One-Man Spam Campaign Ravages EU 'Chat Control' Bill

An anonymous reader shares a report: A website set up by an unknown Dane over the course of one weekend in August is giving a massive headache to those trying to pass a European bill aimed at stopping child sexual abuse material from spreading online.

The website, called Fight Chat Control, was set up by Joachim, a 30-year-old software engineer living in Aalborg, Denmark. He made it after learning of a new attempt to approve a European Union proposal to fight child sexual abuse material (CSAM) -- a bill seen by privacy activists as breaking encryption and leading to mass surveillance.

The site lets visitors compile a mass email warning about the bill and send it to national government officials, members of the European Parliament and others with ease. Since launching, it has broken the inboxes of MEPs and caused a stir in Brussels' corridors of power. "We are getting hundreds per day about it," said Evin Incir, a Swedish Socialists and Democrats MEP, of the email deluge.

Framing.

[Gravis Zero]

He made it after learning of a new attempt to approve a European Union proposal to fight child sexual abuse material (CSAM) — a bill seen by privacy activists as breaking encryption and leading to mass surveillance.

That's quite the framing. Instead of saying what the bill does, they write what they bill hopes to accomplish without mentioning how it does it. I have looked into it but given the history of politicians, I would be this is another, "we can't let the little people have secure communications, think of the children!" campaign to restrict the use of encryption.

I am 100% on board with fighting the exploitation of children but insisting on an an Orwellian approach is the only way to do this is lazy thinking at best.

Re:

[easyTree]

Even if politicians weren't (let's be charitable) less-than-forthcoming, what mechanism is there to snoop on the nominal targets other than intercepting <everything> ?

I'd be interested in a commitment that if they do authorise themselves to snoop on everything, they commit to catching every single one of them and if they don't, they (personally - not the taxpayer) suffer financial consequences.

Also, which mechanism could be put in-place to ensure that noone can use the ability to read everything every

Re:Framing.

[korgitser]

Instead of saying what the bill does, they write what they bill supposes to accomplish without mentioning how it does it.

FTFY. Never confuse what is used to sell a bill with what the bill is actually for. Politicians figure out what they want to do, and PR people figure out how to get the public on board. Rarely is there a solid connection between these two.

And with regard to CP in particular, why on earth would any of us believe those Epstein island politicians give a rats ass about children.

Re:Framing.

[0123456]

The purpose of a bill is what it does.

This bill introduces total surveillance of private messaging. That's what it's for.

Re:

[thrasher thetic]

Politicians always and only lie. The unaccountable bureaucrats in the EU are just a particularly wretched example of the type. You'd have a significantly better rate of accuracy predicting what any given piece of legislation will do by assuming its the exact opposite of whatever it was titled.

Its not even a question of well-meaning stupidity or evil at this point. If they were merely misguided, they'd get it right occasionally if only by accident.

Re:

[Snert32]

Oh, they love children all right ... just not in the considerate way you may be viewing them ..

Re:

[MachineShedFred]

Also, the hyperbole of "breaking inboxes" by sending a few hundred emails - what is this, 1993?

I'm sure their email server is more than capable of dealing with a few hundred thousand emails per day, and these assholes are just having a whinge that they someone made it easier to give electeds feedback about their stupid draconian crap that they justify "for the children" which may not even be technically feasible.

Re:

[unrtst]

Also, the hyperbole of "breaking inboxes" by sending a few hundred emails - what is this, 1993?

Came here to say the same! A few hundred emails!?!? At my previous job, I got far more than that daily that were work related, and a couple dozen a day that got replies.

On the plus side, this is welcome news for people wanting to complain to their representatives. I've been assuming that a few emails a day would go entirely unnoticed but, if they view a few hundred as breaking inboxes, maybe the voices of a few can be easily heard?

Re:Framing.

[serafean]

> Also, the hyperbole of "breaking inboxes" by sending a few hundred emails - what is this, 1993?

The Czech electronic id system collapsed during last week's elections when it got to the insane rate of 100 requests per second... (averaged - 1,5 million in 4 hours)

Never underestimate how these systems fail under higher load.

Re:

[ruddk]

And lets not forget that politicians are exempt from this monitoring. soo. is it not secure enough that they trust the privacy of politicians with this thing.

FUD

[AmiMoJo]

Unfortunately the website in question is not accurate. For example: https://fightchatcontrol.eu/#o... [fightchatcontrol.eu]

"Breaking Encryption
Weakening or breaking end-to-end encryption exposes everyone's communicationsâ"including sensitive financial, medical, and private dataâ"to hackers, criminals, and hostile actors."

That is not true. The requirement is for the app that sends or receives the message to scan it locally, against a database of known illegal images and URLs. No encryption is broken, the message is scanned only by apps that have access to the plaintext so that the user can send/receive the message.

The other claims seem accurate and are much more compelling. Apple tried it, it didn't work, it can't work, and it won't be effective.

If we are going to fight this, it needs to be done based on true and accurate information. I imagine most of these MEPs will be told that the claims are not true, and dismiss all opposition as being based on disinformation.

Re:

[Pinky's Brain]

It sends (false) positives to the authorities not encrypted by keys you hold, so in that respect it selectively breaks the encryption.

Re:

[AmiMoJo]

It does not send anything anywhere. Show us your citation for this claim that the authorities will be sent blocked images and URLs.

It wouldn't make sense to do so, due to the high false positive rate and the fact that in many member states there would be no way to send those images anywhere without becoming party to the distribution of illegal material.

Re:

[AleRunner]

https://edri.org/wp-content/up... [edri.org]

The CSAR requires every piece of suspected CSAM that is not “manifestly unfounded” (for example, a picture of a kitten that has been mistakenly flagged as CSAM) to be reported to national police for investigation

Re:

[cmseagle]

It does not send anything anywhere. Show us your citation for this claim that the authorities will be sent blocked images and URLs.

Europa.eu [europa.eu]

Article 12.1 - Reporting Obligations:

Where a provider of hosting services or a provider of interpersonal communications services becomes aware in any manner ... of any information indicating potential online child sexual abuse on its services, it shall promptly submit a report thereon to the EU Centre in accordance with Article 13.

Article 13.1 - Specific requirements for reporting:

Providers of hosting services and providers of interpersonal communications services shall submit the report referred to in Article 12 using the template set out in Annex III. The report shall include:

...

(c) all content data, including images, videos and text;

...

I'm not a lawyer, and would be happy to be corrected by one, but that sure reads like they have to send the blocked content to the authorities.

Re:

[AmiMoJo]

That's not relating to E2EE messaging. It says "become aware", and they are under no obligation to make themselves aware. Only to scan, on device, and block.

Re:

[cmseagle]

That doesn't comport with other language in the document. Article 10.6:

Where a provider detects potential online child sexual abuse through the measures taken to execute the detection order, it shall inform the users concerned without undue delay, after Europol or the national law enforcement authority of a Member State that received the report pursuant to Article 48 has confirmed that the information to the users would not interfere with activities for the prevention, detection, investigation and prosecution of child sexual abuse offences.

So, when "measures taken to execute the detection order" (i.e., chat scanning technology) detect CSAM, the service provider needs to get in touch with Europol with their official report (including content, as referenced in section 12).

They also go into more details on the ways in which a provider may "become aware" of CSAM on their platform:

Therefore, [providers of publicly available interpersonal communications services] should be required to report on potential online child sexual abuse on their services, whenever they become aware of it ... it should be immaterial in which manner they obtain such awareness. Such awareness could, for example, be obtained through the execution of detection orders, information flagged by users or organisations acting in the public interest against child sexual abuse, or activities conducted on the providers’ own initiative

Where a "detection order" is the way in which the EU will mandate that a service provider deploy

Re: FUD

[Samuel Silverstein]

You're not as familiar with this as you think. The overwhelming majority of data sent is a false positive. And Apple didn't try it, they were going to but buckled under public pressure in the US.

Besides, the EU mostly just pays lip service to privacy. Everybody makes a huge deal out of age verification laws here in the US for even pornography, but in Europe they're not only common even outside of pornography but there's even public backlash against companies that don't do it. See for example steam's refusal

Re:

[AleRunner]

1) from what I have read so far it won't be the application itself, instead, you will use Facebook messenger or whatever and that will send to a third party app which will do the scanning.

2) that app then sends some notification of what it has found

So in order to attack this, simply include an image proposing a new meeting of whichever group of democratic dissidents you want to attack. Perhaps include a photo of an innocent naked child so you can block publication later but make it transparent and difficult

Re:

[gwjgwj]

Does it mean, that every user will have a database of known illegal images locally? Good reason to arrest everybody for possession.

Re:

[AmiMoJo]

Apple used an image hash that was supposed to work even when the image read transformed slightly, but it was easy to create false positives.

Re:

[gweihir]

Actually, that _is_ true. It just requires a bit more thinking to see it. Local scanning means an update and feedback channel outside of user control and that channel will also need to be able to push code updates. And that is a risk, and, given the usual quality of government "software engineering", a severe risk.

Also note that as soon as they have this crap in place, they will want more. Never fails.

Re:

[AmiMoJo]

Why would it need feedback? They just update the database that the government gives them.

I might be wrong, it's possible, but I think we need a lot more detail on how this will be implemented.

In any case, it's not breaking encryption, it's targeting the apps. It's always been the case that you don't use WhatsApp if you don't want your messages to be seen by law enforcement eventually.

Re:

[gweihir]

Basics software engineering. You need a status code sent back to know whether an update was successful.

Re:

[AmiMoJo]

Why? Why not let the device worry about if the update completed? And what is the issue with a ping to say update complete? That's not decrypting and sharing your private messages.

Re:

[gweihir]

Are you seriously asking that question? Dude, switch on your brain.

NOT a spam campaign.

[Gravis Zero]

The term "spam" is also used to describe unsolicited electronic messages, particularly in email, for advertising or phishing purposes

Activism is NOT spam. Whoever wrote this is definitely putting a huge amount of spin (intentionally or not) on this story because spam has significant negative connotations.

Re:

[Valgrus Thunderaxe]

Spam is unwated e-mail. Many of the recipients have made it clear they don't want the e-mails. To them, it's spam.

Re: NOT a spam campaign.

[KF7IOR]

Constituent emails are never spam. Spam is "unsolicited commercial email" so it has to have a commercial purpose for it to be spam. Phishing is also not spam and is also not solicited. We have commonly accepted definitions. Let's use them.

Re:

[ahodgson]

Spam is any bulk communication I didn't consent to receive. It absolutely does not have to be commercial in nature.

Re:NOT a spam campaign.

[Tx]

It's both. He's intentionally spamming the politicians as a form of activism.

Re:

[havana9]

If:

• Spam is unwanted e-mail
• I receve official documents via registered e-mail
• I don't want to receive speeding tickets, that now are sent via e-mail

then speeding tickets are spam.

Re:

[The-Ixian]

And your point is....

Things can fall into several classification buckets simultaneously.

Re:

[allo]

Invoices are also unwanted mail. Are they spam?

Re:

[PPH]

Activism is NOT spam.

That depends on the intent. If it is to communicate, then maybe it's not. Although sending hundreds of individual e-mails is just indicitave of Joachim not understanding how more efficient protocols could be used.

If the intent is to clog up mailboxes, then it's just vandalism. Although I do wonder what sort of crappy system they are using that can't just automatically round file this garbage. I get hundreds of e-mails a day from Nigerian princes. A simple rule "If GMail then delete" takes care of most of t

Re:

[sabbede]

Wait, just because politicians may not want to hear from their constituents does not mean the intent of their constituents was other than telling their employee what to do. So long as the recipient knows what the email is, the number of emails essentially represent votes. It's the same when people overwhelm the switchboards at their representative's offices. A politician would be foolish if they were to ignore what that means.

Re:

[PPH]

the number of emails essentially represent votes.

Not always. Many astroturfing campaigns are based on generating large volumes of social media posts or e-mail to make it appear that the issue at hand has broader based support than it actually does.

The ones who scream the loudest don't always deserve the most attention.

Re:

[sabbede]

Oh, I completely agree. You're right on all points.

Thing is the politicians generally know when it's astroturf and when it actually matters. They may say otherwise publicly (calling it one when they know it's the other), but it's hard to get very far in electoral politics without having a decent grasp on whether or not a sentiment is sincere. Or having someone working for you who does.

Re:

[registrations_suck]

Yeah, no.

If some fuckwit "activist" sends me email promoting whatever their cause is, that is absolutely spam.

Re:

[Gravis Zero]

If some fuckwit "activist" sends me email promoting whatever their cause is, that is absolutely spam.

They are contacting their representatives and offices, not everyday people. This isn't spam.

For the counter-argument...

[Petersko]

https://www.eff.org/deeplinks/... [eff.org]

Re:

[sabbede]

"It cannot be voted out of power."

Well, maybe ask the UK about that. They found a solution.

Aalborg

[Rumagent]

Now there is a name I haven't heard in a while. Hope that Joachim is a proud member of F-klubben! I så fald håber du ikke bare vinder, men vinder stort! Genuinely curious how many will get the reference :)

Re:

[sabbede]

Is it "I have your Wilkes-Barre vintner, let's get him sorted"?

I had no idea it would be so easy to read Dutch!

Hundreds a day!

[kaatochacha]

If only there was some technology that could help them deal with such an unrelenting massive deluge of communications from citizens asking questions!
Why, that means during the average workday, they might have to deal with , say, roughly 12 per hour for the entire office! Think of the stress!

how to break it

[MooseTick]

There are lists of hashes for know child exploitation images that many mail providers use to check against attachments being sent through their system. There are also methods to cause hash collisions which would produce false positives.

So... someone just needs to get the list of "bad" hashes (available online) and make some tiny files people could share/send/receive that match those hashes. Or better yet, randomly add some of those files to the mass emails the site in question is sending to various governme

If you do not want a nice Surveillance Facism...

[gweihir]

... got to act. Nothing wrong with that. Like, at all.

While i do not live in the EU anymore.

[Voice of satan]

I am still an EU citizen.

So i sent emails to my MEPs. I got several detailed answers. Of course, some of them pointed out that while playing Helen Lovejoy, our national (not EU) representatives reduce the number of agents paid to infiltrate child molestation networks (Because this is how you dismantle criminal networks, by classical police work, infiltration, informants, human intelligence, well trained magistrates, not robots who snoop on your wanking material). They also reduce the help available to victims of sex abuse.

So no, they do not care about child abuse, they use it as a pretext to tighten mass surveillance.

P.S. Even abroad i still vote for the Belgian and EU parliaments. I have to. By law.

Wait what?

[sarren1901]

When did the Republicans take over the EU? Oh, I guess government surveillance is interesting to all forms of government of all political stripes. Who knew!

The irony...

[drdaz]

The Swedish MEPs got 100s of emails per day about it, but maintained their pro-dystopian stance on the matter.

Democracy in action.