Private communication still at risk due to planned EU regulation

The Council of European Professional Informatics Societies (CEPIS) calls on the EU member state governments to oppose the EU Council on the Child Abuse Regulation because it still harbours the risk of mass surveillance of private communications, and there are much more effective measures for effective and targeted child protection.

The planned EU regulation on preventing and combating child sexual abuse (CSA) still provides for client-side scanning, as current working documents from the Council of the European Union (WK 6697/2024 INIT and 9093/24 show. This undermines effective end-to-end encryption and harbours the considerable risk of mass surveillance of private communications. CEPIS has repeatedly criticised this since the beginning of the proposal (e.g., through its open letter in October 2022).

CEPIS, therefore, calls on the EU Governments and the European Council to reject the CSA Regulation in its current form.

Luis Fernandez-Sanz, CEPIS President, said: “The new proposal from the EU Presidency does not bring any substantial improvement with regard to the points of criticism.  In particular, the authorisation to monitor the private communications of all citizens in the EU will be retained. We, therefore, uphold our criticism and call on all EU governments to oppose the initiative.”

Kai Rannenberg, CEPIS Deputy President and Chair of the CEPIS Legal and Security Issues expert group, added: “It seems like new proposals and variants of the client-side-scanning approach, such as upload moderation, are coming up very quickly, possibly faster than one can react on individually. Therefore, it may be useful to state that any provision that enables the indiscriminate surveillance or scanning of the communication of people who are just communicating using the latest means and, ideally, the latest protection measures, is not helpful. Instead, it undermines trust in communication, including the communication of vulnerable groups. There is no technology that enables the scanning of messages without breaking their protection and exposing the messages to additional threats. Most of such scanning methods are also breaking the integrity of the respective communication technology.”

Together with other civil society organisations and experts, CEPIS is extremely critical of three points in particular:

  1. Although the new proposal from the EU Presidency contains some passages according to which providers should not be forced to not use encryption or to decrypt customer data (Art. 1, para. 5), there are still general clauses which ask for the monitoring and scanning of the data once decrypted in the in terminals (client-side scanning). Thus, secure end-to-end encryption would still not be feasible, since the providers would still be obliged to install a spying and monitoring function (Art. 10, para. 1 and Art. 50, para. 1a). At the same time, the ban on circumventing encryption has been removed (in Art. 1, para. 5 by deleting the term ‘circumvention’).
  2. The differentiation between “high-risk” services and other services does not help to protect legitimate communications because all services that are protected by end-to-end encryption are potentially categorised as high-risk services (see Chapter 2.b of WK-3036-REV-2).
    In any case, the choice of a service used is no justification for general monitoring of innocent users without cause.
  3. The fact that chats are only reported after two indications by the (extremely unreliable) image recognition algorithms does not help against unfounded alarms, as falsely reported beach photos or the consensual exchange of adult-content images or videos (‘sexting’) rarely involve just single images.
  4. There is now a so called “upload-moderation” approach (Articles 10 (Clause 4 aa) and Recital 26a). “Upload moderation” would force users of apps and services with chat functions to accept the indiscriminate scanning and possibly reporting of their privately shared images, photos and videos, or they would be blocked from sending or receiving images, photos, videos and links. Obviously this is a major reduction of the protection of personal communication. So the “upload moderation” cannot be considered as an adequate compromise that would make this scanning acceptable.

As a result, CEPIS concludes that the new proposal by the EU presidency does not bring any substantial changes to the central points of criticism. In particular, the authorisation to monitor the private communications of innocent citizens without cause will be retained. CEPIS, therefore, reiterates its criticism and calls on the European Government to uphold fundamental and human rights and to reject the current draft of the CSA Regulation. Instead, CEPIS would like to see effective and targeted child protection, as demanded by numerous experts and civil rights and child protection organisations.


Why not keep up to date with all our latest news and events?