Signal president Meredith Whittaker criticizes EU attempts to tackle child abuse material

Meredith Whittaker — president of the Signal Foundation, which operates the end-to-end encrypted (E2EE) messaging app of the same name — criticized on Monday the latest European Union proposals for requiring messaging services to check if users were sharing child abuse material.

Her complaint follows the publication of an internal document from the European Council — the EU body that sets the bloc’s political direction — revealing its position as of the end of May on a proposed regulation to “prevent and combat child sexual abuse.”

The EU document, which was published online by civil society groups, is not now the latest version of the Council’s negotiating position. Once a final position is agreed, potentially as early as this week, it will then be published and further negotiations between the Council and the newly elected European Parliament will begin.

According to the publicly available version, the Council acknowledges that E2EE is “a necessary means of protecting fundamental rights” but warns that services using it must not “inadvertently become secure zones where child sexual abuse material can be shared or disseminated without possible consequences.”

It proposes: “Therefore, child sexual abuse material should remain detectable in all interpersonal communications services through the application of vetted technologies, when uploaded, under the condition that the users give their explicit consent under the provider’s terms and conditions for a specific functionality being applied to such detection in the respective service.”

Users who don’t give their consent to this so-called “upload moderation” should “still be able to use that part of the service that does not involve the sending of visual content and URLs,” states the document.

The document does not prescribe specific technologies, such as the hash-based client-side scanning proposed by Apple that was rescinded following civil society complaints and criticisms from some of the world’s most respected information security experts in a paper titled Bugs in Our Pockets.

E2EE messaging “providers are free to design and implement, in accordance with Union law, measures based on their existing practices to detect online child sexual abuse in their services,” the Council’s negotiating document states.

Despite this, Signal’s Whittaker argues: “There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe.”

Similar legislation has been passed in the United Kingdom, where the Online Safety Act includes a provision that could require messaging platforms to use “accredited technology” to identify child abuse content if notified to do so by the communications regulator. Currently no such technology has been accredited.

Whittaker dismissed the possibility of finding a technological solution to the problem: “Whether this happens via tampering with, for instance, an encryption algorithm’s random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they’re encrypted […] each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states, removing the protection of unbreakable math and putting in its place a high-value vulnerability.”

📣Official statement: the new EU chat controls proposal for mass scanning is the same old surveillance with new branding.

Whether you call it a backdoor, a front door, or “upload moderation” it undermines encryption & creates significant vulnerabilitieshttps://t.co/g0xNNKqquA pic.twitter.com/3L1hqbBRgq

— Meredith Whittaker (@mer__edith) June 17, 2024