EU Commission’s nameless experts behind its child sexual abuse law

10 months ago 36

The EU Ombudsman has found a case of maladministration in the European Commission’s refusal to provide the list of experts, which it first denied existing, with whom they worked together in drafting the regulation to detect and remove online child sexual abuse material.

Last December, the Irish Council for Civil Liberties (ICCL) filed complaints to the European Ombudsman against the European Commission for refusing to provide the list of external experts involved in drafting the regulation to detect and remove online child sexual abuse material (CSAM).

Consequently, the Ombudsman concluded that “the Commission’s failure to identify the list of experts as falling within the scope of the complainant’s public access request constitutes maladministration”.

The EU watchdog also slammed the Commission for not respecting the deadlines for handling access to document requests, delays that have become somewhat systematic.

The Commission told the Ombudsman inquiry team during a meeting that the requests by the ICCL “seemed to be requests to justify a political decision rather than requests for public access to a specific set of documents”.

The request was about getting access to the list of experts the Commission was in consultations with and who also participated in meetings with the EU Internet Forum, which took place in 2020, according to an impact assessment report dated 11 May 2022.

The list of experts was of public interest because independent experts have stated on several occasions that detecting CSAM in private communications without violating encryption would be impossible.

The Commission, however, suggested otherwise in their previous texts, which has sparked controversy ever since the introduction of the file last year.

During the meetings, “academics, experts and companies were invited to share their perspectives on the matter as well as any documents that could be valuable for the discussion.”

Based on these discussions, and both oral and written inputs, an “outcome document” was produced, the Commission said.

According to a report about the meeting between the Commission and the Ombudsman, this “was the only document that was produced in relation to these workshops.”

The phantom list

While a list of participants does exist, it was not disclosed “for data protection and public security reasons, given the nature of the issues discussed”, the Commission said, according to the EU Ombudsman.

Besides security reasons, participants were also concerned about their public image, the Commission told the EU Ombudsman, adding that “disclosure could be exploited by malicious actors to circumvent detection mechanisms and moderation efforts by companies”.

Moreover, “revealing some of the strategies and tactics of companies, or specific technical approaches also carries a risk of informing offenders on ways to avoid detection”.

However, the existence of this list was at first denied by the Commission.

Kris Shrishak, senior fellow at the Irish Council for Civil Liberties, told Euractiv that the Commission had told him that no such list exists. However, later on, he was told by the EU Ombudsman that that was not correct since they found a list of experts.

The only reason the ICCL learned that there is a list is because of the Ombudsman, Shrishak emphasised.

Previously, the Commission said there were email exchanges about the meetings, which contained only the links to the online meetings.

“Following the meeting with the Ombudsman inquiry team, the Commission tried to retrieve these emails” but since they were more than two years old at the time, “they had already been deleted in line with the Commission’s retention policy” and were “not kept on file”.

Euractiv reached out to the European Commission for a comment but did not get a response by the time of publication.

Disappearing references

Shrishak also spotted that a document referred to in the CSAM proposal (Annex IX, Footnote 569) about Microsoft’s work on homomorphic encryption has been consequently taken down.

The Commission told the EU Ombudsman that they do not “necessarily hold a copy of the documents linked in the footnotes of the “outcome document” but consulted these documents online without downloading a copy.

“The document, for which the complainant requested a working link, is also no longer accessible to the Commission”, the Ombudsman’s office said on its website.

Controversial proposal

This is not the first time the European Commission has been criticised for the way it has been trying to push the CSAM draft law.

At the end of September, a Balkan Insight article revealed links, going beyond the usual consultations with stakeholders, with at least one Commission official on the board of one of the child protection organisations.

In October, the Commission reportedly used microtargeting techniques to promote the proposal in the countries that did not support the text in the EU Council of Ministers, triggering an investigation over concerns it might have violated the EU data protection and privacy rules.

Shrishak said he expects “a new response, at the very least”. He hopes the Commission provides a list of experts but also expected the outcome of them refusing to do so, citing data protection concerns, “which shouldn’t be [the case], because it should be a public list”, he added.