Machine translations by Deepl

Criticism of CSAM, eIDAS and digital euro at Privacy Conference

National Privacy Conference 2025: Jaap-Henk Hoepman critical of technical developments CSAM, eIDAS and European digital currency 

At the annual National Privacy Conference last week, Dr Jaap-Henk Hoepman spoke about a number of new European laws that use technical solutions to achieve privacy. These include eIDAS, CSAM and the Digital Euro Regulation. Dr Hoepman provided technical insight into the privacy engineering involved in the new laws and gave his critical view on the chosen techniques. His conclusion? "Technical standards in legislation are far too rarely developed in consultation with academics and NGOs." Dr Jaap-Henk Hoepman is visiting professor of computer science at Karlstad University and senior lecturer in computer science at Radboud University Nijmegen.

Photo: Gerrit Davelaar

Report by PONT Data & Privacy 

eIDAS 2.0

The European Digital Identity (eIDAS) aims to give citizens a secure and widely accepted digital identifier. This system would allow citizens to purchase online services without revealing their full identity. In theory, this sounds great, but in practice the technical implementation leaves much to be desired, according to Dr Jaap-Henk Hoepman.

A major criticism is the lack of a truly privacy-friendly architecture. The way digital signatures are implemented in the current eIDAS 2.0 standard means that users can still be tracked across different services. This undermines the fundamental principle of an anonymous and secure digital identity. Cryptographic alternatives such as zero-knowledge proofs, which allow attributes to be selectively revealed without revealing full identity, are not used. Hoepman stresses that standardisation of cryptography within governments is problematic: only a limited set of 'approved' cryptographic techniques is allowed, and these are often outdated and inefficient for modern privacy applications.
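The tracking problem described above, as an added illustration that is not code from the talk or from any eIDAS implementation: a credential whose attributes are disclosed selectively still carries the issuer's static signature in every presentation, so two services that pool their logs can join a user's visits even though neither learned her name. The issuer key, the attribute values and the service names are constructed, and an HMAC stands in for the issuer's digital signature.

```python
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-issuer-key"  # stand-in for the issuer's signing key


def _commit(name, value, salt):
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()


def sign(commitments):
    """HMAC stands in for the issuer's digital signature over the credential."""
    msg = json.dumps(commitments).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_credential(attrs):
    """Issuer commits to every attribute (salted) and signs the commitment list once."""
    salts = {k: secrets.token_hex(8) for k in attrs}
    commitments = sorted(_commit(k, v, salts[k]) for k, v in attrs.items())
    return {"attrs": attrs, "salts": salts,
            "commitments": commitments, "sig": sign(commitments)}


def present(cred, disclose):
    """Wallet reveals only the requested attributes, but ships the static signature."""
    return {"disclosed": {k: (cred["attrs"][k], cred["salts"][k]) for k in disclose},
            "commitments": cred["commitments"], "sig": cred["sig"]}


def verify(pres):
    """Relying party: signature valid and each disclosed value opens a commitment."""
    if not hmac.compare_digest(sign(pres["commitments"]), pres["sig"]):
        return False
    return all(_commit(k, v, s) in pres["commitments"]
               for k, (v, s) in pres["disclosed"].items())


def link(logs):
    """Audit check over pooled logs: presentations carrying the same signature
    at more than one service belong to one person and can be joined."""
    by_sig = {}
    for service, pres in logs:
        by_sig.setdefault(pres["sig"], set()).add(service)
    return {sig: svcs for sig, svcs in by_sig.items() if len(svcs) > 1}


def demo():
    alice = issue_credential({"name": "Alice Example", "over18": "yes", "country": "NL"})
    bob = issue_credential({"name": "Bob Example", "over18": "yes", "country": "DE"})
    logs = [("wine-shop", present(alice, ["over18"])),   # never sees her name or country
            ("news-site", present(alice, ["country"])),  # never sees her name or age
            ("wine-shop", present(bob, ["over18"]))]
    return link(logs)  # one signature seen at both wine-shop and news-site
```

Replacing the signature with a hash of it would not help, since any value that is fixed at issuance and repeated at every presentation serves as the join key; that is the property a zero-knowledge presentation is meant to remove.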

Privacy-friendly digital Euro?

With the rise of digital payments and crypto-currencies, the European Central Bank (ECB) wants to offer a digital alternative to cash. According to the ECB, the Digital Euro should have a level of privacy similar to cash, but in the current set-up that seems like an empty promise, states Hoepman.

Hoepman doubts the technical feasibility of a truly anonymous digital euro. Cash has fundamental properties such as anonymity, freedom of transaction and independence from central infrastructures. The digital euro should mimic this, but the current technical implementation does not sufficiently guarantee anonymity, according to Hoepman. After all, all transactions are recorded and monitored, leading to far-reaching control over transactions. He argues that the privacy-friendly digital euro should be 'cash-like', with the identity of the payer and recipient remaining unknown unless explicitly desired.

Another problem is the so-called 'double-spending' challenge in offline payments. Cash works without the intervention of banks or network connections. A digital currency should be able to do the same, but current proposals require payments to be processed through centralised systems, which negates privacy. Hoepman points out that technical solutions such as Trusted Execution Environments (TEEs) and secure elements in mobile phones could theoretically provide a solution, but that this depends on the reliability of hardware manufacturers and the infrastructure that controls them. This leads to a central dependency, which goes against the fundamental properties of cash.
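The double-spending challenge above, as an added illustration that is not code from the talk or from any digital euro design: an offline merchant can only check that a coin's issuer tag is genuine, which a copied coin passes as well, so the duplicate is caught only when both merchants later deposit at a central ledger. That central reconciliation is the dependency the paragraph refers to; a tamper-resistant counter in a secure element is the alternative that tries to stop the copy on the phone itself. The issuer key, coin values and merchant names are constructed, and an HMAC stands in for the issuer's signature.

```python
import hashlib
import hmac
import secrets

ISSUER_KEY = b"constructed-central-bank-key"  # stand-in for the issuer's signing key


def _tag(serial, value):
    """HMAC stands in for the issuer's signature over a coin."""
    return hmac.new(ISSUER_KEY, f"{serial}|{value}".encode(), hashlib.sha256).hexdigest()


def mint_coin(value):
    """Issuer creates a bearer token: serial number, value, issuer tag."""
    serial = secrets.token_hex(8)
    return {"serial": serial, "value": value, "tag": _tag(serial, value)}


def offline_accept(coin):
    """All a merchant can check without a network: is the issuer tag genuine?
    A byte-for-byte copy of a coin passes this as often as it is presented."""
    return hmac.compare_digest(_tag(coin["serial"], coin["value"]), coin["tag"])


class Ledger:
    """Central reconciliation: the only place a reused serial becomes visible,
    and therefore the central dependency that cash does not have."""

    def __init__(self):
        self.spent = {}          # serial -> merchant that deposited it first
        self.double_spends = []  # (serial, first merchant, second merchant)

    def deposit(self, merchant, coin):
        if not offline_accept(coin):
            return "rejected: bad tag"
        first = self.spent.get(coin["serial"])
        if first is not None:
            self.double_spends.append((coin["serial"], first, merchant))
            return "rejected: double spend"
        self.spent[coin["serial"]] = merchant
        return "accepted"


def demo():
    coin = mint_coin(10)
    duplicate = dict(coin)  # a bearer file copies perfectly; nothing offline detects it
    offline = [offline_accept(coin), offline_accept(duplicate)]  # both True
    ledger = Ledger()
    online = [ledger.deposit("bakery", coin), ledger.deposit("kiosk", duplicate)]
    return offline, online, ledger.double_spends
```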

CSAM client-side scanning

The most controversial of the three laws is the CSAM regulation, which aims to stop the distribution of child abuse material. The goal is undoubtedly important, but the approach taken raises serious privacy and security concerns, according to Hoepman.

The most recent bill suggests applying 'client-side scanning' to chat services such as WhatsApp or Signal, where software checks photos and messages locally, i.e. on the device itself, for images of child abuse before they are sent. If such images are detected, this could lead to a notification to the authorities. Hoepman compares the model to a "snitch installed on your phone" that scans every message before it is sent. This basically means that every communication device functions as a potential surveillance tool, leading to a serious breach of the secrecy of correspondence, according to Hoepman.

In addition, Hoepman points to the unverifiability of the database containing hashes of illegal images. This database can be misused to block other types of content, such as political opinions or journalistic disclosures. Because the hashes are secret, there is no transparency about what is being monitored. This opens the door to censorship and abuse by governments and big tech companies.

Another criticism is the lack of technical reliability of content detection algorithms. False positives, marking innocent images as illegal, could have serious consequences for innocent users. Hoepman argues that the European Commission has not sufficiently thought through the real implications of this technology and that the focus on encryption preservation is a misleading argument. "Arguing that encryption remains intact while a device pre-emptively analyses messages is like saying you keep a letter locked while the government reads the contents before you send it," Dr Hoepman said.

Legislation and technology run alongside each other

What these three laws have in common is that they all try to solve an important legal and societal challenge using technology. However, in all cases, Hoepman says, it appears that the technical implementation is not thought through enough, putting privacy at risk.

Dr Hoepman emphasises that there is a fundamental problem with how technological regulation is created. Policymakers formulate legislation without sufficient technical understanding and rely on existing standards that are often not suitable for privacy-friendly implementations. This results in laws developed in lawmakers' circles, without the technical insights of experts who better understand the implications of the systems chosen. Jaap-Henk describes how he often sees it go wrong in legislation that uses technology: "First, a committee is appointed, which tries to describe in legal terms what the system should do. A kind of requirements document, but written not by techies but by lawyers. With the very best intentions, but it does not describe well enough what the system should really do in the end."

To solve this problem, he recommends closer cooperation between legislators, scientists and NGOs early in the legislative process. According to Jaap-Henk, technical knowledge is indispensable for the use of technology in legislation: "The technical specifications determine how it will really work in the end. So how those are implemented is ultimately essential to know what the privacy and security properties of these systems are."

This report was previously published by PONT Data & Privacy under the title "Report Privacy Congress 2025: Jaap-Henk Hoepman critical of technical developments CSAM, eIDAS and European digital currency".