CSAM Regulation by Ylva Johansson: A Trojan Horse for Mass Surveillance

CSAM Regulation by Ylva Johansson: A Trojan Horse for Mass Surveillance, a Breach of the Right to Privacy, and a Precedent for Blanket Monitoring under the Pretext of Child Protection – Legal Analysis, Risks, and Reasons Why the Proposal Must Not Be Adopted

Questions Presented

1. Under international human rights law, may States mandate indiscriminate scanning of everyone’s private communications to prevent the spread of CSAM?
2. If restrictions are permissible in principle, what tests and safeguards apply?
3. How do the UN bodies treat encryption in this context?

Executive Summary

Indiscriminate, generalized monitoring of all private communications constitutes an interference with the rights to privacy and correspondence protected by UDHR art. 12 and ICCPR art. 17. Under UN doctrine, such interferences are lawful only if they are provided by law, pursue a legitimate aim, and are necessary and proportionate—i.e., the least intrusive means that do not impair the essence of the right and that include effective oversight and remedies. On the record to date, blanket scanning (including client‑side scanning that weakens or circumvents end‑to‑end encryption) fails the necessity/proportionality test and is arbitrary within the meaning of ICCPR art. 17. Protecting children from sexual exploitation is unquestionably a legitimate aim (CRC art. 34), but UN standards require targeted, evidence‑based measures with robust safeguards; they do not permit suspicionless, population‑wide surveillance or encryption backdoors. ohchr.org+3ohchr.org+3ohchr.org+3hrlibrary.umn.edu

Applicable Law & Authoritative Guidance

Core rights

• UDHR art. 12: freedom from arbitrary interference with privacy, family, home or correspondence. OSN
• ICCPR art. 17: same guarantee, legally binding on States parties. The Human Rights Committee’s General Comment No. 16 clarifies that the right protects against interference by State and private actors; any interference must be lawful, non‑arbitrary, and proportionate to a legitimate aim. ohchr.orghrlibrary.umn.edu

Children’s rights

• CRC arts. 16, 19, 34: children’s privacy must be respected while States prevent exploitation and abuse. General Comment No. 25 (2021) on children’s rights in the digital environment requires protection measures that respect all other rights, be necessary and proportionate, and be designed with children’s best interests in view. ohchr.org

Limitation doctrine

• The Siracusa Principles (1984) (widely relied upon by UN bodies) require that any restriction be prescribed by law, pursue a legitimate aim, be strictly necessary in a democratic society, and be the least intrusive option; measures must not impair the essence of the right. hrlibrary.umn.edu

UN guidance on the digital age & encryption

• UNGA Res. 68/167 (“The right to privacy in the digital age”) affirms that offline rights apply online and calls for safeguards and oversight for surveillance and communications interception. teaching.globalfreedomofexpression.columbia.edu
• OHCHR reports on privacy in the digital age emphasize that bulk / indiscriminate surveillance is likely arbitrary, that metadata also enjoys ICCPR protection, and that encryption is key to privacy and associated rights. ohchr.org+1Digital Watch Observatory
• The UN Special Rapporteur on freedom of expression (2015) concluded that encryption and anonymity enable the exercise of rights and should be strongly protected; blanket or generalized restrictions are not necessary and proportionate. ohchr.org

Analysis

1) Does blanket scanning interfere with ICCPR art. 17?

Yes. Scanning the content of private messages (or scanning on‑device before sending) is an intrusion into “privacy” and “correspondence”. Under GC‑16, protections extend against both State and private actors implementing State mandates. The OHCHR has also confirmed that surveillance of communications—including metadata—engages art. 17. hrlibrary.umn.eduohchr.org

2) Is such interference “arbitrary” or can it be justified?

To be non‑arbitrary, any interference must satisfy legality, legitimate aim, necessity, and proportionality under ICCPR art. 17 and the Siracusa Principles:

• Legality / foreseeability: A clear, accessible law is only a starting point; precision alone does not cure arbitrariness if the scope is overly broad or lacks safeguards. hrlibrary.umn.edu
• Legitimate aim: Preventing child sexual abuse is a legitimate aim recognized under the CRC. ohchr.org
• Necessity & proportionality (least‑intrusive means): The measure must be demonstrably necessary to achieve the aim and no less restrictive alternative would suffice. Indiscriminate, suspicionless scanning of the entire population is by definition not targeted and captures vast quantities of lawful, sensitive communications. UN guidance warns that blanket restrictions and surveillance fail the necessity and proportionality test. ohchr.orghrlibrary.umn.edu
• Essence of the right & encryption: Where a measure undermines end‑to‑end encryption (e.g., through mandatory client‑side scanning or backdoors), it jeopardizes the core of private correspondence. UN reports underscore encryption’s key role for privacy, expression, association, and security; States should not compel systemic weakening. Digital Watch Observatory
• Safeguards & oversight: ICCPR practice requires independent authorization, strict purpose limitation, data minimization, transparency, user notification (post‑facto where appropriate), and effective remedies. Bulk scanning regimes typically lack these end‑to‑end safeguards. teaching.globalfreedomofexpression.columbia.edu

Conclusion on 1–2: On current UN standards, indiscriminate scanning of everyone’s communications is incompatible with ICCPR art. 17—even for the important aim of combating CSAM—because it is neither strictly necessary nor proportionate and it undermines encryption that UN experts say must be protected. ohchr.orgDigital Watch Observatory

3) Interaction with other rights

• Freedom of expression (ICCPR art. 19): Generalized monitoring and the weakening of encryption have chilling effects on expression and access to information; restrictions must satisfy art. 19(3)’s necessity and proportionality. The UN Special Rapporteur explicitly connects encryption to the enjoyment of art. 19. ohchr.org
• Children’s rights (CRC): Measures to protect children online must respect children’s privacy (art. 16) and be designed in their best interests without overbroad surveillance of all users. GC‑25 calls for rights‑respecting, proportionate solutions in the digital environment. ohchr.org

4) Comparative (non‑UN) jurisprudence (persuasive support)

While not binding on the UN system, regional courts trend the same way: the CJEU has struck down general and indiscriminate data retention and access regimes as disproportionate (Digital Rights Ireland, Tele2/Watson); the ECtHR has faulted bulk interception for inadequate safeguards. These decisions reinforce that blanket measures fail necessity and proportionality. EUR-Lex+1Amnesty International

What a rights‑compatible CSAM strategy must look like (UN standards)

To comply with ICCPR/CRC, States should favor targeted tools and layered safeguards over population‑wide scanning, for example:

• Targeted investigations based on individualized suspicion and independent judicial authorization;
• Cooperation with hotlines and hosting providers to remove known CSAM at source;
• Robust international cooperation and resourcing of specialized units;
• User‑side safety (reporting channels, age‑appropriate design) that does not weaken encryption;
• Strict oversight, transparency reporting, effective remedies, and periodic sunset/review clauses for any intrusive powers. These are consistent with UN resolutions and reports on privacy in the digital age and with the Special Rapporteur’s guidance on encryption. teaching.globalfreedomofexpression.columbia.eduDigital Watch Observatory

Conclusion

Under UN human rights law, blanket, suspicionless scanning of all private communications—including via client‑side scanning that undermines encryption—cannot be justified by the aim of preventing CSAM. Such regimes are arbitrary interferences with privacy and correspondence (ICCPR art. 17), fail necessity and proportionality(Siracusa Principles), chill expression (ICCPR art. 19), and conflict with the CRC’s requirement to protect children while respecting their other rights. UN bodies instead call for targeted, rights‑preserving approaches and the protection of encryption, not its circumvention. ohchr.org+2ohchr.org+2hrlibrary.umn.edu

Key sources (authoritative UN materials):

• ICCPR, art. 17; UDHR, art. 12. ohchr.orgOSN
• HRC General Comment No. 16 (privacy). hrlibrary.umn.edu
• Siracusa Principles (limits/derogations). hrlibrary.umn.edu
• UNGA Res. 68/167 (“Privacy in the digital age”). teaching.globalfreedomofexpression.columbia.edu
• OHCHR reports on privacy in the digital age (incl. 2014; 2022 update acknowledging encryption’s key role). ohchr.orgDigital Watch Observatory
• UN SR FoE (2015) report on encryption & anonymity (A/HRC/29/32). ohchr.org
• CRC General Comment No. 25 (2021) on children’s rights in the digital environment. ohchr.org

Slovak Intelligence Agency, 

14 August 2025, 

Bratislava, Slovakia