Hypothesis
While acknowledging the safety debate that proponents of Client-Side Scanning (CSS) pose, the authors of this paper argue against the implementation of CSS by highlighting how it may fail. Society has become, and continues to grow, more reliant on technology. People use cryptography to keep their communications private and secure, which makes it difficult for law enforcement and security agencies to identify targeted data. CSS was invented to give these entities a way to find targeted material without providing them a backdoor or weakening encryption. CSS would allow them to analyze data on client devices, whether they belong to private citizens, businesses, or governments. If targeted information is found on the device, its existence and source may be revealed. Even when this technology is used in a just manner, it raises serious questions about violations of users’ privacy, among other risks.
The Social Science of Client-Side Scanning
The seven social sciences, used to explain social phenomena, are Anthropology, Criminology, Economics, Geography, Political Science, Psychology, and Sociology. Sociology involves the study of social institutions. This is important in this research paper, as CSS is a concern of social institutions such as the National Security Agency (NSA), law enforcement, targeted material providers such as the National Center for Missing and Exploited Children (NCMEC), and service providers such as Facebook, Twitter, or Google. Some of these social institutions were built to serve society, while others are the products of society. This provides a unique dynamic when contemplating the challenges of CSS vs. Server-Side Scanning.
Research Methodology and Analysis
The analysis conducted in this research paper highlights the security and policy principles for content scanning on the client side and the server side. CSS introduces new privacy risks. By creating the capability to scan files that would never otherwise leave a user device, CSS thus erases any boundary between a user’s private sphere and their shared (semi-)public sphere. [1] While CSS is designed to reveal to law enforcement only the material designated by the targeted material providers, unauthorized entities could use this access to their advantage. Using social engineering techniques such as bribery, adversaries may use CSS to search for other content, such as sex-abuse material.
CYSE 201S and Client-Side Scanning
In CYSE 201S, we had a discussion in Module 5 about theories of Cybercrime. For that module, I discussed how Neutralization Theory provided the best reasoning for cybercriminals to commit acts of deviance. In CSS, we can scale criminal impact from a local incident of deviancy to a worldwide invasion of privacy. Neutralization Theory has many facets, but I want to focus on Denial of Injury, which cybercriminals use to justify their behavior by saying that no one was physically hurt. [2] How easy it must be for a person, business, or state to invade a private citizen’s privacy, unbeknownst to them, to disassociate from their actions.
Concerning Marginalized Groups
This article expresses concern for the effect CSS will have on minorities, specifically children, LGBTQ+ members, and victims of spousal abuse. A major justification for the use of CSS is the discovery and reporting of child sex abuse material (CSAM). CSAM is reported and given to targeted material providers such as the NCMEC, who then provide a hash of that material to the service providers. If the hash matches material found on a client’s system, it is reported to law enforcement, who may then take action to enact justice.
This Study’s Contribution to Society
The tracking of CSAM and other such damaging content is an honorable endeavor. No one would argue these things should be allowed to exist, whether on the server or a client’s system. This article does well to show the countermeasure already in place, but it also shows how far we must go to fight back against this content on a technological level. Privacy and security concerns are very real. With examples like China’s Green Dam censorware, politicians, lawmakers, and cybersecurity professionals see the guardrails within which they must work.
Conclusion
Attempts are being made by companies, such as Apple, to find the middle ground regarding CSS employment and capabilities. I was left with the feeling that it is only a matter of time before we see this matter left up to individual companies on whether they use CSS with their technologies, and it will be up to the customer to sacrifice their privacy to combat CSAM and other such examples. In the coming years, we will see litigation about privacy and security concerns for private citizens. We may also see companies invent creative new technologies to expose cybercriminals while minimizing the impact on personal privacy.
References:
[1] Rescorla E. Overview of Apple’s client-side CSAM scanning. Educated Guesswork. 2021. https://educatedguesswork.org/posts/apple-csam-intro/ (22 March 2024, date last accessed).
[2] https://canvas.odu.edu/courses/153108/files/32052816/download?download_frd=1
Journal Research Paper:
https://academic.oup.com/cybersecurity/article/10/1/tyad020/7590463?searchresult=1