Does the EU’s proposal in the form of CSAM entail a loss of privacy for your data?

So what is CSAM all about? This regulation, if implemented in its current proposed form by the EU, imposes an obligation on all ISPs to provide customer data upon request, even in cases where the user protects their data with end-to-end encryption. The main idea is to establish a regulatory authority that, in cases of suspicion, can request data from the communication of a suspect.

Since internet traffic is so voluminous that it cannot be monitored by human effort, artificial intelligence would carry out traffic monitoring. And we all know how well A.I. at Facebook, for example, handles such tasks. It doesn’t understand context and can suspend your account for something that doesn’t even come close to violating the terms.

So where is the problem?

I see two main issues. The first is that AI will flag suspicious content without any context. It can thus falsely identify an innocent person as the culprit. However, once you point the finger at someone in the sensitive area of child abuse, that person will live with the stigma of being a pedophile. People won’t easily accept that it was a mistake. They’ll hold their own views, and where there’s smoke, they’ll see fire.

The second problem is that we would have to give up the security of our data in exchange for practically gaining very little. Why? Because of end-to-end encryption. Let’s explain in plain language what end-to-end encryption is using an example of a message sent through WhatsApp.

Your message is encrypted in your mobile phone and, as a jumble of characters, travels through your internet connection provider and the service provider to the target user. There, their phone decrypts it, and the target user reads it. Nobody, except you and the target recipient, knows what the message contains. Mathematically and computationally, it’s impossible to decrypt. This ensures the maximum security of your data.

However, the EU is pushing for the availability of information that is protected in this manner. How can you do that when it’s virtually impossible?

So, how do we solve the issue of end-to-end encryption?

Well, there are two options, and both of them are frankly quite dumb. Let’s be honest. The first option would mean that a provider of such services cannot offer this type of encryption because they wouldn’t be able to access the content of your message in any way. They would only offer you encryption that ensures secure transmission. However, the ISP can still access the data on their servers because it won’t be encrypted there.

The second option is essentially a backdoor that the developer incorporates into the application you use. The application still uses end-to-end encryption, but because your data is unencrypted on your device, the application always creates some sort of backdoor. It retrieves basic data and then sends it to the service provider. This is essentially the same as not encrypting at all. Why? Because there would always be a possibility that someone could access your sensitive data and misuse it.

In layman’s terms, imagine if the EU suddenly mandated that all physical mail must be sent without an envelope, and everyone could see the content of your letter. Or, the only way to send mail would be on a postcard. Crazy, right? However, it’s just the equivalent of what would happen to internet communication if CSAM were to take effect.

It’s only a matter of time before someone abuses it, whether it’s a hacker or an official (legally or illegally). Furthermore, when we realize that we will likely never get back this loss of privacy and that the benefit will be minimal, we should ask ourselves what goal CSAM is actually pursuing.

Those who deal in child pornography will find another way regardless. For example, they might send such material among themselves in an encrypted container and send decryption keys through another channel. 

CSAM and the Position of the Czech Republic

The Czech Republic is currently opposed to the implementation of CSAM. As each country naturally has a right to vote, the European Commission is exerting pressure on our policymakers to change their stance. Thanks to this, there is now a campaign on the internet drawing attention to CSAM. It is full of manipulation and emotionally charged scenes. Emotions play a significant role in such a sensitive topic, especially one involving children.

Furthermore, campaigns often use questions that are taken completely out of context, questions that may answer “A” but no longer “B.” What would you say to a question like, “Is it necessary to enhance internet security against child pornography?” At the very least, I would certainly answer yes. However, would you say the same if the questioner added “B,” meaning that it comes at the cost of an official being practically able to read your private messages at any time? You probably wouldn’t be so certain. Of course, it won’t happen at the snap of a finger, but the path will have been paved.

Does the EU’s proposal in the form of CSAM entail a loss of privacy for your data?

Conclusion

As you’ve probably gathered from the text, I am personally strongly against the implementation of CSAM in the form envisioned by the European Commission. The security of your data ends where anyone can peek into it. I don’t know how you perceive your privacy. However, it is very important to me to know that the content I send using end-to-end encryption is truly visible only to me and the intended recipient. And I definitely won’t settle for the answer that if I’m not sending child pornography, I have nothing to fear. Quite the opposite. The loss of privacy is what we should all be afraid of. It’s not for nothing that they say the road to hell is paved with good intentions. Once we lose our privacy, we’ll never get it back. And as for those dealing in child pornography? They will simply find other, less visible paths.