Bugs in Our Pockets: The Risks of Client-Side Scanning – CYSE 201S

Jermiah Robinson

March 29th, 2024

CYSE 201S – Cybersecurity
Article Link: https://academic.oup.com/cybersecurity/article/10/1/tyad020/7590463?searchresult=1

Bugs in Our Pockets: The Risks of Client-Side Scanning

Encryption became a key aspect of our lives nearly 50 years ago. With encryption, information has been made much more secure, and files sent over the web are encrypted to prevent outsiders from gaining access to them. However, in the process, encryption has led governments and larger companies to wonder how they will be able to gather data from users. To circumvent encryption entirely, governments and corporations have been advocating for the use of Client-Side Scanning (CSS), which bypasses encryption by gathering data before it is even sent to be encrypted, in order to aid cyber forensics. While this sounds good, there are far more concerns with CSS, and this review reveals what it actually is and explains why it is not good at all. (Abelson et al., 2024)

With Client-Side Scanning, data is immediately analyzed by the device and stored before being encrypted, which could allow some dangerous activity to be caught before it even happens. While this is promoted as good for society and for the protection of others, it comes with serious privacy concerns and can be abused easily by law enforcement and large corporations. It is stated that CSS would offer privacy; however, user data is not included and is searched without consent from the user. This means that there is basically no privacy, as user data is still gathered without any approval. This leads to other issues about what specifically is collected and what safeguards are used to keep third parties from gathering this data as well. (Abelson et al., 2024)

Apple had also proposed the idea of CSS on future systems and eventually implemented through updates to older systems in August 2021. Researchers and members of other organizations, like Eric Rescorla of Mozilla and Daniel Kahn Gillmor of the American Civil Liberties Union (ACLU), have also cited and reported on these issues with CSS. Apple, however, was unable to design proper CSS and did not push this idea out. In turn, this research provides key points for the discussion below and more information about CSS. (Abelson et al., 2024)

Another massive issue with Client-Side Scanning is its ability to analyze stored information. While it prides itself on protecting users and still offering data protection, it will scan information stored on the device, even videos, documents, and images, which allows governments and corporations to have better help with diffusion. Systems like phones, watches, computers, etc. will have this software, which would alert authorities depending on the targeted material and completely avoid encryption by scanning before encryption. This could even allow authorities to view notes, and it would basically become a wiretap in the system, able to log almost everything the user downloads and creates on the system without the user being able to know this is happening. This can be especially dangerous to researchers, smaller businesses, etc. (Abelson et al., 2024)

In conclusion, Client-Side Scanning is not safe at all for users who are concerned about their privacy. CSS opens the gates for authorities to immediately gather everything that is on the device without even stating anything to users. With the assistance of researchers and organizations, this article exposes the true side of CSS and shows how dangerous it is if installed onto systems, for the public to keep an eye on.

Works Cited

Abelson, H., Anderson, R., Bellovin, S. M., Benaloh, J., Blaze, M., Callas, J., Diffie, W., Landau, S., Neumann, P. G., Rivest, R. L., Schiller, J. I., Schneier, B., Teague, V., & Troncoso, C. (2024, January 27). Bugs in our pockets: The risks of client-side scanning. OUP Academic. https://academic.oup.com/cybersecurity/article/10/1/tyad020/7590463?searchresult=1. Accessed 29 March 2024.

Gillmor, D. K. (2021). Apple’s new ‘child safety’ plan for iPhones isn’t so safe. https://www.aclu.org/news/privacy-technology/apples-new-child-safety-plan-for-iphones-isnt-so-safe/

Rescorla, E. (2021). Overview of Apple’s client-side CSAM scanning. Educated Guesswork. https://educatedguesswork.org/posts/apple-csam-intro/