EU's Proposed CSAM Bill Poses Hacking Risks
Hackers Would Exploit Client-Side Scanning, LIBE Committee Hears
Members of a European Parliament committee heard Thursday an assessment warning them that a bill intended to fight child sexual abuse material would instead weaken online security.
The Child Sexual Abuse Material proposal unveiled by the European Commission in May 2022 faces a barrage of opposition from industry and civil liberty groups concerned that its mandate for digital communication services such as instant messenger apps to scan for CSAM is incompatible with end-to-end encryption.
Bart Preneel, a cryptography professor at Catholic University of Leuven in Belgium,
"The only way you could actually detect CSAM would be by scanning on the device of the user. You would have to insert additional software in the user device, and such a software will create new vulnerabilities that are open to attack and abuse," he said.
Scanning communications would violate a right to confidential communications while client-side scanning "violates the essence of the right of protection for personal data in the form of data security," said Niovi Vavoula, a professor at Queen Mary University in the United Kingdom and an assessment co-author.
The independent assessment mirrors objections raised by the European Data Protection Board and European Data Protection Supervisor in a July 2022 report.
European tech associations have also
During the hearing, Oliver Onidi, European Commission deputy director general of the Directorate-General for Migration and Home Affairs, defended the proposal. Addressing end-to-end encryption, Onidi said that "the proposal doesn't mandate any prescribed solution on this. It is just important that a proposal will sustain the development over time, remains technologically neutral and indeed if there is any risk that this would lead to diminishing the level of protection of privacy communication, I'm fully with you to reinforce a number of provisions in the proposal in order to ensure that the coordinated work of the different actors in the chain who will ultimately vet the type of technology that would be active in an end-to-end encryption environment would actually not impede on the quality and the significant continuous improvement of private communications."