The undersigned organizations, companies, and cybersecurity experts issued the following statement in response to the Regulation on Child Sexual Abuse (CSA) that the European Commission proposed on 11 May 2022:
Child sexual abuse is a serious crime that must be addressed by Member states and by other countries around the world. We are concerned, though, that the approach taken by the Commission in this proposed Regulation would have devastating impacts on the security of communications and on user privacy.
The Commission’s legislation would enable Member States to compel online platforms, including those offering end-to-end encrypted messaging, to scan users’ content and metadata for CSA images and for “grooming” conversations and behavior, and where appropriate, report them to public authorities and delete them from their platforms. Such a requirement is fundamentally incompatible with end-to-end encrypted messaging because platforms that offer such service cannot access communications content. This has been confirmed by experts around the world who produced an analysis of how any form of scanning breaks end-to-end encrypted systems in addition to a detailed report on the multiple ways in which client-side scanning, in particular, “can fail, can be evaded, and can be abused.”
Instead of mandating measures that are inconsistent with end-to-end encryption and would diminish the security of everyone, regulators should incentivize measures that address CSA and protect communications security. Among these measures are facilitating user reporting of CSA material.
Signatories*
AC-LAC (Alianza por el Cifrado en América Latina y el Caribe)
Adam Shostack, Author, Threat Modeling: Designing for Security
Africa Media and Information Technology Initiative (AfriMITI)
Alec Muffett, Security Researcher
Alexander Hanff, Privacy/Security Expert and Survivor of CSA
ARTICLE 19
Associação Portuguesa para a Promoção da Segurança da Informação (AP2SI)
Associação D3 – Defesa dos Direitos Digitais
Bits of Freedom
Blacknight
Calyx Institute
Canadian Civil Liberties Association
Carey Lening, Data Protection Officer and Privacy Advocate, Castlebridge
Centre for Democracy & Technology
CETYS – Centro de Tecnologia y Sociedad de Universidad San Andres
Charly Greaux, GM, GLT2.0
Christopher Parsons, Senior Research Associate, Citizen Lab, Munk School of Global Affairs & Public Policy at the University of Toronto
Collaboration on International ICT Policy for East and Southern Africa (CIPESA)
Committee to Protect Journalists (CPJ)
comun.al, Digital Resilience Lab – Mexico
Council of European Professional Informatics Societies (CEPIS)
Crypto ID
DFRI – Föreningen för digitala fri- och rättigheter
Digital Rights Ireland
Digitale Gesellschaft
Dotzon GmbH
Douwe Korff, Emeritus Professor of International Law, London Metropolitan University
Electronic Frontier Finland (Effi)
Electronic Frontier Foundation
Electronic Privacy Information Center (EPIC)
Elektronisk Forpost Norge (EFN)
Element
Prof. Dr. Elena Andreeva, TU Wien
Encryption Europe
Encrypt Uganda
Epicenter.works – for digital rights
European Digital Rights (EDRi)
EySoft IT Solution
FlokiNET Ltd
Global Partners Digital
Hans Peter Dittler, ISOC.DE
Prof. Dr. LL.M. Indra Spiecker
Internet Society
Internet Society Brazil Chapter
Internet Society Catalan Chapter
Internet Society Ecuador Chapter
Internet Society Finland Chapter
Internet Society Ghana Chapter
Internet Society German Chapter (ISOC.DE e. V.)
Internet Society Netherlands Chapter
Internet Society Portugal Chapter
Internet Society Serbia, Belgrade Chapter
Interpeer gUG
IP.rec – Law and Technology Research Institute of Recife
Iuridicum Remedium (IuRe)
J. Alex Halderman Professor, Computer Science and Engineering, Director, Center for Computer Security and Society, University of Michigan
JCA-NET
Jon Callas, Director of Technology Projects, Electronic Frontier Foundation
Dr. Joseph Kiniry, Principal Scientist, Galois
Julf Helsingius
Prof. Dr. Kai Rannenberg, Chair of Mobile Business & Multilateral Security, Goethe University, Frankfurt
Prof Kapil Goyal, Alumni Fellow, Asia Pacific School of Internet Governance
Kimmo Halunen, Professor, University of Oulu
LAYLO
L Jean Camp, Professor of Computer Science and Informatics, Indiana University
Lorraine Kisselburgh, Purdue University
Luka Modic, Bachelor of Criminal Justice and security, University of Maribor, Faculty of Criminal Justice and Security
Mailfence.com
Assist. Prof. Dr Marko Hölbl, University of Maribor, Faculty of Electrical Engineering and Computer Science
Meta
New America’s Open Technology Institute
Olivier Blazy, Professor, Ecole Polytechnique
Ot van Daale, University of Amsterdam
Pablo Palazzi, Law Professor
Panoptykon Foundation
Privacy & Access Council of Canada
Privacy International
Ranking Digital Rights
Riana Pfefferkorn, Research Scholar, Stanford Internet Observatory
Rich Compton, Principal Engineer
Dr. Roland Bless, Karlsruhe Institute of Technology (KIT)
SFLC.in
Sharon Polsky MAPP, Privacy & Data Protection Specialist, Privacy & Access Council of Canada
Sofía Celi, Cryptography Researcher
Susan Landau, Bridge Professor of Cyber Security and Policy, Tufts University
Sven Dietrich, Professor of Computer Science, City University of New York
Dr. Sven Herpig, Director for International Cybersecurity Policy, Stiftung Neue Verantwortung
Tarah Wheeler, Cyber Fellow, Harvard Kennedy School’s Belfer Center for Science and International Affairs
Tech for Good Asia
Dr. Thorsten Strufe, Professor, KIT/KASTEL Karlsruhe and Centre for Internet CeTI at TU Dresden
Tresorit
Tutanota
University of Bosaso, Somalia
Vladimir Mencl, Senior Software Engineer
Vrijschrift.org
X-Lab
Youth Forum for Social Justice
*Affiliations listed for identification purposes only.