
Bugs in our Pockets: The Risks of Client-Side Scanning (2110.07450v1)

Published 14 Oct 2021 in cs.CR and cs.CY

Abstract: Our increasing reliance on digital technology for personal, economic, and government affairs has made it essential to secure the communications and devices of private citizens, businesses, and governments. This has led to pervasive use of cryptography across society. Despite its evident advantages, law enforcement and national security agencies have argued that the spread of cryptography has hindered access to evidence and intelligence. Some in industry and government now advocate a new technology to access targeted data: client-side scanning (CSS). Instead of weakening encryption or providing law enforcement with backdoor keys to decrypt communications, CSS would enable on-device analysis of data in the clear. If targeted information were detected, its existence and, potentially, its source, would be revealed to the agencies; otherwise, little or no information would leave the client device. Its proponents claim that CSS is a solution to the encryption versus public safety debate: it offers privacy -- in the sense of unimpeded end-to-end encryption -- and the ability to successfully investigate serious crime. In this report, we argue that CSS neither guarantees efficacious crime prevention nor prevents surveillance. Indeed, the effect is the opposite. CSS by its nature creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which client-side scanning can fail, can be evaded, and can be abused.

Authors (14)
  1. Hal Abelson (4 papers)
  2. Ross Anderson (46 papers)
  3. Steven M. Bellovin (4 papers)
  4. Josh Benaloh (5 papers)
  5. Matt Blaze (2 papers)
  6. Jon Callas (1 paper)
  7. Whitfield Diffie (1 paper)
  8. Susan Landau (3 papers)
  9. Peter G. Neumann (2 papers)
  10. Ronald L. Rivest (17 papers)
  11. Jeffrey I. Schiller (1 paper)
  12. Bruce Schneier (9 papers)
  13. Vanessa Teague (34 papers)
  14. Carmela Troncoso (54 papers)
Citations (36)

Summary

Risks and Implications of Client-Side Scanning in Digital Privacy and Security

The paper "Bugs in our Pockets: The Risks of Client-Side Scanning" by Abelson et al. critically examines the proposition of client-side scanning (CSS) as a tool for reconciling the dual objectives of personal privacy and public safety in the digital age. Written by an illustrious line-up of authors from leading academic institutions, renowned for their expertise in cryptography and security, the paper presents a comprehensive critique of CSS. It explores the potential threats CSS poses to individual privacy and societal security, and it challenges the asserted benefits and efficacy of this proposed technological solution.

Technical Assessment

The proposal for CSS is situated amid escalating tensions between the widespread use of encryption for privacy and the increasing demands by law enforcement for digital surveillance capabilities. CSS represents an approach where content on user devices is scanned directly before or after encryption. It is presented as a mechanism to detect targeted content, such as child sexual abuse material (CSAM), on devices, potentially providing law enforcement agencies a means to prevent crime without weakening encryption itself. However, the paper strongly argues that CSS is fraught with technical and security risks that fundamentally undermine its stated goals.

Security and Privacy Concerns

The security implications of CSS are significant and wide-ranging, affecting all strata of society. A notable assertion in the paper is that CSS exacerbates rather than mitigates risks related to surveillance and privacy invasions. The inherent design choices required by CSS systems create substantial vulnerabilities:

  1. Bulk Surveillance: CSS effectively constitutes mass surveillance as it operates at the level of entire populations without individualized suspicion or warrants.
  2. Expansion of Surveillance Scope: The paper highlights that once CSS infrastructure is in place, its use can easily extend beyond its initial targets. There is a risk of 'mission creep', where scanning extends to a wider array of content types and formats, driven by legal, political, or technical pressures.
  3. Local Adversaries: The potential for abuse extends beyond state actors to local adversaries, such as malicious partners or family members who could leverage CSS capabilities in harmful ways.
  4. Vulnerabilities to Misuse: Given that most devices have security weaknesses, CSS offers various adversaries an opportunity to exploit these vulnerabilities for malicious purposes. This includes both insider threats and external actors like hostile nation-states or cybercriminals.

Evaluation Against Policy and Security Principles

Employing classic security engineering principles and policy frameworks, the authors underscore that CSS does not meet fundamental criteria such as separation of privileges, transparency, and minimization of the trusted computing base. Notably, they underline the lack of assurance mechanisms to verify CSS functionality without imperiling security and privacy. This is compounded by a violation of the principle of least privilege, where CSS necessitates expansive access across user devices.

Case Study: Apple's Proposal

Apple’s 2021 proposal for implementing CSS to detect CSAM is scrutinized in the paper. Despite the employment of advanced cryptographic measures and safeguards—such as requiring multiple entities in different jurisdictions to approve content before it's identified as harmful—the design is still criticized for failing to establish a system that is simultaneously secure, trustworthy, and transparent.

Practical Implications and Future Direction

The implications of deploying CSS are profound on several fronts. In practice, scalability issues related to false positives, heightened adversarial attacks, and operational fragility in enforcement become evident. Against this backdrop, the authors advocate for stringent technical evaluation and policy scrutiny before any consideration of widespread CSS implementation.

In conclusion, while CSS is posited as a midpoint between privacy and public safety, the authors of the paper convincingly argue that it compromises both. The ongoing debate surrounding the technology makes it clear that decisions to deploy CSS must be approached with caution and informed by robust public discourse and technical insights. This paper serves as a critical resource for policymakers and researchers, advocating for a reconsideration of CSS based on its myriad risks and challenging the narrative of its necessity and efficacy.
