1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites
PoliticsEurope

EU plan to combat online child abuse sparks privacy concern

October 2, 2024

The EU may soon require platforms like WhatsApp and Signal to scan messages for child sexual abuse material. Supporters say this is vital to protect children, but critics argue it's ineffective and compromises privacy.

https://p.dw.com/p/4lKz5
Symbolbild Cyber crime
Image: Tim Goode/empics/picture alliance

Could well-intentioned efforts to combat child sexual abuse pave the way for unprecedented surveillance in the European Union?  

That is the question at the heart of a heated debate over a draft law that could be adopted during a meeting of EU ministers on October 10.  

The law would require services such as WhatsApp, iMessage or Signal to automatically scan messages sent in the EU for potential child sexual abuse material and flag suspicious content to authorities.  

Using AI to uncover cyber groomers

Supporters say the law is urgently needed to counter a surge in child sexual abuse material and to protect the most vulnerable members of society.  

However, opponents say the measures, which they have dubbed "chat control," are ineffective, prone to error and could violate EU citizens' fundamental right to privacy. 

"Of course we as a society agree on the importance of fighting such content," said Anja Lehmann, a professor of cryptography at the Hasso Plattner Institute in Potsdam. "But there is no reliable evidence that the proposed measures would do this effectively." 

Anja Lehmann, in a studio setting, smiling into the camera
Cybersecurity expert Anja Lehmann is among hundreds of researchers opposing the billImage: privat

Lehmann is one of 344 researchers from 34 countries who are signatories to an open letter warning that the new law would effectively spell the end of secure end-to-end encryption and could pave the way for mass surveillance. 

"The fight against such crimes seems once again to be used as a pretext for an attack on secure encryption of online communications," Lehmann told DW. 

Consitutional concerns 

Legal experts share the concerns raised by the researchers. 

"This law would represent a significant encroachment on fundamental rights, that's undisputed among legal professionals," said André Haug, vice president of the German Federal Bar, an umbrella organization representing approximately 166,000 lawyers. 

The law has been controversial since it was first introduced in 2022. Two earlier drafts were blocked by opponents because of privacy concerns.  

Cyber grooming - criminals home in on children

While the latest version, drafted by the Hungarian EU presidency, makes some minor changes, it "does not solve the core problem," Haug told DW. 

The law would still violate the right to protection of communications and personal data, as outlined in Articles 7 and 8 of the EU Charter of Fundamental Rights, he said. 

"This is particularly worrying in sensitive areas such as communications between lawyers and clients or doctors and patients," Haug added. 

Screening content before it is encrypted 

The proposal does not specify how exactly providers like WhatsApp, iMessage or Signal would be required to screen content on their apps. 

But experts say the only feasible method is what's known as "client-side scanning," a process in which messages are checked against an anonymized database of child sexual abuse material or instances of "grooming" — attempts by potential predators to build emotional bonds with minors for abusive purposes — before being encrypted. 

The display of an iPhone, showing messaging app Signal
On services that offer end-to-end encryption, like Signal, only senders and recipients can see the messages and pictures they send each other.Image: Janosch Delcker/DW

Although the regulation claims that this approach would respect end-to-end encryption, in practice it does not, argued cryptography professor Lehmann, offering an analogy to traditional letters. 

"The state may not be opening people's letters," she said, "but it's effectively looking over their shoulders while they're writing them to see what's in them." 

False positives and 'mission creep''

Technology experts also say that AI-powered scanning technology is immature and will result in a high rate of false positives. 

They caution that criminals could exploit the scanning system in large-scale attacks, undermining device security. 

The screen of a desktop, displaying computer code
Opponents of the proposed measures say they aren't safe and won't workImage: Silas Stein/IMAGO

And they warn of what they call "mission creep:" As soon as the technology is in place, it could be expanded to monitor content beyond child sexual abuse material. 

"Once we open that door, we create an infrastructure that could potentially lead us into a surveillance state," Lehmann said. Anti-democratic regimes, for example, could use client-side scanning to detect content critical of their government, she added.     

Political showdown 

It remains unclear whether EU interior ministers supporting the law will secure the majority needed to pass the bill when they meet on October 10. 

If they succeed, the process would move to closed-door negotiations, where the European Parliament, the European Council, and the European Commission would finalize the details of the legislation. 

Should opponents like Germany gather enough votes to block the draft, lawmakers would likely return to drafting a new proposal. 

This week, the Netherlands, previously undecided, announced it would not support the draft due to fundamental rights concerns. 

Edited by Rina Goldenberg

Janosch Delcker
Janosch Delcker Janosch Delcker is based in Berlin and covers the intersection of politics and technology.@JanoschDelcker