Chaos Computer Club: Massive criticism of EU chat control plans


The EU Commission is expected to present a draft law on chat control, probably on Wednesday. The goal: in the future, encrypted messenger services would also have to scan user content in order to detect child pornography. The plans have been massively criticized, and they are also considered ineffective.

Chat control is now actually set to come

What the EU Commission is currently planning is known as client-side scanning. As with Apple's plans, messenger and e-mail services are to scan the user's device for child pornography.

Internet services are already allowed to scan content for child pornography fully automatically. So far this is voluntary; with the new regulation it would become mandatory. The corresponding draft law has been postponed several times, but is now due to be published on Wednesday.

Technically, two instruments are provided to enable fully automated monitoring. The first is a comparison of hash values: the image material on the smartphone is checked to see whether its hash values match those of known child pornography material. Child protection organizations operate such databases. There are also plans to use AI processes to recognize child pornography automatically. If the system raises an alert, control bodies or police authorities are to be informed directly.

“Fully automated real-time monitoring”

The plans have been heavily criticized. Patrick Breyer, Member of Parliament for the Pirate Party, speaks of “fully automated real-time monitoring”. The Chaos Computer Club (CCC) calls chat control an “unprecedented surveillance tool” with little prospect of achieving its actual goal.

Both the hash value comparison and the AI recognition are considered error-prone and immature. The problem: if the law comes, it would affect all WhatsApp messages that are sent across the EU. Even the smallest error rates would lead to a large number of false reports.

In addition, chat control is a deep encroachment on fundamental rights because the measure undermines the integrity of the device and of the encryption. It would break the secrecy of correspondence and telecommunications. What would be lost is basic trust in the device. Moreover, it is currently unclear who defines and controls the databases and algorithms.

Such an opaque system can and will be easily extended after its introduction. It is already foreseeable today that the rights exploitation industry will be just as interested in the system as anti-democratic governments.

Chaos Computer Club

A more targeted approach in the fight against child pornography

What the CCC is calling for as a more effective measure is sufficient police capacity to have child pornography deleted. The problems are illustrated by research by NDR and Spiegel from November. According to that research, investigators had shut down the pedo-criminal platform “Boystown” and arrested the operator. However, photos and content were still available online. The reason: the platform was accessible via the Darknet, but the volumes of data were so large that the operators stored them with normal hosting providers, albeit encrypted and made unrecognizable. While the respective providers did not know what content was stored on their servers, the corresponding links were distributed via the Darknet platforms.

According to the research, many of these links still worked months after Boystown was shut down and continued to be distributed in the relevant forums. However, the police did not pursue the content itself because the BKA takes a perpetrator-oriented approach. “We try to get the users. We don't collect any links,” said Hans-Joachim Leon, who heads the “Violent and Sexual Offenses” group at the Federal Criminal Police Office.

However, NDR journalists managed to have a large amount of content deleted with little effort. In one of the largest forums for pedophile content, journalists collected around 80,000 links, which they reported to the respective hosting providers. Both domestic and foreign providers then removed the content within a period of hours to a maximum of two days.

The German Child Protection Association also rejects the plans

The German Child Protection Association also considers the interference with encrypted communication to be unnecessary. Scanning private messages from messenger services or e-mails without cause would be neither proportionate nor expedient, says board member Joachim Türk according to a report by Bayerischer Rundfunk. This is because such material is shared not via messenger services but via forums and platforms. The EU Commission must take this into account.

The CCC therefore also explains that chat control is aimed at distribution channels that criminals do not use anyway. Together with the technical weaknesses, this means its use cannot be justified. “Chat control is to be rejected as a fundamentally misguided technology,” says the statement.

What the EU Commission is presenting on Wednesday is a draft of the law. The Council of the EU and the EU Parliament would then have to discuss and approve it.