Our increasing reliance on digital technology for personal, economic, and government affairs has made it essential to secure the communications and devices of private citizens, businesses, and governments. This has led to pervasive use of cryptography across society. Despite its evident advantages, law enforcement and national security agencies have argued that the spread of cryptography has hindered access to evidence and intelligence. Some in industry and government now advocate a new technology to access targeted data: client-side scanning (CSS). Instead of weakening encryption or providing law enforcement with backdoor keys to decrypt communications, CSS would enable on-device analysis of data in the clear. If targeted information were detected, its existence and, potentially, its source, would be revealed to the agencies; otherwise, little or no information would leave the client device. Its proponents claim that CSS is a solution to the encryption versus public safety debate: it offers privacy -- in the sense of unimpeded end-to-end encryption -- and the ability to successfully investigate serious crime. In this report, we argue that CSS neither guarantees efficacious crime prevention nor prevents surveillance. Indeed, the effect is the opposite. CSS by its nature creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which client-side scanning can fail, can be evaded, and can be abused.