IAB Statement on Encryption and Mandatory Client-side Scanning of Content
statement-iab-statement-on-encryption-and-mandatory-client-side-scanning-of-content-01

Document Type: IAB Statement
Title: IAB Statement on Encryption and Mandatory Client-side Scanning of Content
Published: 2023-12-15
Metadata last updated: 2023-12-19
State: Active
Send notices to: (None)
15 December 2023

A secure, resilient, and interoperable Internet benefits the public interest and supports human rights to privacy and freedom of opinion and expression. This is endangered by technologies, such as recent proposals for client-side scanning, that mandate unrestricted access to private content and therefore undermine end-to-end encryption and bear the risk of becoming a widespread facilitator of surveillance and censorship.

This statement is a reaction to recent policy proposals in the [United Kingdom], [European Union], [United States], and other countries that are mandating client-side scans that require access to otherwise end-to-end encrypted content. These proposals envision client-side scanning technologies that search content on devices before it is encrypted or after decryption on receipt. This would potentially be accomplished by comparison against a database maintained by an authority or by leveraging machine learning to identify previously unseen but potentially prohibited content. These envisioned mechanisms fail to consider their broader implications for Internet security.

The Internet Engineering Task Force [IETF] is the leading standards development organization for the global Internet. The Internet Architecture Board [IAB] provides long-range technical direction for Internet development, ensuring the Internet continues to grow and evolve as a platform for global communication and innovation. To create and maintain the Internet as the bedrock of current secure communication, the IETF and the IAB serve as stewards of the Internet’s communication protocols and its core values of trust, openness, and fairness that underpin secure online communication. This is accomplished through a transparent process backed by consensus that is open for anybody to participate in. We encourage the continued deployment and strengthening of mechanisms that enhance privacy and security for all users of the Internet.

The IETF and the IAB have published concerns about standardizing wiretaps [RFC2804], backdoors [RFC1984] [RFC3365], and surveillance [RFC7258], because these technologies reduce the security of the Internet as a whole, fail to curtail malicious actors, and reduce security for Internet users. To ensure all communication can remain properly protected, the IETF continues to develop and enhance encrypted protocols like [IPsec] at the IP layer, [TLS1.3] at the transport layer which is further incorporated into the [HTTP2] and [QUIC] protocols, and inside many application protocols such as email [S/MIME][OpenPGP] or instant messaging [MLS][XMPP]. Recognizing that management of increasingly encrypted networks can pose operational challenges, the IAB has recently held a workshop on techniques for managing encrypted networks in ways that intend not to sacrifice security for the Internet’s end-users [RFC9490].

The IAB has recognised surveillance of any form as a threat to Internet user privacy, where “surveillance is the observation or monitoring of an individual’s communications or activities” [RFC6973]. As the IAB and Internet Engineering Steering Group (IESG) documented in 1996 [RFC1984], instituting governmental control into communication “provide[s] only a marginal or illusory benefit to law enforcement agencies” as any seemingly beneficial purpose can be equally used by malevolent actors or future authoritarian shifts in government administrations. The IETF community still holds true to these principles today.

For technologies where the intended purpose is scanning of user communication, there is by design no technical way to limit the scope and intent of scanning, nor curtail subsequent changes in scope or intent. Further, specifically when scanning for illegal content, transparency cannot be provided. Mandating such technologies impacts all users of the global Internet and creates a tool that is straightforward to abuse as a widespread facilitator of surveillance and censorship, presenting real-world dangers to the free flow of information and the security and privacy of people. Without privacy, users cannot benefit from the Internet’s virtue to connect people and support freedom of expression.

Additionally, one of the founding principles of the Internet has been its openness; the ability for any standards-compliant software to access the network of networks has been the catalyst for world-changing innovations over many decades. Mandatory use of client-side scanning, and the regulatory burden it would impose, would negatively impact this, restrict use of open-source software, and lead to a stagnant landscape where users lose choice.

The IAB shares concerns about societal harms through the distribution of illegal content and criminal action on the Internet and recognizes the need to protect Internet users from such threats. However, the IAB believes that mandating client-side scanning is in direct opposition to the safe, secure and open communication platform that the Internet provides today and undermines the core principles applied by the IAB and the IETF [RFC1984], [RFC2804], [RFC6973] in order to secure the Internet through encryption. The IAB opposes technologies that foster surveillance as they weaken the user’s expectations of private communication which decreases the trust in the Internet as the core communication platform of today’s society. Mandatory client-side scanning creates a tool that is straightforward to abuse as a widespread facilitator of surveillance and censorship. Mandating on-device scanning of content will compromise privacy, weaken security, and imperil human rights to communication, freedom of expression and freedom of opinion.

Annotated bibliography

RFC1984 stated the IESG and IAB’s position regarding legal constraints on encryption in 1996, with a focus on the effects on the Internet. The publication of the document was prompted in part by the controversy surrounding the US government’s promotion of the Clipper Chip.

RFC2804 articulates why the IETF stated that it was not appropriate to accommodate wiretapping. It was published by the IAB and IESG in 2002.

RFC3365 set a requirement for IETF standard protocols to use ‘appropriate strong security mechanisms’, including encryption. It was published as Best Current Practice in 2002.

RFC7258 documents the IETF consensus that pervasive monitoring is an attack, and thus should be mitigated in IETF protocols (often, using encryption). It was a response to the Snowden revelations and an output of the workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT) (https://www.w3.org/2014/strint/), held jointly by the W3C and IAB.

RFC9490 (publication pending) reports on an IAB workshop on Management Techniques in Encrypted Networks in which participants sought to make encryption more widely adopted by seeking solutions for managing encrypted communications without weakening it.

Additional references

Our concerns are shared by other experts around the world [1, 9], particularly on the grounds of technical feasibility and potential for abuse. We align with the widespread opposition to these regulatory proposals voiced by civil society [2, 4, 6, 8], academic experts [3, 5], and even governments [7].

UK Online Safety Bill

The Online Safety Bill enables Ofcom, the designated regulator under the law, to direct services to use accredited technology to identify content that is communicated publicly or privately on the service. For encrypted services like Signal, WhatsApp, and iMessage, this would mean either creating a backdoor in their encryption or scanning messages before they are encrypted (known as client-side scanning).

See:

  1. Joint letter from messaging providers
  2. ORG Briefing
  3. Academic Experts Letter

EU CSAM Regulation

The European Union’s upcoming legislation on combating CSAM online would enable Member States to compel online platforms, including those offering end-to-end encrypted messaging, to scan users’ content and metadata for CSA images and for “grooming” conversations and behaviour, and where appropriate, report them to public authorities and delete them from their platforms.

See:

  4. EDRi Statement
  5. European Scientific Experts Letter
  6. Global Encryption Coalition Statement
  7. Finland, Germany, and Estonia opposition

US EARN IT Act

The EARN IT Act, proposed both in 2020 and 2022, threatens a company’s ability to use and offer end-to-end encryption by putting their liability immunity at risk if they do not proactively monitor and filter for objectionable user content.

See:

  8. Joint letter from civsoc orgs
  9. CCIA Industry Letter