Date: 2023-10-17

Sexist violence is one of the great scourges of society. But would we be willing to have a security camera recording 24 hours a day in every room in the country to eradicate it? Brussels proposes a similar dilemma to combat the digital spread of child pornography. The EU is going to decide in the coming weeks whether to approve a regulation that forces technology companies to review users’ private communications to detect pedophile content. If it goes ahead, it will involve the automatic scanning of every message, photo, video, post or email exchanged on European soil whenever there is suspicion that it contains illegal material.

Some, like Apple, have reservations about this initiative because they consider defending user privacy a priority. That position has earned the company a campaign against it in the United States, where, as in the UK, a regulation similar to the European one is being discussed. The company prefers not to comment on the campaign or the regulations.

Hundreds of academics and engineers and non-profit organizations such as Reporters Without Borders, as well as the Council of Europe, believe that the regulations would mean sacrificing confidentiality on the Internet, and that this price is unaffordable for democracies. The European Data Protection Supervisor, who is preparing a statement on this for the end of October, has said that “it could become the basis for the de facto widespread and indiscriminate scanning of all EU communications.” The proposed regulation, known as Chat Control, holds companies that provide communication services responsible for ensuring that reportable material does not circulate. If after undergoing a risk assessment it is determined that they are an appropriate channel for pedophiles, they must implement automatic screening.

Behind the billboards and newspaper pages demanding that Apple detect pedophile material in iCloud is reportedly a non-profit organization, Heat Initiative, which has joined the crusade against the encryption of communications (known in the US as the Crypto Wars). This movement has gone from citing the fight against terrorism to hiding behind the spread of child pornography to call for an end to encrypted messages, the last great pocket of privacy left on the internet. “It is significant that the US, the EU and the United Kingdom are simultaneously processing regulations that, in practice, will curtail encrypted communications. It seems like a coordinated effort,” says Diego Naranjo, head of public policies at the digital rights NGO EDRi.

There are other technology companies that do welcome Chat Control. Notable among them is the American Thorn, created by actor and businessman Ashton Kutcher and his then wife, Demi Moore. A recent journalistic investigation has revealed that the Commission has exchanged sensitive information on the progress of the regulation negotiations with the company, which presents itself as an NGO, but carries out important lobbying actions and has commercial interests in the matter. Thorn’s flagship product is software that is based on PhotoDNA, from Microsoft, and is technically supported by AWS, Amazon’s cloud division. The program is designed to detect abuse of minors by cross-referencing the hash values (a kind of alphanumeric license plate) of images and videos uploaded to the internet with a database of millions of known images of child sexual abuse material.

The EU Commissioner for Home Affairs, Ylva Johansson, receives the actor and businessman Ashton Kutcher in Brussels on March 20 of this year.

A delicate balance

“It is incredible that we still do not have regulation in the EU on online child abuse. I feel like a pioneer with this proposal,” said Interior Commissioner Ylva Johansson in a recent interview in this newspaper. “Of course children must be protected, the question is how,” responds Carmela Troncoso, a Spanish researcher at the Federal Polytechnic School of Lausanne and leader of the team of scientists that developed the privacy protocol for Covid tracking applications. “There are two questions to ask about her proposal: first, whether it is really going to protect children, and second, whether it can be done safely. And the answer to both is no.”

“The main problem that this technology poses to citizens is that pedophile content will be detected using automatic artificial intelligence (AI) tools,” says Bart Preneel, professor of cryptography and privacy at the Catholic University of Leuven and author of a technical report for the European Parliament in which he exposes the shortcomings of the system. “Thorn [Kutcher’s communications-scanning company] says that its system gives 10% false positives. Since Europeans exchange billions of messages daily, that means tens of millions of people will be charged every day. Even if they are innocent, their information will be processed and stored by security forces, and if it is leaked, their reputation will be impacted.”

Every time we write a message on platforms such as WhatsApp, Telegram or Signal, that communication is encrypted. Only the recipient has the key to open it. This is what is known as end-to-end encryption, a mechanism that guarantees that no one other than the sender and receiver can access the content. The Chat Control regulations maintain that it is not necessary to end encryption: it would be enough to review the messages on the device itself before sending the content and when it reaches its destination.

“The argument that this technology does not break encryption is based on tremendous technical ignorance,” says Troncoso. “If you look before, even if you don’t touch the algorithm or the key, of course you break the encryption. It is like saying that if someone reads a letter before putting it in the envelope and the envelope arrives closed at its destination, confidentiality is not broken.”

“Companies are forced to break their own encryption to scan messages before they are sent to their recipient. The problem is that there is no way to implement those methods and preserve privacy at the same time. And if you break the encryption, you invite the hackers. There are no backdoors that only the good guys can use,” argues Andy Yen, founder and CEO of Proton, the developer of the Proton Mail encrypted email service. “Chat Control is about combating the serious problem of illegal content by creating another serious problem: ending the right to privacy,” Yen continues. However, a legal report commissioned by community institutions concludes that the regulation under discussion could “lead to permanent de facto surveillance of interpersonal communications”, which is illegal in the EU.

The scanning techniques proposed by the EU are also easy to evade. As Professor Preneel explains, it would be enough to change some bits of the pursued images (those stored in the database against which the communications will be compared) so that the algorithm does not establish a match and the alarms do not sound.

Open negotiations

Brussels has been working for two years on a regulation that allows scanning of private communications to combat the dissemination of pedophile content, which in 2022 alone generated 1.5 million reports from internet companies, covering five million videos and photos as well as grooming activities (when an adult contacts a minor to gain their trust and then engage them in sexual activity). In May last year, the Commission proposed a draft regulation on which the European Parliament and the Council have been working since then.

The intention of the Spanish Presidency of the EU is to approve the regulations before the end of its mandate (December 31), although it is likely that it will not meet that deadline. At the moment, the draft is pending debate in the Public Liberties Committee of the European Parliament (LIBE), which will vote on the text on October 26. “Negotiations between the groups are going well. What we are debating now are the detection orders,” European People’s Party MEP Javier Zarzalejos, rapporteur of the proposed regulation, explains to EL PAÍS. He is referring to when and how internet service providers that have failed to stop the spread of child pornography through other means will be forced to scan communications. “It is the instrument of last resort and greatest intensity in terms of the detection capacity of this type of material. The idea that we are going to be subjected to massive and systematic scanning of our communications is absurd and is not going to happen. It is neither technically possible nor makes any sense,” says the person who was one of the emissaries of former president José María Aznar in 1999 to start talks with ETA.

The document is also being reviewed in the Council, the EU body that brings together representatives of the governments of the 27, which is expected to debate it on October 19. There is no consensus here either. A dozen countries (Germany, Austria, Estonia, Finland, France, Netherlands, Poland, Portugal, Czech Republic and Sweden) oppose the text presented by the Spanish Presidency. Among the main defenders of the proposal are Hungary, Finland and Spain.

As Wired reported in May, citing official sources from the Government of Spain, Madrid’s position is that “it would be desirable to legislatively prevent service providers from implementing end-to-end encryption.” The Ministry of the Interior has denied the veracity of this information to this newspaper.

When the European Parliament and the Council establish their position, it will be time for the so-called trilogues, a negotiation between these two institutions and the Commission that will finish shaping the final document.

Digital solutions for a physical problem?

Another criticism that the regulations face is that they try to solve with technical means something that is not limited to the digital field. “Child abuse is not a technological problem, there is no such thing as online abuse. These crimes are committed in the physical world, they cannot be fixed with technology,” says Troncoso.

The regulation promoted by the Commissioner of the Interior does not contemplate measures such as the reinforcement of mechanisms so that minors can report attacks or social assistance to monitor the family environment and friends, to which the perpetrators of abuse usually belong.

“It is extremely serious that in the proposed regulation there is not a single line of prevention or strategies to socially address sexual abuse. The law uses abuse against children to attack the structure and architecture of the Internet,” says Simona Levy, from the Xnet collective, a fierce critic of Chat Control.

What happens if the regulation ends up coming into force as we know it now? “It would be very bad news. The dichotomy between security and privacy is false. In general, the more privacy, the more security, and not the opposite. Anyone who has lived in a dangerous country has an intuitive knowledge of how privacy is used to protect individuals,” reflects philosopher Carissa Véliz. “When we give up privacy we are losing security and eroding democracy. In a police state in which there was total surveillance it would be impossible to commit a crime, but at what cost?”

