CSS: Client-side Scanning
Caostatically but not too much
If you start thinking of privacy as something deeper than the simple "I have nothing to hide", you may get lost. This happens because you need not only to understand the technical matters but also to tackle complex issues without stopping at the surface. It is about dealing with secure, end-to-end encryption.
Let's imagine, say, robust encryption that hides from the curious the content of our texts, our multimedia content, telephone conversations and content stored on remote servers. What should happen is this: I write the text, maybe on a computer or mobile phone, and run it through an app that encrypts the content and sends it (encrypted, of course) to a dear brother who lives in the United States.
If the encryption is really robust, anyone who tries to intercept the message will not be able to read it in the clear. What are the weaknesses of this simple example?
- The text can always be intercepted before encryption.
- The decrypted text can always be intercepted.
Criticism of future cryptographic standards
If thoughts on the robustness of encryption can make minds more unstable… Today there are those who raise the problem and criticize standardization bodies [1], such as NIST, for rushing the definition of standards for post-quantum algorithms. The specifications in question are those of ML-KEM, a post-quantum key exchange mechanism that can be used alone or in combination with Elliptic-Curve Diffie-Hellman (ECDH) to protect us from future quantum computers.
Bureaucratic encryption
Let's come back down to earth, to the current situation of less complex encryption that offers little protection against quantum computers. This form of encryption frightens bureaucrats: they fear that they will be unable to intercept communications and identify illegal activities. I recommend reading articles on Chat Control.
The key to this control is CSS (Client-Side Scanning), a technology to be used for communications within the European Union. Below is a brief description of how it would work:
- Local analysis: all content is analyzed on the user's device as it is created (text while typing, photos at the time of shooting, videos while recording).
- Preventive analysis: syntactic processing takes place before the message is sent and before end-to-end encryption (e.g. WhatsApp, Telegram, Signal, etc.). In practice, the content is examined by a predefined algorithm before the encryption keys are applied.
- Report: if the algorithm's blocking logic detects something suspicious, the file is automatically reported to the competent authorities and blocked.
We rack our brains over sophisticated post-quantum algorithms while the computer and the phone become permanent tools of control. Encryption is bypassed precisely because the check takes place first!
So:
- Early interception: the content is analyzed, before encryption, by algorithms whose operation and logic remain unknown. This exposes users to potential vulnerabilities, possible device compromise and manipulation of the scanning algorithm.
- User privacy: local analysis requires installing surveillance software that collects the user's sensitive data.
- False positives: these will inevitably occur and cause serious problems for users subjected to mistaken checks.
- Manipulation: a malicious actor may alter the scanning patterns so that harmless content is labeled as dangerous, or to hide unlawful material.
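The three steps above (local analysis, check before encryption, report) and the risk of an altered pattern list can be modeled in a few lines; this is an added example, not code from this article or from any real messaging app. The ScanningClient class, the SHA-256 hash list and the toy HMAC-based cipher standing in for real end-to-end encryption are assumptions chosen so that the sketch runs with the Python standard library alone.

```python
import hashlib
import hmac
import os

def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode); a stand-in for real E2EE."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)  # applying the same call again decrypts

class ScanningClient:
    """Hypothetical messaging client with a scanner wired in before encryption."""

    def __init__(self, key: bytes, blocklist: set):
        self.key = key
        self.blocklist = blocklist  # digests pushed to the device by a third party
        self.reports = []           # what leaves the device outside the E2EE channel

    def send(self, plaintext: bytes):
        # Steps 1-2: the analysis runs locally, on the plaintext, before any key is used.
        digest = hashlib.sha256(plaintext).hexdigest()
        if digest in self.blocklist:
            # Step 3: the content is reported in the clear and the message is blocked.
            self.reports.append(plaintext)
            return None
        nonce = os.urandom(12)
        return nonce + keystream_encrypt(self.key, nonce, plaintext)

def demo():
    key = os.urandom(32)
    holiday = b"holiday photo bytes (constructed sample)"
    note = b"see you on Sunday (constructed sample)"

    # The list does not match the message: the wire carries only ciphertext.
    client = ScanningClient(key, blocklist=set())
    wire = client.send(note)
    leaked_on_wire = note in wire

    # Same key, same cipher, but the list was altered to include a harmless file.
    tampered = ScanningClient(key, blocklist={hashlib.sha256(holiday).hexdigest()})
    blocked = tampered.send(holiday) is None
    return leaked_on_wire, blocked, tampered.reports

if __name__ == "__main__":
    print(demo())
```

Nothing about the key or the cipher changes between the two clients: the outcome depends only on the list delivered to the device, which is why the strength of the encryption does not enter into the result.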
Do you think only a law could spy on you?

Attaullah Baig, former security officer of WhatsApp (2021-2025), filed a case against Meta. Baig accuses the company of dismissing him after he repeatedly raised security issues in the messaging app. According to the plaintiff, the measure was adopted to cover up those vulnerabilities, with the risk of possible fraud toward shareholders and violations of the Securities and Exchange Commission (SEC) regulations on internal information controls. The complaint, submitted pursuant to the Sarbanes-Oxley Act, argues that WhatsApp management falsely interpreted his performance ratings, using this as a pretext to terminate his contract.
Baig, who previously held cybersecurity roles at PayPal and Capital One, claims to have been penalized for trying to protect users and investors from potential threats [2].
What about the operating system?
I have only one example: notification messages. If you can read the messages in the clear, do you really think your operating system can't read and analyze them?
Conclusion
We must improve our privacy by adopting new air-gapped devices (there are currently no products on the market that perform the task hypothesized here). These devices would encrypt and decrypt our messages offline, ensuring maximum confidentiality in their transmission.
