A controversial new law proposed by the European Commission could oblige popular apps such as Instagram, WhatsApp or Signal to screen all private messages of their users for possible child abuse material.
The draft law, unveiled yesterday in Brussels, does not specify which technology must be used. Privacy advocates fear that in practice, the law could mean that most services will have to use client-side scanning, an intrusive technology that circumvents end-to-end encryption.
While opposition to the new law is led by privacy organisations and members of the European Parliament, a leading voice in lobbying in its favour is Thorn, a non-profit founded by Hollywood actor Ashton Kutcher and his then-wife Demi Moore. While the organisation has little public profile in Brussels, its advocacy has reached the highest levels of the European Commission.
Kutcher is known to older millennials for movies such as „Dude, where’s my car“. Outside of his acting career, he has dabbled in technology investing. With Thorn, Kutcher entered the market for surveillance technology: In 2020, the organization launched „Safer,“ which claims to be the „first comprehensive third-party CSAM [child sexual abuse material] detection platform“.
More than a dozen emails and meeting minutes
To EU institutions, Thorn presents itself as a charity organization that fights against child abuse. Meanwhile, the organization repeatedly brought up its proprietary child abuse tracking software in meetings with EU officials. This is shown by more than a dozen emails and meeting minutes that netzpolitik.org obtained through freedom of information requests to the EU Commission, German and Swedish authorities.
The new EU law against child abuse is a brain-child of Commission chief Ursula von der Leyen and home affairs Commissioner Ylva Johansson. The current controversy is likely a déjà vu for Von der Leyen: In 2009, as German minister for family affairs, she proposed a law that allowed the authorities to order the blocking of websites. While mooted as a measure against child abuse, this led to massive protests under the rally cry „Zensursula“ against government censorship. The law was ultimately scuttled.
In recent months, Johansson has stressed that privacy and encryption should not stand in the way of law enforcement – a call echoed and amplified by Thorn. While smaller advocacy groups in Brussels often find it difficult to get face time with decision makers, the organisation has drawn on Kutcher’s star power to snag high-level meetings. Evidence of this can be found in a video meeting between Kutcher and Von der Leyen, which the Commission chief posted on Twitter in November 2020.
At the time, Thorn advocated for a proposal by the EU Commission that became law at record speed a few months later. In it, the EU allowed platforms like Facebook to voluntarily scan private messages for suspected child abuse. To do this, the EU created an exception in its data protection rules, which had just been tightened. This has since given platforms such as Facebook the legal leeway to do on a voluntary basis what could soon become mandatory: screening private messages.
Kutcher personally lobbied for this regulation in interviews with Brussels-based media and via Twitter appeals to German politicians. The fact that it was passed can be seen as a success for Thorn.
Thorn has continued its lobbying campaign ever since. According to a report on its website, the organization met with 20 EU law-makers in 2021 alone. And indeed, Thorn lobbyists have been canvassing the most important digital policy decision-makers in Brussels since last year. According to the official lobby register, they have met with Von der Leyen’s staff, as well as with those of her deputies Margrethe Vestager and Margaritis Schinas, and Internal Market Commissioner Thierry Breton. The topic of conversation: child abuse and what Thorn wants to do about it.
How Thorn argues against encryption
Behind closed doors, Thorn lobbyists offered their expertise to Von der Leyen’s cabinet. The organization offered to help find a „balanced ground for the most privacy forward approach that still allows the detecting of child sexual abuse,“ according to minutes of the meeting in February 2021.
Thorn also revealed that it was working on „issues related to encryption.“ Weeks earlier, the organization warned in a blog post against plans by Meta to offer end-to-end encryption for Facebook Messenger and Instagram Messenger. It said „the world stands to lose 99% of its intelligence on CSAM. This means that abusers will be able to share illegal and harmful child sexual abuse material undetected on the same platforms that we, and our children, use every day.“
In March 2021, the organization met staffers of Commissioner Johansson, who is responsible for the new EU legislative proposal against child abuse. What was discussed there remains a secret: the meeting minutes provided by the Commission were heavily redacted. Disclosure would have a negative impact on its internal decision-making, the Commission argues.
Thorn brags about „over 30 clients around the world“
What is clear, however, is that the organization founded by Asthon Kutcher has aggressively marketed its software in other meetings with officials.
Thorn „has over 30 clients around the world and their pricing mechanism aims to allow smaller players to use their services,“ lobbyists said in a meeting with Werner Stengg, a senior digital policy advisor to Commission Vice President Vestager. Safer’s website lists the photo platform Flickr and the video portal Vimeo as customers.
Thorn offers artificial intelligence-driven software for finding, removing and reporting child abuse content. In addition, the non-profit is „working on a new algorithm to capture grooming activities“, according to the interview notes.
When asked by netzpolitik.org, a spokeswoman for Thorn confirmed that its own technology could be used to enforce the new EU law. It is crucial to „create long-term legal certainty for the protection of children on the Internet through the discovery, reporting and deletion of child abuse material and to establish a European Center,“ said Thorn CEO Julie Cordua according to German-language quotes e-mailed by the spokeswoman. Thorn will „continue to provide our experience and expertise in the future,“ Cordua added.
„I thank Commissioner Ylva Johansson and her team for the great work they have put into this bill,“ Cordua said. Thorn said it is „grateful for the pioneering work the EU is doing.“
„Safer“ soon to be in use in the EU?
In a seven-page position paper Thorn sent to Swedish EU diplomats in the fall of 2021, the organization touted the success of its „Safer“ software, saying that it had already been used to send 183,000 suspected cases of abuse to the National Center for Missing and Exploited Children (NCMEC) since 2019. In Sweden, Commissioner Johansson’s home country, Thorn is apparently hoping for an ally in the upcoming deliberations on the proposed legislation in the Council of EU States. Thorn wants to understand „the Swedish perspective“, according to an e-mail to the Scandinavian state’s representative on the EU Council.
Thorn also made overtures in Germany. As a legal framework to combat child abuse is being negotiated at the European level, Thorn said it wanted to present its mission in Berlin. So says an e-mail sent last summer to the office of the then Independent Commissioner for Child Sexual Abuse, Johannes-Wilhelm Rörig.
Whether the lobbying of Ashton Kutcher and his non-profit company will be followed by a lucrative public contract remains to be seen. The new EU Center against Child Abuse is likely to play a crucial role. The Commission’s draft legislation outsources the sensitive political question of which software platforms should use to scan private messages in the future to the newly created EU Center. The European Data Protection Supervisor also has a say.
If Thorn’s software finds favour with the EU authorities, it could soon be widely used. For the non-profit organization, that could mean high revenues. But Ashton Kutcher and his organizations would then also have influence on the privacy of millions of Europeans.