Europe and Australia both back down on CSAM scanning that would break encryption

Both the EU and Australia have backed down on separate proposals to force tech companies to carry out CSAM scanning within messaging apps, which would have meant breaking end-to-end encryption.

It’s the latest development in the ongoing battle between tech companies and politicians who don’t understand how encryption works …

Europe drops CSAM scanning vote

A proposed EU regulation called for messaging companies to be required to scan outgoing messages for CSAM in the form of photos or links. But while there was support in some European countries, others opposed it on privacy grounds, as it would have meant breaking the end-to-end encryption (E2EE) used in apps like iMessage, Signal, and WhatsApp.

Politico reports that a vote on the proposal has now been dropped, after it became clear that it did not enough support to pass.

A vote scheduled today to amend a draft law that may require WhatsApp and Signal to scan people’s pictures and links for potential child sexual abuse material was removed from European Union countries’ agenda, according to three EU diplomats […]

Many EU countries including Germany, Austria, Poland, the Netherlands and the Czech Republic were expected to abstain or oppose the law over cybersecurity and privacy concerns.

“In the last hours, it appeared that the required qualified majority would just not be met,” said an EU diplomat from the Belgian presidency

Australia rules out breaking encryption

Australia’s online safety regulator, eSafety, had also proposed a similar requirement for tech companies to carry out CSAM scanning on both cloud and messaging services.

However, The Guardian reports that these plans have now been diluted, with the government explicitly ruling out requiring tech giants to break E2EE.

Tech companies and privacy advocates raised concern it would not protect end-to-end encryption. Apple warned it would leave the communications of everyone who uses the services vulnerable to mass surveillance […]

But in the finalised online safety standards lodged in parliament on Friday, the documents specifically state that companies will not be required to break encryption and will not be required to undertake measures not technically feasible or reasonably practical.

The UK previously backed down when challenged by Apple

The UK had also proposed to force companies to break E2EE. However, the government backed down after Apple said that it would withdraw iMessage from the UK rather than compromise user privacy.

Apple likewise abandoned its CSAM scanning plans

Even Apple, which did its best to come up with a privacy-protecting approach to CSAM scanning, eventually dropped these plans after many of us pointed out the potential for misuse by repressive governments.

Photo by Tommaso Scalera on Unsplash