Europe in ‘last chance saloon’ as new paper shows child sexual abuse can be blocked before being shared in E2EE services

IWF paper sets out how end-to-end encrypted messaging can be protected from child sexual abuse without breaking encryption.

EU lawmakers are in the “last chance saloon” to keep children safe online or Europe faces a “serious backward step” for child protection, experts warn.

The Internet Watch Foundation (IWF) is calling on EU Member States to push for progress on the Child Sexual Abuse Regulation as failure to do so will leave millions of children at risk of online child sexual abuse and exploitation.

This comes as the IWF, Europe’s biggest hotline dedicated to the removal of child sexual abuse material online, publishes a new paper outlining how end-to-end encrypted (E2EE) messaging platforms can prevent the spread of known child sexual abuse images and videos without breaking encryption or trespassing on user privacy.

Concerns over the technical feasibility of safety measures have dogged the negotiations around the stalled EU Regulation, which aims to prevent and detect child sexual abuse on the internet. The paper, published today (Thursday, October 9), demonstrates how upload prevention works without compromising the fundamental right to the privacy of users.

Designed to address existing misconceptions on the issue, the paper highlights how services lose the ability to detect and remove child sexual abuse images and videos if they implement E2EE without adequate safeguards on their platforms.

In this blind spot, offenders thrive¹, while victims and survivors live with the constant threat of their abuse resurfacing. The paper argues that upload prevention closes this gap.

Upload prevention offers a balanced solution to the issue as the safety measure checks for known child sexual abuse material before it is encrypted and sent from the device, working in a similar way to many other pre-encryption checks currently in use, such as malware or preview links.

The EU remains a prime destination for offenders determined to share, sell and buy sexual images and videos of children. In 2024, 62% of all child sexual abuse webpages found by the IWF were traced to an EU country. That is a 28% increase on the previous year. ²

The IWF is urging the EU to adopt the Child Sexual Abuse Regulation without further delay to provide a permanent legal basis for voluntary and mandatory detection of child sexual abuse images and videos across the EU, including when it comes to end-to-end encrypted environments.

The Regulation is all-the-more urgent due to the fast-approaching expiration of the temporary derogation from the EU’s ePrivacy Directive, which currently provides a clear legal basis for companies to proactively scan for child sexual abuse material on their platforms on a voluntary basis, with no risk of being liable for violating ePrivacy rules. The derogation runs out in April next year. ³

Kerry Smith, Chief Executive of the IWF, said: “This is the last chance saloon for policymakers in Europe. If we miss this chance to progress these vital proposals, we risk taking a serious backwards step on child safety.

“If we get to April with no viable alternative solution in place, the possibility of a cliff edge where there is a serious legal gap is profound. Children’s online safety must not be the sacrifice we make because we could not see the solutions staring us in the face.

“Our new paper shows exactly how child sexual abuse imagery can be prevented from being uploaded into even the most heavily encrypted environments without breaking encryption or compromising user privacy. It’s time for policy makers to build these protections into everyday life. There is no time to lose.”

IWF Chief Technology Officer Dan Sexton said: “This paper explains the technical concepts around pre-encryption checks, giving readers crucial insight into a safety feature that is proven to work.

“Offenders should not be given anywhere to hide online. Services that use E2EE can uphold both the security of private communications and the fundamental rights of victims and survivors by adopting upload prevention.

“If we have the means to prevent the sharing of known child sexual abuse imagery and protect children online, we should do so without delay.”

Upload prevention is a safety feature designed to stop the sharing of known child sexual abuse material in E2EE environments before it is sent. The system works by creating “digital fingerprints” of files, known as a hash. This hash is then compared to a secure database of hashes of material that has already been confirmed as CSAM (a “hash list”). A trusted body such as the Internet Watch Foundation (IWF) is responsible for the maintenance and governance of the hash list. 

¹ Protect Children Finland (2024). The Tech Platforms Used by Online Child Sexual Abuse Offenders Research Report with Actionable Recommendations for the Tech Industry.

² IWF Annual Data and Insights Report. Geographical hosting: URLs.

³ To avoid a legal vacuum, the EU Parliament and Council agreed in February 2024 to extend the derogation until April 2026.