Tag Archive for: CSAM

EuroISPA Position Paper on the CSAM Regulation

As trilogue negotiations on the CSAM Regulation continue, EuroISPA considers that the final framework should fully reflect the overall aim of protecting children online while preserving the security and privacy safeguards that already apply across the digital ecosystem. It should also enable effective and consistent application of the legal and technical framework already in place, addressing genuine gaps without duplicating existing legislation. Our members, from hosting providers to CDN operators, access providers, and VPN services, already run detection and reporting systems and act as trusted flaggers under the Digital Services Act, and the Regulation should build on that engagement rather than override it.

Before introducing new obligations, the Commission and co-legislators should ensure that the technical and legal conditions for compliance are firmly established, starting with a permanent legal basis for voluntary detection rather than one based on temporary derogations. Any new obligations should remain proportionate, targeted, and technologically neutral, and grounded in evidence of a genuine gap rather than assumption.

The Commission should first assess whether the objectives can be achieved through closer alignment with existing instruments, such as the DSA, NIS2, and the e-Evidence Regulation, rather than through additional, overlapping requirements. Coherence with this existing framework, not the creation of a parallel one, should guide the Regulation’s final shape.

Our key positions:

  • Ensure the Regulation does not weaken, circumvent, or disable encryption even on a voluntary basis.
  • Include a permanent legal basis for voluntary detection directly in the Regulation, rather than relying on the temporary ePrivacy derogation.
  • Adopt a cascade approach so only the provider with direct control over the content is obligated to act.
  • Remove provisions that duplicate or conflict with the DSA, the e-Evidence Regulation, the Cybersecurity Act, NIS2, and the GDPR.
  • Align user notification and transparency requirements with the DSA instead of creating separate obligations.
  • Streamline risk assessment and categorisation using the DSA’s staggered, proportionate approach.
  • Strengthen and adequately resource national reporting hotlines and the INHOPE network.
  • Ensure judicial oversight for competent authorities and keep any list of approved technologies voluntary.
  • Avoid regulating data retention separately from the Commission’s ongoing data retention initiative.
  • Treat age assurance as an optional mitigation measure, not a mandatory obligation.
  • Align provider liability with the DSA and protect good-faith voluntary detection efforts from penalty.
  • Conduct a renewed impact assessment given how substantially the text has changed since 2022.

We invite you to read our full position paper below.

Telecom operators must not become content police

Telecommunications companies are the backbone of the Internet, akin to road maintenance operators tasked with ensuring smooth and functional infrastructure. Just as road operators are not expected to monitor vehicles for illegal goods, telecom operators should not be burdened with policing Internet content. Their role would shift drastically from facilitators to enforcers if tasked with such responsibilities.

Intermediaries Are Not Responsible for Data Content

Under the EU’s Digital Services Act (DSA), intermediaries like telecom companies are not liable for content transmitted or stored by their users under certain conditions. The DSA also prohibits general monitoring obligations. However, recent EU legislative initiatives have started imposing new responsibilities on intermediaries, stretching the limits of this limited liability.

For instance, under Article 17 of the DSM Directive, online content-sharing service providers might be held accountable for copyright infringements. Other regulations increasingly require telecom operators to block or monitor online content, such as those addressing terrorist content or child sexual abuse. Even seemingly unrelated laws, onto the operators, like those governing payment services, propose shifting liabilities, such as financial losses from spoofing.

Protecting Communications Secrecy

Commission proposals like the CSAM Regulation suggest requiring all communication services to inspect users’ messages, undermining encryption. Scanning messages before encryption negates its purpose, much like obliging postal workers to read letters before sealing them. The European Court of Human Rights ruled in Podchasov v. Russia (2024) that weakening encryption violates human rights. Yet, Europol and Member States’ police chiefs recently called for breaking encryption for investigations.

These proposals often lack technical understanding, expecting telecom companies to assess the legality of all communications—an impossible and intrusive task. Content regulation should target platforms or sources, not infrastructure providers.

Legislation that weakens communication secrecy threatens human rights, risking a surveillance state akin to China. Good intentions cannot justify such erosion of freedoms.

Asko Metsola

Former legal advisor of FiCom

Joint industry call for allowing the continuation of current Child Sexual Abuse detention practices

Together with other industry associations, EuroISPA is calling on EU Member States to allow the continuation of current Child Sexual Abuse detection practices.

Building on our previous joint statement welcoming the extension of the temporary ePrivacy Directive derogation, we reaffirm that proactive measures against CSA have been instrumental in protecting children online over the past decade.

Joint industry call for protecting encryption in the Child Sexual Abuse Regulation

Together with other industry associations, EuroISPA is calling on EU Member States to preserve the integrity of end-to-end encryption in the Child Sexual Abuse Regulation, and to protect both safety and privacy in the Council position.

Some worrying suggestions have been put on the negotiating table last week which are highly problematic for the privacy of users and the security of the Internet. In our joint statement, we point at other avenues for improvement, including voluntary detection and prevention.

EuroISPA and other tech trade associations and NGOs jointly call on policymakers for a swift adoption of the ePrivacy derogation extension

All signatories share the same goal, which is to create and maintain a safe online environment for children, to detect and remove child sexual abuse (CSA) content online, and to ensure the investigation of offenders, in a manner that is compatible with privacy and human rights.

EuroISPA is particularly proud to see our members CZ.NIC, FiCom, ISPA Austria and ISPA Belgium as individual signatories of the statement, underlining the great commitment of European Internet Services Providers (ISPs) to eradicating online child sexual abuse.

Together, we have agreed to jointly call for a swift adoption of the ePrivacy derogation extension. Below are the main points of our joint call:

  • In the absence of an agreement on the CSA Regulation and the soon-approaching sunset clause of the temporary ePrivacy Derogation, there is a high risk of a legal gap which would prevent interpersonal communications service providers from carrying out selected detection, reporting and removal work against child sexual abuse online.
  • Proactive work against CSA has proven to be effective over the past decade. We therefore ask the European Parliament to support the Commission and the Council on this initiative and call on co-legislators to swiftly adopt the extension of the temporary ePrivacy derogation.
  • We note however that this extension should only be considered as a transitory solution, as the core focus is to agree on a long-term framework, and promptly adopt the CSA Regulation. 

All signatories remain committed to working towards legislation which stands the test of time and that is in the best interest of children.

Signatories: 5Rights Foundation, Agarrados à Net, ARSIS – Association for the Social Support of Youth, Asociația Eliberare, Association Novi Put, Brave Movement, Canadian Centre for Child Protection, Center for Missing and Exploited Children (Centar za nestalu i zlostavljanu decu), COFACE – Families Europe, Computer & Communications Industry Association (CCIA Europe), CZ.NIC (Czech Internet Association), Defence for Children International Nederland – ECPAT Nederland, Developers Alliance, Digital Poland Association (Związek Cyfrowa Polska), DOT Europe, ECPAT Albania, ECPAT Austria, ECPAT Belgium, ECPAT France, ECPAT International, ECPAT Luxembourg, ECPAT Norway, ECPAT Sweden, Eurochild, EuroISPA (European Internet Services Providers Association), FAPMI-ECPAT Spain (Federación de Asociaciones para la Prevención del Maltrato Infantil), FICE Croatia, FiCom (Finnish Federation for Communications and Teleinformatics), Fundacja Dajemy Dzieciom Siłę (Empowering Children Foundation), GSMA, Hintalovon Child Rights Foundation – ECPAT Hungary, “Hope for Children” – CRC Policy Center, IAC – Instituto de Apoio à Criança, ICMEC – International Centre for Missing & Exploited Children Singapore, Internet Watch Foundation (IWF), ISPA Austria (Internet Service Providers Austria), ISPA Belgium, ITI – The Information Technology Industry Council, Marie Collins Foundation, Missing Children Europe, Miúdos Seguros Na Net, Network for Children’s Rights (NCR) (Δίκτυο για τα Δικαιώματα του Παιδιού), Pomoc Deci, Safe Online, Save the Children Europe, Stiftung Digitale Chancen, Stop Sexting, Suojellaan Lapsia, Protect Children ry, Terre des Hommes Netherlands, The Pancyprian Coordinating Committee for the Protection and Welfare of Children, The Smile of the Child, Video Games Europe and WeProtect Global Alliance

EuroISPA and other European Internet industry associations join forces and publish third joint statement on encyption and detection orders under the proposed CSAM Regulation

Building on two previous joint statements published in April 2023 and June 2023, EuroISPA and other European Internet industry associations AFNUM, CISPE.cloud, CCIA Europe, CZ.NIC, Developers Alliance, DOTEurope, eco, FiCom, Freedom Internet, i2Coalition, ISPA Austria, and ITI now call on policymakers to ensure the protection of encryption and to limit detection orders in the EU Regulation laying down rules to prevent and combat child sexual abuse (CSA Regulation).

We firmly stand behind the European Commission’s overarching objective to prevent and combat child sexual abuse, but we believe certain improvements need to be introduced in the proposed CSAM Regulation.

To this end, we call on EU policymakers to:

1) defend the rights to privacy and confidentiality of communications through the specific protection of encryption;

2) make sure that detection orders are a last resort measure;

3) limit detection orders to those with the ability to act.

The undersigned industry associations remain deeply committed to making the digital space safer for everyone and in particular to protecting children online.

Read the full statement: CSAM – Joint call for safeguarding encryption and limiting detection orders

EuroISPA and other European Internet industry associations join forces and publish second joint statement on the proposed CSAM Regulation’s risk mitigation measures

Building on their initial joint statement published in April 2023, European industry associations ACT | The App Association, CCIA Europe, Developers Alliance, DOT Europe, eco, EuroISPA, FiCom, and ITI call on policymakers to maintain the flexibility for providers to choose the most appropriate risk mitigation measures and to acknowledge the value of voluntary measures to combat child sexual abuse online in a follow-up paper.

The associations and their members, active in the European Internet industry, agreed on the importance of the European Commission’s proposal to ensure the EU is committed to making the digital space safe for everyone, especially for children.

However, they are now together pointing at a specific part of the text, namely risk mitigation measures, which needs to be improved in order to achieve a legislative framework that helps the detection and prosecution of crimes, and the safeguarding of children.

To do so, the signatories recommend:

  • To broaden the risk mitigation efforts recognized by the proposal to account for voluntary efforts, including prevention work ;
  • To maintain the possibility for providers to take into account relevant differences, including between content types and services, when selecting appropriate and proportionate mitigation measures ;
  • To create an express legal basis for ICS providers to process communications data for the purposes of prevention, detection and reporting with appropriate safeguards ;
  • To expressly authorize broader voluntary efforts to fight CSA for all providers within the scope of the Regulation.

This joint industry statement is the result of a substantial joint effort between the signatories, coordinated by DOT Europe, that shows the unified commitment of several associations with a diverse membership and active in the sector at European level to protect children online.

EuroISPA and other European Internet industry associations join forces and publish a joint statement on the proposed CSAM Regulation

European industry associations ACT | The App Association, CCIA Europe, CISPE Cloud, Dot Europe, eco, EuroISPA, FiCom, ISPA Austria and ITI have published a joint industry statement in which they call the European Commission to amend some key points of the proposed Regulation laying down rules to prevent and combat child sexual abuse.

The associations and their members, active in the European Internet industry, agreed on the importance of the European Commission’s proposal to ensure the EU is committed to making the digital space safe for everyone, especially for children.

However, they are now together drawing attention to how certain measures contained in the proposed Regulation need to be amended in order to reach the goals the Regulation is set to achieve.

To do so, signatories have formulated recommendations to amend six key aspects of the proposal:

  • The narrowing of the scope and definitions
  • The risk assessment, mitigation and reporting
  • The inclusion of voluntary measures
  • The use of detection, removal and blocking orders
  • The importance of safeguarding encryption
  • The role of the EU Centre

This joint industry statement is the result of a substantial joint effort between the signatories, coordinated by EuroISPA, that shows the unified commitment of several associations with a diverse membership and active in the sector at European level to protect children online.

EuroISPA hosts expert roundtable on privacy and encryption

On Thursday, 23rd of March 2023, EuroISPA hosted an in-person expert roundtable on privacy and encryption, organised in the context of the European Commission’s proposal for a Regulation to prevent and combat child sexual abuse.

The event gathered a distinguished expert panel comprised of Mr Matthew Green, Associate Professor at the Johns Hopkins University and expert on applied cryptography and cryptographic engineering, Ms Arda Gerkens, CEO and founder of EOKM, as well as Ms Ella Jakubowska, Senior Policy Advisor at EDRi.

EuroISPA’s Board member, Thomas Bihlmayer (eco), moderated the discussion and introduced EuroISPA’s views from its position as a constructive contributor to child protection and privacy debates, thanks to its diverse membership (hotlines, ISPs of all sizes, platforms, cloud infrastructure services, etc.) that is at the forefront of the efforts to protect children online.

He highlighted EuroISPA’s commitment with the Commission’s objective to prevent and combat child sexual abuse and noted concerns over several aspects of the proposal. He focused on the operability of the regulation and on the dangers of breaking encryption, which will have a direct impact on the technical Internet infrastructure and impede efforts to create an Internet which enhances trust, user privacy, and freedom of expression.

Professor Matthew Green expressed concerns about the lack of understanding of the technical implications of the Commission’s proposal, and the possible harm that could bring to the security of global communications systems. During his intervention, he stressed the technical limitations of such proposed measures and the issue of over-relying on them, considering encryption is a very young area. For him, the proposal would benefit from an in-depth evaluation by scientists and researchers in Europe, which in his view should be seen as a pre-condition for mandating new technologies. (He shared his intervention in a more extensive version on his blog).

Representing the Dutch hotline, Arda Gerkens highlighted the issues of weakening encryption, compromising the security both for children and adults. She also noted the potential positive points, especially when it comes to the creation of a EU Centre as a centre for knowledge and support in the EU. She further explained how the approach of the Netherlands to fight child sexual abuse is working, noting some of the main elements that could be brought to EU level.

Finally, Ella Jakubowska raised the perspective of civil society. She explained why the proposed measures will lead to unreliable client-side scanning practices, undermining end-to-end encryption and making our devices more vulnerable to attacks from malicious actors, all without addressing the core issues or finding the right solutions to tackle child sexual abuse.

The panel discussion was followed by a Q&A session were participants had the opportunity to exchange about the compatibility of these measures with privacy legislation, the potential for improvement of scanning technologies as well as other solutions to allow fighting child sexual abuse without hindering privacy safeguards and fundamental rights.

This session is one of the different actions that EuroISPA is taking around encryption, privacy and the Commission proposal to fight Child Sexual Abuse Material online.

If you would like to know more about EuroISPA’s work on the topic, you can contact [email protected].

To read our Position Paper on the proposed CSAM Regulation, click on the button below.

Position Paper on the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse

14 September 2022EuroISPA publishes its Position Paper expressing concerns about the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse. The document highlights risks of inoperability and technical unfeasibility, concerns around compatibility with the GDPR, DSA, ePrivacy Directive, NIS2, and the Open Internet Regulation, as well as emphasising worries about excessive administrative burdens on SMEs.

EuroISPA, a pan-European association which represents over 3,000 Internet Services Providers (ISPs), works to advocate for the needs both of the wider industry and of users. This position paper is one example of how the association’s members work together to draft recommendations for EU policy makers that can be implemented by the industry in order to tackle the issue at hand.  EuroISPA members are at the forefront of the efforts to protect children online and have a longstanding relationship with law enforcement authorities to assist them in the fight against child exploitation.

Download the Position Paper here.