There's a hole in the bucket dear EU, dear EU

First published: LinkedIn on May 11, 2022

Image by Shuvrashanka Paul

I am going to try and explain why tackling the CSAM (Child Sexual Abuse Material) problem with technical/surveillance methods is a dead end and why it will harm society more in the end than it will do good.

First things first. A more correct way of describing privacy.

A lot of discussions are about 'what do you want to hide'. This is categorically wrong. Hiding something means to conceal it or put it out of sight: something that was previously 'in sight' or 'for all to see', which implies that there was a right to see that something before it was hidden.

But that is not what privacy means. Privacy means 'being in control of what you share'. Sharing has the connotation that something first and foremost belongs to me and I am giving it freely without obligations to you and/or others.

This difference in framing is very important. It is the difference between 'you are not allowed to keep something secret' and 'you must give up something that is inalienably yours'. Your privacy is yours, and only you are qualified to decide who can or cannot get an exception; this is literally the definition of the word private.

History's repeating

In the late 1990s, together with the late Felipe Rodriquez (who was also the founder of the 'Meldpunt Kinderpornografie'), I demonstrated to the Dutch government that laws prohibiting encryption will only diversify and disperse CSAM. I did that by demonstrating a hideously simple steganographic algorithm using the least significant bits in a bitmap in Microsoft Word 2.0 (so they themselves could reproduce it).

The responses gave me the hope that lawmakers and government in general understood that crippling dissemination infrastructure would not halt the problem but rather create more damage in the 'healthy parts' of the Internet (we wrote it capitalized back then).

Since then, I repeated that exercise in various guises with various counterparts and usually, after many hours, the verdict was that 'yes, ok, using invasive techniques to catch CSAM disseminators would yield a nice first batch of bad people, but it is plain to see that the next wave will absolutely render most of those techniques obsolete and that, because we do not know when the waves start or end, the weaknesses introduced will be in place for far too long. And this makes the risk (chance x damage) disproportionate for its goal.'

But with each new batch of politicians or influentials who want a quick stern statement that elevates their 'good person for the people' status, I had to repeat that exercise.

But here's the thing... I will not get tired of doing it. Over and over. Because my offspring, who fall into the possible victim group, should have a future unburdened by a cranky public servant who can monitor their every thought and utterance, possibly with human-rights-infringing consequences.

Understanding where this is coming from

I do truly understand where this feeling of wanting to monitor every little byte is coming from. During my time as a CISO for a large Dutch cybersecurity firm I always was anxious that I was missing something.

The capable incident responders often showed that with proper logging and monitoring a lot of threats could be found. Therefore the logical gut reaction was to 'monitor all the things!' 'DPI all the packets!' because, well, then we could see *everything*.

But this digital panopticon brought, upon further analysis, and with good input from the DPO and my Security Office, more risk than reward. Because you have to do a risk analysis of these methods and pinpoint new methods of attack on the fresh attack surfaces that the implementations bring. Things like a four-eyes principle, with auditing and a vetting of actions, much like a search warrant, were needed to mitigate the new danger of 'just browsing' or 'personal vendetta' and such. Getting something analogous to that operating correctly in a nation state, let alone a slightly volatile mix of nation states, makes 'herding cats' look like something you do 5 minutes before dinner.

The main issue here is the (perceived or real) pressure that is put on law enforcement to 'do something about it'. And as I stated earlier, the quickest way to alleviate that pressure is to catch the first wave and show a quick win.

Understanding where this is leading to

If we go this route of trying to catch the CSAM creators/purveyors by weakening both the technical facilities and the trust in vendors and governments, we will have won absolutely nothing.

Not only will the CSAM criminals scatter before the all-powerful searchlight, but any other criminal activity that could be tackled without the cumbersome bureaucracy of privacy-preserving DPI will follow suit.

Taking away privacy because of the need for quick results will weaken everything. And it won't amount to a hill of beans in the long run.

Why it is an almost completely useless effort

In 2017 I gave a presentation at SHA2017. It was called 'Parkours communications'. In that presentation I highlighted just a few methods of using the internet to communicate with each other indirectly and not using 'meant for chat' applications.

Things like subscribing to a mailing list using 'myname.<base64encodeddata>@<a domain that has catch-all>', or placing orders at JustEat with a friend's email address instead of mine and putting my message in the 'Note for order'.

But that presentation was just child's play compared to what is really possible if people want to share info without anyone being able to snoop.

Think about code/file repositories, adding data into binaries on a download site, using DNS/DNSSEC with a custom DNS server.

There are so many possibilities to covertly communicate, it is almost hilarious to think that any form of wholesale monitoring could even begin to halt that.

And to finish, there is this phrase, "Never underestimate the bandwidth of a station wagon filled with backup tapes hurtling at 70kph over the Autobahn" (paraphrased), which, if we were to change backup tapes to 64GB MicroSD cards, would yield us a whopping 1196318.25 TeraBytes (and yes, I know we are already *way* beyond that capacity, but this was the first result in Google. Could have been done by the civil servants and MEPs as well, but hey...).

Data transfer is so ridiculously easy that the internet is just a convenience, not a necessity anymore (although many think it is, us old folks know that living with intermittent 2400 baud is possible).

You will not stop CSAM. You will damage everything else though.