It's kind of remarkable that most are not even based in Europe. Google, Microsoft, law enforcement - I'm sure there were comprehensive criteria in their selection, but that doesn't sound like the correct kind of crowd to advise on matters of privacy and security.
Ah yes, the usual suspects: microsoft, google, and their leased proxies in academia and ngos.
Degoogle and demicrosoft and spread the word. Remember folks that used to think they’ll use chips and vaccines to spy on them? Well explain how it’s actually done via their phones and pcs with the blessing of their unelected representatives.
The last thing needed is corrupt governments and billionaire playboys spying on all communication channels under some fake nonsense about protecting children they don't really give a shit about.
A true politician realizes that the enemy of my enemy (on a specific issue) is my friend (on a specific issue).
Why not harness a portion of the zeitgeist?
And maybe in the progress build some bridges. "You don't trust big tech? I don't trust big tech either!" (Let's have a discussion about how microchips work, though...)
Isn't that just the perfect monopoly. Nobody is even allowed to work on anything similar unless they buddy up with NCMEC (hi Apple).
Back when I made exceptionally bad (but not illegal) choices I publicly archived 3 supposedly worksafe 4chan boards. I found out pretty fast people still used CSAM to derail threads nearly daily. And that's when I found out that it's an impossible problem to solve for me; remedies are available if you're enterprise sized and a corporate entity, but for individuals running services the unofficial recommendation has always been "delete and pretend it never happened". That sucks, and hardly scales. PhotoDNA told me to ask again when I had a floor full of lawyers. I am to this day baffled the Fediverse hasn't died by the same mechanism. Either way, it's a disgusting way to limit who can operate services with UGC in practice.
I at least decided against hosting the entire thing pretty soon and of course still had my entire hardware seized a year later. German police are slow, and they weren't interested in even talking to me or my lawyer.
Aren't they a group of people using anti-CP as a way to profit or build a moat? They're essentially looking to mandate scanning, and then selling the tools to do so or making it harder for competition to enter their segments.
They absolutely do support CSAM. They depend on it in the same way Chevron depends on the existence of crude oil. This has never been about minimizing harm to children. It has always been a cynical power play.
No. The headline is correct. These people are in favor of CSAM-as-an-issue. These unfathomably stupid measures have never been about minimizing harm to children. They have always been about power and money.
How did a lobbyist/software supplier/"ngo" get 5 people in the door? Just go look for the money trail. Then expose anyone who has received so much as a euro from Thorn.
LOL at the guy from MEGA. Perhaps proof that the fact that it's still around in this post Kim Dotcom incarnation is that it is probably a honeypot for the Five Eyes.
> is that it is probably a honeypot for the Five Eyes
At least they're still going through the usual motions of putting forward the "think of the children!" mantra, I suspect that given the current geo-political and defence environment we'll have this thrown down our collective throats in about 6 months to one year with no "advising" whatsoever, just served to us as a fait accompli in the interest of protecting the values-based order.
Come to think of it, I'm still a little surprised that they haven't dropped that mask off just yet.
>> "In response to a request for documents pertaining to the decision-making behind the proposed CSAM regulation, the European Commission failed to disclose a list of companies who were consulted about the technical feasibility of detecting CSAM without undermining encryption."
>> "... a list of experts who helped the Commission draft the text related to potential solutions to detect child sexual abuse material in end-to-end encrypted communications."
This doesn't sound like a list of those who supported it. Only who were consulted.
Maybe some more consideration before we start burning witches?
>> Such a requirement is fundamentally incompatible with end-to-end encrypted messaging because platforms that offer such service cannot access communications content.
The challenge is that based on the advice of experts, the commission made recommendations which violate or are in conflict with end-to-end encryption.
The public deserves to know the lineage of such decision-making and (rightfully) stimulate or recommend improvements to the process.
> The challenge is that based on the advice of experts, the commission made recommendations which violate or are in conflict with end-to-end encryption.
"Based" is doing a lot of service there.
Maybe they were fully in support. Maybe they told the EU it was a terrible, stupid idea and were ignored.
At the end of the day, the EU body made the proposed regulation, and I'd like to know individuals' involvements before assuming their opinion.
F.ex. I would assume that Alex Stamos didn't tell them it was a brilliant idea
Experts are entitled to their opinions, I wouldn't judge anyone on the list for their stance.
Seeing the list as a whole, however, makes me wonder if the commission or lawmakers in general have access to adequate technical expertise and representation from the industry.
In theory you are right, but why would the EC consult with Canadian, British and Australian government people? And what do you think they said? "No, you will ruin E2E"?
> but why would the EC consult with Canadian, British and Australian government people?
to know how they're planning on managing the same issues? i'm not a fan of CSAM either but it makes sense to talk to your neighbours to know how they're handling things?
someone could make an AI image generator for CSAM. Then the whole point will be moot, the market for it will collapse and the social taboo will be rendered irrelevant.
Such material would be considered CSAM in the UK, for example. No child needs to be abused for a person possessing such material to be prosecuted and imprisoned.
Indeed, but would you like to be the MP who votes against a law which tackles CSAM?
Similarly, the age limit is 18, so if you are 17, a sexy photo (or AI generated image) of your girlfriend of 17 is CSAM (though there is a defence provided you are married or in a civil partnership with said girlfriend). That's a 10-stretch.
What if you only "possess" a bunch of model weights that can produce such material when prompted to do so, just as it can produce pictures of cute puppies?
What if someone did try really hard to prevent it producing it, but it still happens to do so if you ask it to act like your deceased grandmother?
Those AI-generated materials will inevitably very easy to obtain, if not tomorrow then in a few years for sure. The laws will change accordingly as there is little point of having a law that prescribes putting too many people behind the bars.
The two UK government members listed published a detailed paper last year "Thoughts on Child Safety on Commodity Platforms" https://arxiv.org/pdf/2207.09506.pdf
With a stated aim to "to educate and inform in order to allow a more detailed and informed debate to happen" and appears a genuine in that goal.
Could you [in theory] do some kind of zero knowledge proof or whatever that the plaintext belonging to a given ciphertext does [not] have a certain property? Here is my encrypted message and the proof that it does not contain some illegal content. Whether you would want such a system is another question, but it would at least be some middle ground between everything being encrypted and everything being [effectively] unencrypted.
I was imagining that you provide the proof, for example that none of the files you are sending has a hash that is on a certain list of illegal files. They would not be detecting anything, you would provide a cryptographically verifiable proof that whatever you are sending meets certain criteria. A server could then refuse to transport your encrypted message if it is not accompanied by a proof that the content is benign. There is of course the danger that they could change or expand what you have to prove in order to not get your message dropped. I think it might be possible to build something like that but I also think that it would probably in general require something like fully homomorphic encryption and therefore is not currently practical.
So like, maybe you could build a secure encryption algorithm that has a specific property X *only* when one of the images on some list is encrypted with it ?
Imagine giant, mile-wide traps into which hordes of people gleefully run and fall. The talks about this being a “technical problem”, “legal problem”, “responsibility problem” are such obvious traps preventing people from getting the clear view. The ability to control, to have the last word on what is acceptable by someone else is the goal here. The construction of hierarchy attracts all kinds of actors, big and small, who see “opportunities” for themselves there. It is safe to assume that all that crowd couldn't care less about all the children in the world. The question to ask yourself is why such demands are not shrugged off like the others.
You could. However, this would require the prover to know how to evaluate the property -- in other words, the test for CSAM would have to be publicly-known, or at least known to the client.
This is not what providers and law enforcement want, since this would amount to giving away an algorithm that smart criminals could use to pre-test their content to see if it'll trip CSAM filters. To date, organizations have been extremely cagey about giving out content hashes for CSAM as well as even the algorithms for computing them, like PhotoDNA (which recently leaked.)
The more recent proposals use two-party computation so that the client doesn't know whether any given piece of content matches. You can attach ZK proofs to the client's piece of this computation, all at fairly large (computational) cost.
The only expert from EU academia is Bart Preneel who is actually a loud opponent of the CSAM proposal [1]. Kudos and thank you, Bart, for your professional integrity!
53 comments
[ 4.7 ms ] story [ 86.0 ms ] threadSource: https://www.theregister.com/2023/11/09/eu_casm_expert_identi...
Also if they are advising on the technology of CSAM rather than the politics of it, then does it really matter where they are based?
Degoogle and demicrosoft and spread the word. Remember folks that used to think they’ll use chips and vaccines to spy on them? Well explain how it’s actually done via their phones and pcs with the blessing of their unelected representatives.
Why not harness a portion of the zeitgeist?
And maybe in the progress build some bridges. "You don't trust big tech? I don't trust big tech either!" (Let's have a discussion about how microchips work, though...)
Those “crackpots” have voting rights and a desire for privacy which while they may not be able to articulate well is very much valid.
And they are many.
https://netzpolitik.org/2023/chatkontrolle-lobbyist-thorn-me...
[0] https://www.microsoft.com/en-us/photodna
Back when I made exceptionally bad (but not illegal) choices I publicly archived 3 supposedly worksafe 4chan boards. I found out pretty fast people still used CSAM to derail threads nearly daily. And that's when I found out that it's an impossible problem to solve for me; remedies are available if you're enterprise sized and a corporate entity, but for individuals running services the unofficial recommendation has always been "delete and pretend it never happened". That sucks, and hardly scales. PhotoDNA told me to ask again when I had a floor full of lawyers. I am to this day baffled the Fediverse hasn't died by the same mechanism. Either way, it's a disgusting way to limit who can operate services with UGC in practice.
I at least decided against hosting the entire thing pretty soon and of course still had my entire hardware seized a year later. German police are slow, and they weren't interested in even talking to me or my lawyer.
Which I think it's fair to say that, whatever their motivations and misguided goals, they do not.
At least they're still going through the usual motions of putting forward the "think of the children!" mantra, I suspect that given the current geo-political and defence environment we'll have this thrown down our collective throats in about 6 months to one year with no "advising" whatsoever, just served to us as a fait accompli in the interest of protecting the values-based order.
Come to think of it, I'm still a little surprised that they haven't dropped that mask off just yet.
>> "In response to a request for documents pertaining to the decision-making behind the proposed CSAM regulation, the European Commission failed to disclose a list of companies who were consulted about the technical feasibility of detecting CSAM without undermining encryption."
>> "... a list of experts who helped the Commission draft the text related to potential solutions to detect child sexual abuse material in end-to-end encrypted communications."
This doesn't sound like a list of those who supported it. Only who were consulted.
Maybe some more consideration before we start burning witches?
The challenge is that based on the advice of experts, the commission made recommendations which violate or are in conflict with end-to-end encryption.
The public deserves to know the lineage of such decision-making and (rightfully) stimulate or recommend improvements to the process.
"Based" is doing a lot of service there.
Maybe they were fully in support. Maybe they told the EU it was a terrible, stupid idea and were ignored.
At the end of the day, the EU body made the proposed regulation, and I'd like to know individuals' involvements before assuming their opinion.
F.ex. I would assume that Alex Stamos didn't tell them it was a brilliant idea
Seeing the list as a whole, however, makes me wonder if the commission or lawmakers in general have access to adequate technical expertise and representation from the industry.
to know how they're planning on managing the same issues? i'm not a fan of CSAM either but it makes sense to talk to your neighbours to know how they're handling things?
Similarly, the age limit is 18, so if you are 17, a sexy photo (or AI generated image) of your girlfriend of 17 is CSAM (though there is a defence provided you are married or in a civil partnership with said girlfriend). That's a 10-stretch.
What if you only "possess" a bunch of model weights that can produce such material when prompted to do so, just as it can produce pictures of cute puppies?
What if someone did try really hard to prevent it producing it, but it still happens to do so if you ask it to act like your deceased grandmother?
Those AI-generated materials will inevitably very easy to obtain, if not tomorrow then in a few years for sure. The laws will change accordingly as there is little point of having a law that prescribes putting too many people behind the bars.
No wonder they tried to keep this secret.
And that's the problem
This is not what providers and law enforcement want, since this would amount to giving away an algorithm that smart criminals could use to pre-test their content to see if it'll trip CSAM filters. To date, organizations have been extremely cagey about giving out content hashes for CSAM as well as even the algorithms for computing them, like PhotoDNA (which recently leaked.)
The more recent proposals use two-party computation so that the client doesn't know whether any given piece of content matches. You can attach ZK proofs to the client's piece of this computation, all at fairly large (computational) cost.
[1] https://twitter.com/bpreneel1/status/1676142898197274624