What is CSAM scanning?

CSAM scanning is an automated process used by online platforms to detect Child Sexual Abuse Material. It primarily uses technology called 'perceptual hashing' to create a digital fingerprint of an image or video and compare it against a database of known illegal content. It can also use AI to detect new material or suspicious behavior.

Are humans reading my private messages?

Generally, no. The initial detection is done by automated systems. Only content that is flagged by these systems as highly likely to be CSAM is then reviewed by trained human moderators before being reported to law enforcement. The vast majority of user data is never seen by a person.

Why did the EU law that allowed this scanning expire?

The law, known as Regulation (EU) 2021/1232, was a temporary 'derogation' or exception to the ePrivacy Directive. It was enacted in 2021 as a stopgap measure to give EU lawmakers time to develop a permanent, comprehensive legal framework. That permanent solution has been delayed due to intense debate, causing the temporary law to expire on June 15, 2024.

What is 'Chat Control' and why is it so controversial?

'Chat Control' is the critical name given to the EU's proposed CSA Regulation. It aims to create a permanent legal basis for CSAM detection. The controversy stems from its proposal to mandate scanning on all communication services, including end-to-end encrypted platforms. Critics argue this would require breaking encryption, effectively creating a system of mass surveillance that would undermine the security and privacy of all users.

Does this scanning affect end-to-end encrypted apps like Signal or WhatsApp?

For now, the voluntary scanning does not apply to the content of end-to-end encrypted messages, because the platforms technically cannot see it. However, Meta does scan unencrypted metadata and user reports on WhatsApp. The primary concern is that the proposed 'Chat Control' law could force these services to build backdoors or use client-side scanning to analyze content before it's encrypted, fundamentally compromising their privacy.

Big tech continues CSAM scanning in Europe's legal vacuum, igniting privacy firestorm

Introduction: A Commitment in a Legal Void

In a move that highlights the profound tension between child protection and digital privacy, several of the world’s largest technology companies have declared they will continue to voluntarily scan for Child Sexual Abuse Material (CSAM) in the European Union. This decision, announced in a joint statement by Microsoft, Google, Meta, and Snap on June 14, 2024, comes just as the temporary EU law that provided the legal grounds for these activities expired.

The companies are now operating in a legal grey area, a self-imposed continuation of a controversial practice without an explicit legislative mandate. While their stated goal is the unequivocal good of protecting children, the action has sent shockwaves through privacy advocacy circles, which warn of a dangerous precedent for mass surveillance. This development places intense pressure on EU lawmakers, who are currently deadlocked over a permanent and highly contentious replacement law, colloquially known as "Chat Control."

Technical Details: The Automated Eye on Your Data

To understand the controversy, it’s important to demystify how this scanning works. This is not a system of human moderators reading every user's messages or inspecting every photo. The detection is overwhelmingly automated and relies on sophisticated technologies designed to identify known illegal content and suspicious patterns with high accuracy.

The primary method is **perceptual hashing**. Think of it as a digital fingerprint for an image or video. When a user uploads a file, the platform's system generates a unique hash—a string of characters—based on its visual characteristics. This hash is then compared against a massive, shared database of hashes corresponding to known CSAM, maintained by organizations like the U.S. National Center for Missing and Exploited Children (NCMEC) and the UK’s Internet Watch Foundation (IWF). A match triggers an alert for human review and a subsequent report to law enforcement.

Perceptual hashing is powerful because it can identify content even if it has been slightly modified—resized, cropped, or color-adjusted. Beyond hashing, platforms increasingly deploy **Artificial Intelligence and Machine Learning (AI/ML) models**. These systems are trained to detect not just known CSAM, but also new, previously unseen material by identifying tell-tale characteristics. They can also analyze text-based conversations for patterns indicative of grooming behavior, helping to intervene before abuse escalates.

Crucially, these scans currently apply to content where the platform has access, such as public posts on social media, files in cloud storage like Google Drive or OneDrive, and messages on services that are not end-to-end encrypted. The core of the current legislative debate in the EU is whether to mandate the extension of these scans into private, end-to-end encrypted communications, a move that security experts argue would fatally undermine the very concept of secure encryption.

Impact Assessment: A Collision of Rights and Responsibilities

The decision to continue scanning creates a complex web of consequences for all parties involved.

For Child Safety

The most direct beneficiaries are the victims of child abuse. The continued flow of reports from tech companies to law enforcement is critical for identifying victims, apprehending perpetrators, and dismantling distribution networks. Child protection organizations have welcomed the companies' commitment, emphasizing that any interruption in this data stream could have devastating real-world consequences. The legal ambiguity, however, could lead to inconsistent application across platforms, potentially creating enforcement gaps.

For User Privacy

For privacy advocates, this is a five-alarm fire. Operating a system of mass content scanning without a clear, specific, and democratically enacted legal basis is seen as a direct violation of fundamental rights guaranteed under the EU Charter, particularly the right to privacy and data protection. The European Digital Rights (EDRi) network and others argue that it normalizes the idea of generalized surveillance and weakens the case against the far more invasive "Chat Control" proposal. It creates a chilling effect, where users may no longer trust that their private communications and stored files are truly private.

For Technology Companies

The tech giants are walking a tightrope. On one hand, they demonstrate a commitment to corporate responsibility. On the other, they expose themselves to significant legal risk. Without the shield of the expired EU derogation, they could face challenges and hefty fines from national data protection authorities under the GDPR for processing user data without a valid legal basis. Their joint statement is as much a declaration of intent as it is a plea to Brussels for a “long-term, harmonized solution” that provides legal certainty.

For EU Lawmakers

The ball is now firmly in the court of the European Parliament and Council. The companies' move forces the issue, demonstrating that the technology exists and is in use. Proponents of the CSA Regulation will point to this as proof of its necessity and feasibility. Opponents will highlight the dangers of allowing private companies to conduct surveillance in a legal vacuum, underscoring the need for a law that contains ironclad safeguards for privacy and rejects any mandate that would break encryption.

How to Protect Yourself

While much of this scanning happens on servers beyond your direct control, you can take steps to better protect your digital privacy.

Prioritize End-to-End Encryption (E2EE): Use messaging services like Signal, which are built on the principle that no one, not even the company running the service, can access your message content. While the current voluntary scanning doesn't affect these services, the proposed EU legislation aims to change that, making support for strong E2EE more important than ever.
Be Mindful of Cloud Storage: Understand that files stored on major cloud services may be subject to scanning. For highly sensitive personal data, consider using E2EE cloud storage providers or encrypting your files locally before uploading them.
Segregate Your Digital Life: Avoid using platforms known for data scanning for sensitive personal communications or file storage. Use different services for different purposes based on their privacy policies and technical architecture.
Stay Informed and Advocate: Follow the legislative debate around the CSA Regulation. Support digital rights organizations that are fighting to protect privacy and secure communications in Europe and beyond.
Secure Your Connection: While it won't prevent platform-level scanning of uploaded content, using a trusted VPN service can shield your internet traffic from being monitored by your internet service provider or on insecure public Wi-Fi networks, adding a critical layer of privacy to your online activities.

Conclusion: An Uneasy Path Forward

The commitment by Big Tech to continue fighting CSAM is commendable in its intent but deeply troubling in its execution within a legal void. It represents a pivotal moment in the global debate over online safety and privacy. The actions taken are a temporary, high-risk solution to a problem that demands a permanent, rights-respecting legal framework. How the EU resolves the deadlock over the CSA Regulation will not only define the future of privacy for its 450 million citizens but will also set a powerful global precedent for how we balance the profound responsibility to protect the vulnerable with the fundamental right to a private life.