Member States want internet service providers to do the impossible in the fight against child sexual abuse
In May 2022, the European Commission presented its proposal for a Regulation to combat child sexual abuse (CSA) online. The proposal contains a number of privacy-intrusive provisions, including obligations for platforms to indiscriminately scan the private communications of all users (dubbed “chat control”). There are also blocking obligations for internet service providers (ISPs), which are the focus of this article.
What’s the current state of the debate on the CSA Regulation?
The highly controversial CSA Regulation proposal continues to move quickly in both Parliament and Council. This is despite a long line of serious human rights concerns being raised by civil society organisations, the European Data Protection Supervisor (EDPS) and European Data Protection Board (EDPB) in their joint opinion on the proposal, and most recently by the Austrian Parliament.
Council amendments are negotiated in the Law Enforcement Working Party (LEWP). This is noteworthy because the Commission and some members of the European Parliament emphasise that the CSA Regulation is not a law enforcement act, and the formal legal basis for the proposal is TFEU Article 114 (internal market harmonisation).
Under the Commission proposal, ISPs can be ordered to block Uniform Resource Locators (URLs) for known CSA material which is hosted outside the European Union if voluntary removal of the material is not possible. The blocking order for the list of URLs must be approved by a court.
What are the issues with that?
The main problem with the Commission proposal is the practical implementation: blocking at the URL level is technically impossible when HTTPS is used for accessing a website because the full URL is end-to-end encrypted between the user’s browser and the web server.
HTTPS has become the de facto standard for web traffic. It is unclear from the proposal how this situation should be handled. Blocking at the domain name level (DNS blocking), that is, blocking entire websites, is a workable alternative, but this requires a different proportionality assessment than the one foreseen in Articles 16-18 of the proposal.
The Council amendments for Articles 16-18 impose even more complex and technically impossible blocking obligations on ISPs.
Besides blocking known CSA material, which has been assessed by competent authorities, ISPs should also block unknown CSA material. This would effectively require ISPs to monitor the content of internet traffic for all users and rely on error-prone artificial intelligence technology to detect unknown CSA material (similar to detection orders in Articles 7-11).
This type of general monitoring of internet traffic is prohibited by EU law, and no derogation is applicable for blocking orders. On a more practical level, the traffic analysis necessary to implement blocking of unknown CSA material is technically impossible when internet traffic is encrypted.
Furthermore, the Council amendments remove essentially all safeguards from the Commission proposal. Blocking orders can be issued for content hosted within the EU, and the order can be issued directly by police authorities without prior court review, undoubtedly inspired by the Terrorist Content Online Regulation.
The required proportionality assessment is also deleted from the proposal. The joint effect of these amendments is a blocking provision with very few safeguards and no independent oversight, a toxic combination which creates a high risk of over-removal of legal content.
At the same time, the fight against the online proliferation of CSA material could actually become less effective with the Council amendments because blocking is incentivised over removal at the source. The latter is really the only measure which can prevent further distribution because access blocking by ISPs is trivial to circumvent.
For our ongoing advocacy work on the CSA Regulation, EDRi has written a short briefing note on the Council amendments which is published together with this blog post.
Contribution by: Jesper Lund, Chairman of EDRi member IT-Pol