Strengthening the Internet 13 December 2023

Client-Side Scanning

What It Is and Why It Threatens Trustworthy, Private Communication

The European Parliament is currently reviewing the “proposal for a regulation laying down the rules to prevent and combat child sexual abuse” (CSA proposal). Some of the discussions have focused on end-to-end encryption as well as the use of “client-side scanning” technologies. The Internet Society seeks to contribute to this debate as the use of client-side scanning would undermine the trust assumptions promised by end-to-end encryption, putting the security and privacy of European Internet users at risk.

The Internet Society makes the following recommendations based on the European Commission’s proposal:

  1. That the European Committee introduce safeguards for end-to-end encryption.
  2. That the European Committee prohibit the use of scanning technologies for general monitoring, including client-side scanning.

Client-Side Scanning Undermines the Trust Agreement of End-to-End Encryption

A common misconception is that you can have strong end-to-end encryption (E2EE) while simultaneously employing client-side scanning. This erroneous line of argumentation is based on the technicality that scanning happens before the encryption process begins. While this is true from a formal perspective, the reality is that scanning nullifies the purpose of encryption, creates new security risks, and puts the privacy of Europeans at risk.

What is Client-Side Scanning?

Client-side scanning (CSS) broadly refers to systems that scan message contents—i.e., text, images, videos, files—for matches or similarities to a database of objectionable content before the message is sent to the intended recipient.

What Are the Risks of Client-Side Scanning?

Major platform providers have increasingly implemented E2EE for their users to improve security, privacy, and trust. Simultaneously, law enforcement agencies increasingly seek access to message content to prevent the sharing of objectionable content.

Companies that offer CSS technologies are positioning themselves as a solution. They claim to offer a technology that does not break or otherwise compromise encryption. However,

Furthermore, as the EDPB-EDPS Joint Opinion explains, CSS “can be easily circumvented by encrypting the content with the help of a separate application”. This means that these techniques open the door to a disproportionate measure, putting every citizen at risk, without providing any real solution to the problem.

E2EE is an essential tool to ensure secure and confidential communications. CSS defeats the purpose of E2EE and fundamentally breaches the confidentiality that users expect when using E2EE communications tools. This breach in trust:

  • Presents a serious risk to fundamental rights, as expressed in the EDPB-EDPS Joint Opinion.
  • Reduces trust in the Internet ecosystem. Loss of trust is harmful to a digital economy and could derail EU ambitions for the Digital Decade.
  • Undermines security of communications and online services, as identified by the Irish Parliament Joint Committee on Justice.

Conclusion

Proponents of client-side scanning point to this technology as a solution for identifying objectionable content in E2EE environments. However, this document has explained how CSS violates the trust agreement of E2EE and the dangers it presents. For additional information about how CSS works, and its inherent flaws, the Internet Society’s Fact Sheet on Client-Side Scanning can serve as a resource for detailed policy discussions. Our information about what encryption is and how it contributes to security and privacy may also be a valuable resource.
