Researchers call for UK, EU to heed scientific evaluation of client-side scanning proposals
Scientists and researchers are criticizing both the United Kingdom’s and European Union’s proposals that could allow national authorities to mandate the use of client-side scanning technologies on encrypted messaging apps.
Experts from the U.K.’s National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online (REPHRAIN) this week called on politicians in Britain “to consider independent scientific evaluation before voting through the online safety bill,” which is currently sitting with the U.K.’s House of Lords for scrutiny.
Their calls were echoed by more than 300 signatories to a joint statement sent to the European Council and Parliament warning that the EU’s proposed Child Sexual Abuse Regulation risks both failing to protect children and introducing new potential for harms.
Both the British and European laws include similar provisions obliging technology companies to identify illegal content being distributed over their platforms — such as images of child sexual abuse — a process that is today largely done on a voluntary basis.
However, for companies that allow users to communicate using end-to-end encryption (E2EE), there is no way to identify the content of encrypted messages as they transit through the companies’ infrastructure.
The proposed solutions for these companies have tended toward the deployment of client-side scanning systems that would sit on an individual user’s device and monitor their content before it is transmitted.
In particular, the REPHRAIN researchers called for the government to “study the independent scientific evaluation of the tools proposed to undertake such scanning as part of the Government’s Safety Tech Challenge Fund,” an evaluation that REPHRAIN had been commissioned to conduct.
The independent evaluation concluded “although none of the tools propose to weaken or break the E2EE protocol, the confidentiality of the E2EE service users’ communications cannot be guaranteed when all content intended to be sent privately within the E2EE service is monitored pre-encryption.”
The academics who wrote to European lawmakers said: “Unfortunately, the scanning technologies that currently exist and that are on the horizon are deeply flawed.”
The technical complaints they list — that the systems could produce false negatives and positives — were among those highlighted by 14 of the world’s most respected information security experts in a paper titled “Bugs in Our Pockets.”
“We have serious reservations whether the technologies imposed by the regulation would be effective: perpetrators would be aware of such technologies and would move to new techniques, services and platforms to exchange CSAM information while evading detection,” the academics write.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.