EU Lawmakers Face Pressure for Transparency in Dealings with Child Safety Technology Firm Thorn

EU's Controversial Proposal on CSAM Detection Faces Scrutiny

European Union lawmakers are grappling with significant challenges regarding the bloc's proposed legislation to implement surveillance technologies, including client-side scanning of digital messages, aimed at detecting child sexual abuse material (CSAM). This week, the Commission’s ombudsman revealed findings of maladministration concerning the EU executive's refusal to disclose more comprehensive information about its communications with a child safety technology provider.

In 2022, the Commission released some documents linked to its discussions with Thorn, a U.S.-based company that claims to offer AI solutions for detecting and removing CSAM. However, they withheld other documents. This situation arose from a June 2022 complaint by a journalist seeking public access to these documents.

EU Ombudsman Emily O’Reilly has recommended that the Commission "reconsider its decision to significantly increase, if not fully grant, public access to the documents." She emphasized the urgency of her recommendation, given the legislative timeline related to this proposal.

Initially presented in May 2022, the Commission's proposal mandates digital service providers to employ automated systems for detecting and reporting both existing and new instances of CSAM. Additionally, it seeks to identify grooming activities directed at children on these platforms. The proposal is currently under negotiation by the European Parliament and Council. The ombudsman stresses that greater transparency is critical to holding EU lawmakers accountable, suggesting that public access to these documents would enable citizens to engage in a process that could potentially infringe upon their privacy rights.

Moreover, O’Reilly argues for public scrutiny of the sponsors influencing the legislative process, stating, "Stakeholders who provide input should not do so behind closed doors."

Critics argue that the Commission's message-scanning proposal has been heavily influenced by lobbyists from proprietary child safety technology firms that stand to gain from laws enforcing automated CSAM checks. Concerns raised at a seminar by the European Data Protection Supervisor last fall included claims that the proposal would be both ineffective in combating child sexual abuse and a serious threat to fundamental freedoms within a democratic society.

In response, parliamentarians are advocating for a revised approach that would eliminate the requirement for messaging platforms to scan end-to-end encrypted messages, among other limitations. Nevertheless, EU legislation involves collaboration between the Commission and the Council, and it's unclear how the discussions will conclude.

On Monday, the Commission's response to the ombudsman’s recommendation indicated a deliberate pace in addressing the maladministration finding, citing a deadline of March 19 to respond fully. This timeline suggests that a swift resolution is unlikely, raising concerns of inaction on the pressing issue.

Regarding the contentious legislative proposal, the Commission encountered previous internal scrutiny after microtargeted ads promoting it were flagged for using potentially sensitive personal information. In November, privacy rights organization noyb filed a complaint against the Commission over this matter before the European Data Protection Supervisor.

While an internal investigation into the microtargeting incident is ongoing, results have yet to be made public. The EU ombudsman recently cited this investigation as a reason for not opening a separate inquiry into the targeting complaint, indicating that further examination may not proceed for now.

However, the ombudsman has initiated an investigation into the transfer of two Europol staffers to Thorn, given concerns about potential conflicts of interest. O'Reilly stated, "I have decided to open an inquiry to explore how Europol managed the transitions of these two former staff members to roles that focus on combating online child sexual abuse." She anticipates receiving relevant documents from Europol by January 15, 2024.

As the ombudsman continues her investigation, it remains to be seen how the communications between Europol and Thorn will unfold. This raises potential implications for transparency in dealings between EU institutions and industry lobbyists, prompting a reexamination of the influence wielded by commercial child safety tech companies over EU policy.

Investigative journalism from BalkanInsight has raised questions regarding the level of access these firms have gained in the EU's policymaking processes, revealing that emails indicate an ongoing partnership between Thorn and the Commission in shaping the CSAM proposal.

Home Affairs Commissioner Ylva Johansson, who is championing the CSAM-scanning initiative, has rebuffed claims suggesting that lobbying efforts shaped her proposal. Reports also indicate that Europol officials sought unrestricted access to data that would arise from the CSAM regulations and even suggested expanding the scanning capabilities beyond child sexual abuse to include other criminal activities.

Opponents warn that implementing surveillance technology into private messaging systems could create pressure to broaden the range of scanned content in response to law enforcement demands.