SecureMac, Inc.

Checklist 380: Playing CSAM, Recall, and DNA Catch-Up

June 21, 2024

EU delays CSAM scanning plan amid privacy concerns; Microsoft postpones Recall feature after backlash; UK and Canada probe 23andMe data breach.


EU’s Proposal to Scan Encrypted Messages for CSAM Faces Delays and Criticism

This week's episode opens with the European Union's proposed regulation to combat Child Sexual Abuse Material (CSAM). The latest version, billed as "upload moderation," would have messaging apps inspect content on the user's device before it is encrypted, a move met with significant opposition from privacy advocates and tech companies alike.

Background and Previous Attempts

The issue gained widespread attention in August 2021, when Apple proposed detecting CSAM by perceptually hashing photos on the user's device before they were uploaded to iCloud Photos and matching those hashes against a database of known CSAM. Despite its good intentions, the plan was heavily criticized for its potential for misuse, and Apple eventually abandoned it.

The EU’s Controversial Proposal

The European Commission's proposal, which first surfaced over two years ago, would require tech companies to proactively scan for CSAM and grooming behavior, including on encrypted platforms. This has sparked fears that it would undermine end-to-end encryption (E2EE), the property that only the communicating users, and not the service provider, can read a message.

Industry Reactions

Critics argue that any form of pre-encryption scanning, whether labeled as “client-side scanning” or “upload moderation,” effectively breaks encryption. Meredith Whittaker, president of the Signal Foundation, emphasized that such measures would compromise the security of encrypted communications, making them vulnerable to exploitation by malicious actors.
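To make the architectural point concrete, here is an added toy model of a messaging client with an "upload moderation" hook. It is not code from Signal, Apple or the EU proposal: it uses a SHA-256 exact-match list in place of a real perceptual-hash database and a throwaway SHA-256 counter-mode XOR cipher in place of a real AEAD, and the messages and hash list are constructed. Whatever cipher is used, the scan runs on plaintext, its report leaves the device outside the encrypted channel, and the client matches whatever list it is handed.

```python
"""Toy model of an end-to-end encrypted messenger with an "upload moderation"
hook: the client scans the plaintext against a provider-supplied hash list and
only then encrypts. Constructed example; the cipher is a stand-in, not real
messenger code, and the hash list and messages are made up."""
import hashlib
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream. Stands in for the messenger's AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes):
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce, bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def content_hash(data: bytes) -> str:
    """Exact SHA-256 match. Real deployments use perceptual hashes, which
    changes what matches but not where the scan sits in the pipeline."""
    return hashlib.sha256(data).hexdigest()


def client_send(plaintext: bytes, key: bytes, hash_list: set) -> dict:
    """The client's send path under upload moderation: scan, then encrypt.

    The scan sees the plaintext. The client cannot tell what the entries in
    hash_list correspond to; it matches whatever list the provider pushed."""
    report = None
    digest = content_hash(plaintext)
    if digest in hash_list:
        # What a match report carries is a provider design decision; here the
        # matched content itself is attached for "review", in the clear.
        report = {"hash": digest, "content": plaintext}
    nonce, ciphertext = encrypt(key, plaintext)
    return {"nonce": nonce, "ciphertext": ciphertext, "report": report}


def server_view(envelope: dict) -> dict:
    """What the relay learns. It holds no message key, so the ciphertext is
    opaque to it, but the scan report arrives outside the encrypted channel."""
    report = envelope["report"]
    return {
        "ciphertext_bytes": len(envelope["ciphertext"]),
        "flagged_content": report["content"] if report else None,
    }


if __name__ == "__main__":
    key = os.urandom(32)  # shared only by the two endpoints, never by the server
    hash_list = {content_hash(b"sample bytes on the list")}
    for msg in (b"sample bytes on the list", b"see you at 8"):
        env = client_send(msg, key, hash_list)
        assert decrypt(key, env["nonce"], env["ciphertext"]) == msg
        print(msg, "->", server_view(env))
    # The list is opaque and updatable: adding one hash flags a new category
    # of content with no change to the client at all.
    hash_list.add(content_hash(b"see you at 8"))
    print(server_view(client_send(b"see you at 8", key, hash_list)))
```

The second run of `server_view` is the point critics make about scope: once the scan hook exists, nothing in the mechanism restricts the list to CSAM, and a client that only holds hashes cannot audit what it has been asked to report.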

Recent Developments

The proposal recently faced a significant delay. Engadget reported that a decision on scanning encrypted messages for CSAM was postponed due to opposition from several member states, including Germany and the Netherlands, who raised cybersecurity and privacy concerns.

Looking Ahead

While the immediate threat of the EU’s plan has been delayed, it remains a contentious issue. As Whittaker pointed out, the desire to undermine end-to-end encryption persists, posing ongoing challenges for privacy advocates.

Sources: The Hacker News, Engadget

Microsoft Delays Controversial Recall Feature Amid Privacy Concerns

Microsoft has decided to delay the release of its controversial Recall feature following widespread criticism over privacy and security concerns. First covered in Checklist 376, Recall was designed to take periodic screenshots of a user's activity, including files, photos, emails, and browsing history, and store them locally on the user's computer so that past activity could be searched later.

Despite being an optional feature with assurances that data would remain local and inaccessible to Microsoft or third parties, Recall faced significant backlash. Critics labeled it a privacy and security risk, pointing out that a searchable record of everything a user has seen on screen is an attractive target for cybercriminals who gain access to the machine. Concerns were also raised about potential misuse by law enforcement and even by Microsoft itself, should it alter its data policies in the future.

Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation, expressed particular worry about the feature’s implications for victims of domestic abuse. 

In response to these concerns, Microsoft announced that it would limit the initial release of Recall to participants in the Windows Insider Program. The company emphasized its commitment to security and quality, stating in a blog post:

“We are adjusting the release model for Recall to leverage the expertise of the Windows Insider community to ensure the experience meets our high standards for quality and security… This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users.”

Many observers wonder whether this delay will lead to the feature being shelved entirely, as happened with Apple's abandoned CSAM detection plans.

23andMe Data Breach Under Investigation by UK and Canada

Nearly nine months after the breach at genetic testing company 23andMe, data protection authorities in the UK and Canada have launched a joint investigation into the incident. The breach exposed the data of nearly 7 million users. Attackers used credential stuffing, trying username and password pairs leaked in other companies' breaches, to log in to about 14,000 accounts whose owners had reused those passwords. From inside those accounts they then abused the DNA Relatives feature, which shows a user the profiles of people who share DNA with them, to harvest sensitive information about the account holders' relatives, including birth years, profile pictures, family names, and more.
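Credential stuffing leaves a distinctive footprint in authentication logs: one source trying many different usernames in a short window with a high failure rate. Below is an added detection example in Python; it is not 23andMe's code or anything from the regulators' findings. The log format, IP addresses, user names and thresholds are constructed for the example. Beyond flagging the source, it lists the accounts that did succeed from that source, since those are the sessions that need to be invalidated and the passwords reset.

```python
"""Flag credential stuffing in authentication logs and list the accounts that
were successfully logged into from a flagged source. The log format, addresses
and users below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line, e.g.
    '2024-06-20T10:00:01Z ip=203.0.113.7 user=user01 result=fail'."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, kv["ip"], kv["user"], kv["result"] == "success")


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_users=10, min_fail_ratio=0.7):
    """Bucket events per (source IP, time window). A bucket is flagged when it
    touches at least min_users distinct accounts and at least min_fail_ratio of
    the attempts failed; thresholds are illustrative and need tuning per site.
    Returns one finding per flagged bucket, including the accounts that
    succeeded from that source (the ones that need a forced reset)."""
    events = [parse_line(line) for line in lines if line.strip()]
    buckets = defaultdict(list)
    for e in events:
        slot = int(e.ts.timestamp() // window.total_seconds())
        buckets[(e.ip, slot)].append(e)

    findings = []
    for (ip, slot), evs in sorted(buckets.items()):
        users = {e.user for e in evs}
        fails = sum(not e.ok for e in evs)
        ratio = fails / len(evs)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            findings.append({
                "ip": ip,
                "window_start": datetime.fromtimestamp(
                    slot * window.total_seconds(), tz=timezone.utc),
                "attempts": len(evs),
                "distinct_users": len(users),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(e.user for e in evs if e.ok),
            })
    return findings


def constructed_log():
    """Constructed sample: one stuffing source and one legitimate user."""
    base = datetime(2024, 6, 20, 10, 0, tzinfo=timezone.utc)
    lines = []
    # Attacker: 25 different accounts in two minutes from one IP; three of the
    # reused passwords happen to be correct.
    for i in range(25):
        t = base + timedelta(seconds=5 * i)
        result = "success" if i in (4, 11, 19) else "fail"
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} ip=203.0.113.7 user=user{i:02d} result={result}")
    # Legitimate user mistyping a password twice, then succeeding: same single
    # account, so not flagged despite the failures.
    for j, result in enumerate(["fail", "fail", "success"]):
        t = base + timedelta(seconds=30 * j)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} ip=198.51.100.4 user=bob result={result}")
    return lines


if __name__ == "__main__":
    for finding in detect_credential_stuffing(constructed_log()):
        print(finding)
```

A per-account lockout on its own would not have caught this pattern, because each account sees only one attempt; the signal is per source, across accounts. Pairing the per-source check with rate limits on data-rich features such as relative matching addresses the second stage of the attack described above.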

The UK’s Information Commissioner’s Office (ICO) and Canada’s Office of the Privacy Commissioner (OPC) are investigating whether 23andMe had adequate safeguards in place and if the company provided sufficient notification about the breach as required by law.

Philippe Dufresne, Canada’s privacy commissioner, commented:

“Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

Despite the long delay in launching the investigation, the joint effort aims to address the serious implications of the breach and to prevent future occurrences.

Sources: The Hacker News, The Guardian
