"Not the Right Question?" A Study on Attitudes Toward Client-Side Scanning with Security and Privacy Researchers and a U.S. Population Sample

For decades, law enforcement and privacy advocates have struggled to find common ground regarding surveillance and privacy, resulting in the so-called Crypto Wars. When Apple announced it was planning to implement client-side scanning (CSS) in 2021 as a privacy-preserving compromise to detect known child sexual abuse material (CSAM), it received such intense pushback, especially from IT experts, that it dropped the plans within weeks. However, a study of the European population by ECPAT [1] and another of the German population by Geierhaas et al. [2] showed that despite concerns, the majority stated that they supported CSS for the detection of CSAM. This highlights a potential mismatch between “the majority” and “the experts.” To examine the different attitudes toward CSS further, we extend the work by Geierhaas in two ways. First, we conducted qualitative interviews with 19 IT security and privacy researchers at two major IT security conferences: the Symposium on Usable Privacy and Security (SOUPS) and the USENIX Security Symposium. In our second study, we replicated the German survey with a representative sample (age, gender, and state) from the USA. This was done both to examine possible cultural differences between Germany and the U.S. and to have a U.S. view to compare to our interview study. In this paper, we discuss key similarities and differences between the U.S. and German samples and contrast these with the researchers' views on the matter.