Strengthening the Internet 13 December 2023

Client-Side Scanning

What It Is and Why It Threatens Trustworthy, Private Communication

The European Parliament is currently reviewing the “proposal for a regulation laying down the rules to prevent and combat child sexual abuse” (CSA proposal). Some of the discussions have focused on end-to-end encryption as well as the use of “client-side scanning” technologies. The Internet Society seeks to contribute to this debate as the use of client-side scanning would undermine the trust assumptions promised by end-to-end encryption, putting the security and privacy of European Internet users at risk.

The Internet Society makes the following recommendations based on the European Commission’s proposal:

  1. That the European Committee introduce safeguards for end-to-end encryption.
  2. That the European Committee prohibit the use of scanning technologies for general monitoring, including client-side scanning.

Client-Side Scanning Undermines the Trust Agreement of End-to-End Encryption

A common misconception is that you can have strong end-to-end encryption (E2EE) while simultaneously employing client-side scanning. This erroneous line of argumentation is based on the technicality that scanning happens before the encryption process begins. While this is true from a formal perspective, the reality is that scanning nullifies the purpose of encryption, creates new security risks, and puts the privacy of Europeans at risk.

What is Client-Side Scanning?

Client-side scanning (CSS) broadly refers to systems that scan message contents—i.e., text, images, videos, files—for matches or similarities to a database of objectionable content before the message is sent to the intended recipient.

What Are the Risks of Client-Side Scanning?

Major platform providers have increasingly implemented E2EE for their users to improve security, privacy, and trust. Simultaneously, law enforcement agencies increasingly seek access to message content to prevent the sharing of objectionable content.

Companies that offer CSS technologies are positioning themselves as a solution. They claim to offer a technology that does not break or otherwise compromise encryption. However,

Furthermore, as the EDPB-EDPS Joint Opinion explains, CSS “can be easily circumvented by encrypting the content with the help of a separate application”. This means that these techniques open the door to a disproportionate measure, putting every citizen at risk, without providing any real solution to the problem.

E2EE is an essential tool to ensure secure and confidential communications. CSS defeats the purpose of E2EE and fundamentally breaches the confidentiality that users expect when using E2EE communications tools. This breach in trust:

  • Presents a serious risk to fundamental rights, as expressed in the EDPB-EDPS Joint Opinion.
  • Reduces trust in the Internet ecosystem. Loss of trust is harmful to a digital economy and could derail EU ambitions for the Digital Decade.
  • Undermines security of communications and online services, as identified by the Irish Parliament Joint Committee on Justice.

Conclusion

Proponents of client-side scanning point to this technology as a solution for identifying objectionable content in E2EE environments. However, this document has explained how CSS violates the trust agreement of E2EE and the dangers it presents. For additional information about how CSS works, and its inherent flaws, the Internet Society’s Fact Sheet on Client-Side Scanning can serve as a resource for detailed policy discussions. Our information about what encryption is and how it contributes to security and privacy may also be a valuable resource.
