EU Commissioner Johansson has declared that, although the legislation aiming to crack down on child sex abuse “remains controversial as it would force technology companies including Facebook to report cases of abuse to authorities,” she is “happy [to] fight” to ensure the legislation passes, saying it remained her “highest priority”.

The signed open letter was sent to members of the European Commission on the 28th of April 2022.

Signatories collected before and after the 28th of April 2022 appear below.

To the Members of the European Commission / Parliament, et al

28th of April, 2022

Open letter and statement of support from business entities, industry associations, IT professionals, privacy, data protection, cyber security, and other experts operating across Europe and Globally

As business entities, industry associations, IT professionals, privacy, data protection, cyber security, and other experts operating across Europe and globally, we are joining together to reaffirm the call from civil society organisations to ensure the full protection of fundamental rights and freedoms in the upcoming EU Legislation to effectively tackle child abuse.

The 2021 EU short-term ePrivacy derogation allowed a number of independent interpersonal communications providers to scan private messages for child sexual abuse material (CSAM); however, the upcoming EU proposal to replace the ePrivacy derogation would compel all providers to scan all private communications for the purpose of detecting CSAM.

Generalised detection practices can threaten the rights to privacy and data protection of all users of a service. Last year, experts around the world highlighted how Apple’s plans for monitoring all photos on Apple devices, as well as iMessage accounts belonging to children, risked “setting a precedent where our personal devices become a radical new tool for invasive surveillance, with little oversight to prevent eventual abuse and unreasonable expansion of the scope of surveillance.”

Fortunately, Apple recognised the significant risks their plans would create. After agreeing with critics from around the world, Apple shelved the plan.

Cybersecurity experts across the globe have detailed how client-side scanning methods like the one proposed by Apple create “serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic.”

Other techniques for protecting private data — such as Steganography — easily allow malicious actors to evade PhotoDNA and other detection systems, rendering their use ineffective and security assurances misleading. Furthermore, independent statistics on the accuracy and reliability of these tools are seriously lacking, while legislative changes to break Encryption have been widely criticised, including by a United Nations Special Rapporteur and an Australian Federal Police Commander.

The privatisation of law enforcement responsibilities to investigate and report the sharing of CSAM will not make the internet safer for young people. It will, however, eliminate private environments that are vital for free expression and democracy.

Providers compelled to scan for CSAM might be forced to use inaccurate or experimental tools that create additional cyber security risks, weaken or undermine encryption, and facilitate significant harm. Similarly, mandatory routine examination would compromise the vital private communication services that providers offer their users, leading to a wide range of serious risks and harms, undermining trust in these services (regardless of whether the provider offers encrypted or unencrypted messaging services).

CSAM detection technologies disrupt Cryptography and/or Steganography, and will also impede national security, individuals, business entities, governments, domestic and international security agencies, as computing power increases — yet it will be unable to detect radical, hateful, or child sexual abuse material concealed by Cryptography and/or Steganography, or other techniques. Modern-day encryption methods like Cryptography and Steganography are used by individuals, business entities, governments, domestic and international security agencies to prevent the harvesting of sensitive data by domestic and foreign adversaries.

Client-side content-scanning technologies capture, store, and classify steganographic images in ways that allow adversaries to exploit the images and potentially gain access to the embedded data — making it easy for adversaries to expose the sensitive data and jeopardise the privacy of individuals, governments, and business entities.

In effect, the use of client-side scanning would enable adversarial actors to break encryption. As the EU Agency for Cybersecurity, ENISA, asserts:

“If you encrypt data that needs to be kept confidential for more than 10 years and an attacker could gain access to the cipher text, you need to take action now to protect your data. Otherwise, security will be compromised as soon as the attacker also gets access to a large quantum computer.”

Similar warnings are made by authorities including the US White House and Department for Homeland Security, the United Nations International Telecommunications Union Telecommunication Standardisation Sector (ITU-T) and many other cyber security experts who specialise in Post-Quantum Cryptography / Steganography solutions.

* Cryptography
  * Symmetric Ciphers: Encrypting any data type
    * OpenSSL: AES 128 – 256 Bit Keys
    * QRCrypto: eAES(R) 256 – 1024 Bit Keys
    * FooCrypt <= 200 layers of Symmetric Ciphers per run time
* Steganography: Embedding any data type
  * FooSteg
    * <= Infinity Bit Strength, In-Situ and/or In Transit
    * Quantum+ Secure / Proof

Commissioner for Home Affairs Ylva Johansson, who is responsible for this legislation to effectively tackle child abuse, assured Members of the European Parliament (MEPs) on the 9th of March, 2022, that:

“I would finally like to recall again the commitment made by the Commission to consider solutions that would not prohibit or generally weaken encryption. The Commission is not considering proposing any mechanisms or solutions in its proposal that will break this commitment.”

The EU and its allies must avoid introducing mandatory detection requirements that, by necessity and definition, threaten Cryptography and Steganography, thereby undermining all users' privacy and data protection rights.

Encryption is vital in modern societies for protecting individuals, industries and governmental security and privacy. Many of the scanning methods that service providers will be compelled to use under the new legislation will break Commissioner Johansson’s commitment not to undermine encryption — and instead will threaten the fundamental core of encryption.

The undersigned business entities, industry associations, IT professionals, privacy, data protection, cyber security, and other experts operating across Europe and globally welcome the legal certainty that can be provided by the legislation to effectively tackle child abuse, and;

  • We urge the European Commission to ensure that imposed obligations are genuinely proportionate, closely targeted, and protect the sanctity of privacy and of private communications as a fundamental tenet of all democratic societies, and;
  • We affirm that it would be appropriate for the European Union to reconsider its technical solutions, due to their significant and profoundly negative impacts on current Cryptography and Steganography solutions, and;
  • We urge the European Commission to recognise the critical importance of Cryptography and Steganography in protecting the privacy of individuals, entities and governments, not only for today, but also in the Post Quantum Era.

Signed, [ To be added via web form below signatures, Summarised and listed below ] [ Submission to the European Commission, MEP’s, Media, et al ] [ With ongoing perpetual updates of signatures via a web page ]