Enlarge image
Messenger apps: »The planned regulation does not do justice to the freedom rights that apply in Europe«
Photo: DPA
In the fight against child abuse, the EU Commission intends to introduce a new law on March 30th.
According to everything that is known about it so far, it could oblige providers of operating systems such as Apple and Google as well as app operators such as WhatsApp, Signal and Threema to comb through all their users' chats in advance for signs of abused children.
The law is intended to replace the EU's e-privacy transitional regulation, which has been in force for a year, which has so far relied on voluntary message scans.
However, the exact content of the planned regulation is not yet known.
So far, the Commission has only indicated that it wants to make "relevant online service providers" responsible for recognizing, reporting and removing abuse material.
It remains unclear whether this definition only includes application providers or also operating system providers.
What technology will be used can only be guessed at so far.
Tech companies like Google have been sifting through their offers for suspected cases of child abuse for years.
The hit rate is high: according to Google, it has already identified and reported several million pieces of child abuse content in this way.
Microsoft also scans messages on Outlook, Skype and Xbox.
In the first half of 2021, tens of thousands of pieces of content were filtered out and reported in this way.
Among other things, Facebook checks unencrypted chats in Messenger.
The question is whether encrypted chats will also have to be monitored in the future - before encryption, which is actually supposed to prevent something like this.
»As if the post office would open all letters«
Client-side scanning is a suitable method for checking images or videos: on a user's device, every chat message is first compared offline with a so-called hash database before it is encrypted and sent.
The hash database does not consist of abuse material for direct comparison, but of digital fingerprints (hash values) of illegal content that is already known.
For example, if the hash value of a photo that someone wants to send corresponds to a hash value in the database, it would usually have to be the same motif.
Then the shipment could be prevented and the content reported.
However, new recordings of abuse that are not yet contained in the database would not be discovered in this way.
Apple announced such a system for operating systems in 2021, but postponed it until further notice after fierce protests from experts and civil society.
Now it could still come involuntarily.
There is resistance to this.
Despite the open central questions, almost 40 organizations spoke out in an open letter on Thursday against automated control of chats.
They fear that the law will lead to unsuspecting mass surveillance of all Europeans.
The civil rights activists refer, among other things, to the current communication in Russia and Ukraine.
"As the shocking events of the past three weeks have shown, privacy and security are mutually reinforcing rights," the letter reads.
In times of war, people depend on communicating securely with the media or organizing the protection of their families.
But even in times of peace, being able to communicate without unwarranted intrusion by third parties is crucial for freedom and human rights.
"We urge the Commission to ensure that citizens' private communications do not become collateral damage to forthcoming legislation."
The organizations cite a study that found it impossible to exceptionally grant law enforcement agencies access to messages without criminals and repressive governments exploiting this vulnerability.
The technical infrastructure for prior checking of communication content on every smartphone could therefore become a danger for politicians, journalists and human rights activists.
Patrick Breyer, who represents the Pirate Party in the European Parliament, has sharply criticized the planned regulation, which he believes could be passed within the coming months.
"It's as if the post office opened all letters and police officers searched millions of apartments," says Breyer in an interview with SPIEGEL.
"Already overburdened law enforcement agencies are being unnecessarily burdened with sifting through this million-fold-reported junk."
In his opinion, targeted investigations are more effective in the event of suspected abuse, and the decisive information was usually received from witnesses.
"Chat control doesn't help at all," says Breyer.
"Child porn rings don't exchange information via Facebook Messenger or Gmail." And even if they did, the scanners would hardly be of any use, since they couldn't do anything with a link to encrypted content that was common in the scene.
EU plans its own reporting point for cases of abuse
Reported cases are currently sent to the National Center for Missing and Exploited Children (NCMEC) in the USA - and from there, based on the sender and recipient information, they are forwarded to the authorities in the relevant country.
According to Patrick Breyer, a separate organization should be set up in Europe to examine the cases.
He fears that not only content will be misinterpreted and harmless holiday photos of children on the beach, for example, will be fished out.
The regulation could also affect future EU decisions.
“If the law is passed, it will set a precedent.” The scanners could then also be used to search for other material.
"In countries like Turkey, Russia and China, you would search for completely different material that is interesting for the government."
Even the German Lawyers Association (DAV) does not believe in the preliminary check.
Criminal defense attorney David Albrecht complains, among other things, that not only images in the form of hash values are to be searched through, but also messages in plain text are to be scanned.
"I think that's very questionable," says the lawyer in an interview with SPIEGEL.
The fight against child abuse is important, but legal measures must always be proportionate.
"The planned regulation does not do justice to the freedom rights applicable in Europe" and "is associated with considerable interventions in online communication".
The legal expert assumes that the law will end up before the European Court of Justice (ECJ).
"But of course that will take time," says Albrecht.
Even if the ECJ annuls the regulation, the "fundamental damage" would already have been done, since "widespread interventions in the right to confidentiality of communication would have taken place" by then.
/cloudfront-eu-central-1.images.arcpublishing.com/prisa/6WXBDHP36LUSCU24WPM6SPSFEE.jpg)