safety Bill be written into law. This would threaten to hobble overnight the social and economic fabric of Britain plus complicate the free flow of data and business communications.

For a country that often boasts of its commitment to the values of free speech and democracy it’s not without some irony that everyday WhatsApp users in the UK could need to connect to VPNs in order to access basic messaging services, just as they would in authoritarian regimes decried by the British government.

If you’re in Britain and want to access basic services like WhatsApp, Signal, and the Apple portfolio, the decentralised NymVPN will be available for you to use securely with a zero-knowledge framework, without having to entrust paid VPN companies to guard against data breaches or tolerate free VPNs selling your data.

EU’ll never walk alone

Sadly, the UK is not a rogue state flying solo in its anti-privacy mission.

Hundreds of experts, academics, and researchers, including Nym Chief Scientist Claudia Diaz, cryptographer at KU Leuven; Nym Advisors Bart Preneel at KU Leuven and Carmela Troncoso of EPFL; and Nym Chief Strategy Officer Jaya Brekke, have warned of the European Union’s plans to introduce CSS too.

Upcoming European Union legislation, the Child Sexual Abuse regulation, aims to stop the spread of child sexual abuse material and the grooming of children online. A worthy cause, but the means to achieve it are misguided: app or online service providers would be empowered to scan messages, pictures, emails, voicemail or any other user activities, as well as introducing client-side scanning to get around encryption on users’ devices.

The experts point out that existing scanning technologies, as well as those on the horizon, are deeply flawed. Client-side scanning will not only be ineffective but actively dangerous when taken in the global context, risking rippling effects that will create wider harms for people online and making the internet more dangerous, not safer.

“It is not feasible or tenable to require private companies to use technologies in ways that we already know cannot be done safely — or even at all,” the letter states. “Given the horrific nature of child sexual abuse, it is understandable, and indeed tempting, to hope that there is a technological intervention that can eradicate it. Yet, looking at the issue holistically, we cannot escape the conclusion that the current proposal is not such an intervention.”

In response, international advocacy group EDRi has published a set of principles that would help defend children in the digital age without compromising the rights of EU citizens.

In its current state, the Child Sexual Abuse regulation would join Britain in setting a global precedent for the filtering of the internet and controlling its access, as well as removing the few tools that are available for people to protect their right to a private life in the digital realm, ultimately creating a chilling effect on society.

As Bart Preneel previously said, the EU has ‘two faces’ — one that’s pro-privacy with regulations like the GDPR, and the other working to undermine privacy with extreme data retention and law enforcement or intelligence-led snooping. The UN has recognised that internet access is essential to freedom of expression, while the UN Declaration of Human Rights states that people have a right to privacy in correspondence. Proposals like the Online Safety Bill and the Child Sexual Abuse regulation would threaten both.

Anti-privacy hell and how to fight it

Governments have historically traded on consumer ignorance and fear, and in an increasingly surveillance-saturated world post-9/11, the mantra that if people had nothing to hide, they had nothing to fear was widely repeated.

Until relatively recently, the internet was seen as a separate realm to our everyday existence. But that’s not true today. Just as we wouldn’t accept government agents leaping from the bushes to pull down our pants for on-the-spot safety inspections, we don’t want them reading all of our private messages or combing through our smartphones for some abstract, unprovable guarantee of security.

Nym cannot solve client-side scanning as the Nym network protects your traffic in transit rather than on the actual device. What Nym can offer for an eventual future with CSS is the powerful NymVPN, to enable continued open access to services and information.

Privacy and openness go hand in hand. Once you compromise privacy, you have started down the slippery slope of repression and control. Make your voice heard and get involved in campaigns to pressure policymakers to protect democratic rights like privacy.

Support the friends of Nym who are organising to protect everyone’s privacy, security, and integrity:
