Plans to scan smartphone apps for evidence of child sex abuse 'doomed to be ineffective' 

The law would allow for the scanning of messages, pictures, emails, voicemails and other phone data of users. It would seek to overcome end-to-end encryption, used by popular messaging applications like WhatsApp, by enabling scanning directly within a person’s own device — a process known as client-side scanning (CSS).

However, in an open letter to the members of the European Parliament and the European Council, the group in question — including British academics Professor Ross Anderson and Professor Michael Veale — criticised the proposals, saying the scanning technologies “that currently exist and that are on the horizon are deeply flawed”.

'Extremely harmful'

“These flaws... imply that scanning is doomed to be ineffective,” they said, adding that to integrate such technology within existing apps would create “side-effects” likely to be “extremely harmful for everyone online, and which could make the internet and the digital society less safe for everybody”.

“Given the horrific nature of child sexual abuse, it is understandable, and indeed tempting, to hope that there is a technological intervention that can eradicate it,” the group said.

They added, however, that they “cannot escape the conclusion that the current proposal is not such an intervention”.

“It is not feasible or tenable to require private companies to use technologies in ways that we already know cannot be done safely — or even at all,” they said. 

They argued the proposed regulation would “set a global precedent for filtering the internet, controlling who can access it, and taking away some of the few tools available for people to protect their right to a private life in the digital space”.

“We therefore strongly warn against pursuing these or similar measures as their success is not possible given current and foreseeable technology, while their potential for harm is substantial,” the letter said.

In describing the perceived flawed nature of the technology which currently exists to scan for criminal material, the group said more than two decades of research into such technologies have returned “no substantial progress”.

They said it was “virtually always possible” for those disseminating material such as child sexual abuse imagery to make those files impossible to detect by subtly altering an image’s code.

By the same token, innocent images could be manipulated to return false positives, the academics said.

Serious reservations

“We have serious reservations whether the technologies imposed by the regulation would be effective: perpetrators would be aware of such technologies and would move to new techniques, services and platforms to exchange child sexual abuse material information while evading detection,” they said.

They warned further against the “technical implications” of any moves made to weaken end-to-end encryption, which is designed so only the sender and recipient of a message can view its contents.

The group noted CSS was akin to “adding video cameras in our homes to listen to every conversation and send reports when we talk about illicit topics”, while the only deployment of such technology in the western world, by Apple in 2021, was subsequently withdrawn after less than a fortnight due to “privacy concerns and the fact that the system had already been hijacked and manipulated”.