Summary of the Statement of the Public Prosecutor’s Office, Central and Contact Point Cybercrime (ZAC), on the public hearing of the Digital Affairs Committee of the German Bundestag on “Chat Control”
Original Statement here.
The assessment is made primarily from the perspective of prosecutorial and general law enforcement practice. The perspectives of prevention, improved compliance and other effects on societal, political as well as technical aspects are only examined in their respective interaction with law enforcement in view of the expertise available here.
The proposal for a regulation also has an impact on the activities of the national law enforcement authorities dealing with the crime of child abuse in the digital space.
Compared with a risk-based general intervention that also reaches end-to-end encrypted communication infrastructures, concrete and effective, but always occasion-related, criminal prosecution is likely to be a much milder but (at least) equally suitable means of improving the fight against net-related child abuse.
Without a human, evaluative and legally and criminally competent review of the cases identified as relevant, a reliable identification of criminally relevant cases on the basis of AI alone is unlikely to be possible.
Scanning activities by major internet corporations (of unencrypted messenger messages and emails, hosted files and posted content) should now be mandatory for service providers (including host providers, interpersonal communication services, app stores, access providers).
Age verification: any anonymous use of communication services would become de facto impossible (as effective exclusion of minors would only be achievable through personal identification, not through mere age confirmation)
Targeted detection obligations on the basis of so-called detection orders
- Provider decides whether to use own software or that of the EU Centre against Child Abuse.
- The obligation can only be fulfilled through a fully comprehensive, automated, largely AI-based review of communication content
- Automated scanning of all content of a service is an encroachment on European (and national) fundamental rights
- Scanning of end-to-end encrypted content would have to take place on users’ devices (client-side scanning), so that encryption is not completely abolished or technologically weakened.
- Detection orders significantly affect information security (predetermined breaking point for encryption technology with evidenced potential for risk and misuse)
- Private conversations and private image and video files that can be attributed to the private sphere will also have to be noted and examined by a large number of examiners.
- Service providers are to report content deemed relevant to a new EU centre to be set up and remove the material.
- Prior verification by the EU Centre before onward transmission
- Effective legal remedy for both providers and users: inter alia, legal remedy before the courts of the Member State, the competent judicial authority or the independent administrative authority.
- Individual remedies are not a sufficiently suitable corrective for any misuse of detection orders. Providers with vested interests cannot adequately fulfil the legal function for users. Urgent introduction of a strong and independent control mechanism is needed.
- All digital communication services and devices are covered by the regulations, without range or usage thresholds
- Criminal law is applied proportionately; criminal prosecution at any price is not a viable alternative under German and European constitutional law.
In the sense of the classic proportionality triad, the Commission proposal must be appropriate, necessary and proportionate in the narrower sense
- The detection order does not prove to be fully necessary to achieve the goal of an improved and effective fight against network-related child abuse. Furthermore, it encounters – partly far-reaching – concerns with regard to its appropriateness.
- There are no doubts about the fundamental legitimacy of the purpose
- Means also likely to be suitable, i.e. at least conducive, in relation to the purpose sought.
- Despite possible crowding-out effects to other technologies or providers, the proposed measure is not to be qualified as per se unsuitable
- Significant and, in the end, far-reaching concerns exist with regard to necessity, especially insofar as they are directed against end-to-end encrypted communication
- The Commission proposal assumes a lack of knowledge and information on the part of the law enforcement authorities
- End-to-end encryption of perpetrator communications in the field of net-related child abuse is a significant obstacle to investigation only in a significantly smaller number of cases
- The scope of knowledge arises from a combination of server-side monitoring, the investigation procedures themselves and from third party tips
- The Commission moves significantly away from the reality of law enforcement practice with regard to end-to-end encrypted communications. Rather, there is a structural deficit in action due to insufficient technical and personnel resources of the law enforcement agencies.
- Improved European cooperation between investigative authorities through an EU centre can be an essential contribution, also for ensuring a unified European intelligence practice
- Multinational so-called Joint Investigation Teams are to be set up on a permanent basis instead of only on a trial-by-trial basis.
- The risk of innocent citizens being affected by official investigations is significant.
- False-positive reports are a misallocation of resources for the investigating authorities
- Pre-filtering in the EU centre means additional resource requirements
Detection delta
- Hashes for known and classified abuse material.
- AI should detect unknown abuse material but is prone to error and requires invasive methods
- Hashes can significantly minimise the intensity of the intervention, which is appropriate in terms of results and is sufficiently effective
- Closing the detection delta by upgrading the law enforcement authorities
- End-to-end encryption is the only effective means of protecting the confidentiality of digital communications. It is the most important digital protection measure for individuals, businesses, public authorities and law enforcement (including specially protected professions such as defence lawyers). From a technical perspective, encryption is either effective or compromised. Encryption that is weakened or structurally undermined by an instrument such as the detection order is, in effect, no encryption.
Recommendations
- Empower and strengthen law enforcement agencies.
- Instead of “data retention” rejected by the European Court of Justice, limited IP allocation
- Live extraction of current IP data without a retrograde storage (“login trap”), with a very limited storage period for IP assignment data of one week.
- Improving international cooperation at European level
- EU Centre as a competence and coordination hub
- Netblocks are easy to circumvent; it is better to delete material and prosecute people. “Track instead of just block”