Internet's Deep-level Architects Slam US, UK, Europe For Pushing Device-side Scanning

The Internet Architecture Board (IAB) has warned that policy proposals requiring or enabling the automated scouring of people's devices for illegal material – as floated by the European Union, the United Kingdom, and the United States – threaten the open internet.

Apple brought widespread attention to this so-called client-side scanning in August 2021 when it announced plans to examine photos on iPhones and iPads before they were synced to iCloud, as a safeguard against the distribution of child sexual abuse material (CSAM). Under that plan, if someone's files were deemed to be CSAM, the user could lose their iCloud account and be reported to the cops.

As the name suggests, client-side scanning involves software on a phone or some other device automatically analyzing files for unlawful photos and other content, and then performing some action – such as flagging or removing the documents or reporting them to the authorities. At issue, primarily, is the loss of privacy from the identification process – how will that work with strong encryption, and do the files need to be shared with an outside service? Then there's the reporting process – how accurate is it, is there any human intervention, and what happens if your gadget wrongly fingers you to the cops?

The iGiant's plan was pilloried by advocacy organizations and by customers on technical and privacy grounds. Ultimately Apple abandoned the effort and went ahead with offering iCloud encryption – a level of privacy that prompted political pushback at other tech titans.

Client-side scanning has since reappeared, this time on legislative agendas. And the IAB – a research committee for the Internet Engineering Task Force (IETF), a crucial group of techies who help keep the 'net glued together –thinks that's a bad idea.

"A secure, resilient, and interoperable internet benefits the public interest and supports human rights to privacy and freedom of opinion and expression," the IAB declared in a statement just before the weekend.

"This is endangered by technologies, such as recent proposals for client-side scanning, that mandate unrestricted access to private content and therefore undermine end-to-end encryption and bear the risk to become a widespread facilitator of surveillance and censorship."

The IAB, which provides technical direction and advises the non-profit Internet Society, takes issue with efforts to enable client-side scanning of content on computing devices, as contemplated in proposed regulations to combat child sexual abuse material (CSAM) and other harmful digital content.

Specifically, the IAB cites Europe's planned "Regulation laying down rules to prevent and combat child sexual abuse" (2022/0155(COD)), the UK Online Safety Act of 2023, and the US Earn-It Act, all of which contemplate regulatory regimes that have the potential to require the decryption of encrypted content in support of mandated surveillance.

The administrative body acknowledges the social harm done through the distribution of illegal content on the internet and the need to protect internet users. But it contends indiscriminate surveillance is not the answer.

• Child psychiatrist jailed after making pornographic AI deepfakes of kids
• EU lawmakers scolded for concealing identities of privacy-busting content-scanning 'experts'
• Australia threatens X with fine, warns Google, for failure to comply with child abuse handling report regs
• India demands social networks 'swiftly' remove all CSAM

Despite the October 2021 publication of technical analysis by cryptography luminaries indicating that client-side scanning is unworkable and anti-democratic, child safety organizations and tech providers that would support content scanning efforts have lobbied for child safety legislation that would entail the technique.

The UK has already passed its Online Safety Act legislation, which authorizes telecom watchdog Ofcom to demand decryption of communications on grounds of child safety – though government officials have admitted that's not technically feasible at the moment.

Proposals for client-side scanning … mandate unrestricted access to private content and therefore undermine end-to-end encryption and bear the risk to become a widespread facilitator of surveillance and censorship

Europe, under fire for concealing those who have consulted on client-side scanning, and the US appears to be heading down a similar path.

For the IAB and IETF, client-side scanning initiatives echo other problematic technology proposals – including wiretaps, cryptographic backdoors, and pervasive monitoring.

"The IAB opposes technologies that foster surveillance as they weaken the user's expectations of private communication which decreases the trust in the internet as the core communication platform of today's society," the organization wrote. "Mandatory client-side scanning creates a tool that is straightforward to abuse as a widespread facilitator of surveillance and censorship."

Rejection by technical bodies doesn't necessarily deliver results. The IETF in 2014 declared, "Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible." Yet almost a decade later, pervasive monitoring is still … pervasive.

Law enforcement agencies have options other than client-side scanning. In 2018, for example, the FBI went so far as to create its own encrypted device vendor called ANOM and then marketed the devices to criminal groups.

The feds, according to the US Justice Department, then sold more than 12,000 ANOM encrypted devices to at least 300 criminal syndicates operating in more than 100 countries. The FBI subsequently used its backdoored network to conduct mass arrests in 2021. ®