An executive master's programme thesis from Aalborg University

Evaluating Encryption Backdoors and Client-Side Scanning in Modern Data Access Frameworks

Term

4. semester

Publication year

2026

Pages

95

Abstract

End-to-end encryption protects digital messages by allowing only the sender and recipient to read them, but it also makes lawful access to digital evidence harder. Proposed responses include encryption backdoors, key escrow, and client-side scanning. Client-side scanning is often presented as privacy-preserving because content is scanned on the user’s device before encryption. This thesis asks whether a perceptual hash created during such scanning can be considered an anonymous representation of content, or whether it retains information that creates privacy and security risks. Three perceptual hashing methods are assessed: a NeuralHash surrogate, PDQ, and PhotoDNA. The study uses criteria from WP29 Opinion 05/2014—singling out, linkability, and inference—to test whether hash outputs preserve identifiable information. The findings show that the analyzed hashes were not distinctive enough for strong singling out of images. However, all three algorithms exhibited measurable linkability between them and allowed the inference of a few appearance-related attributes directly from raw hash outputs. Therefore, perceptual hashes should not be treated as fully anonymous data, but as pseudonymous data in situations where they enable linkability or inference. The thesis also applies STRIDE threat modeling to examine what this means for client-side scanning and compares it with key escrow. The analysis shows that client-side scanning does not eliminate the risks of lawful access systems, but shifts them to device-side scanning, reference databases, threshold choices, and reporting channels. Key escrow concentrates risk around stored or recoverable key material, while client-side scanning distributes risk across the scanning pipeline. Both options raise GDPR issues around data minimisation, purpose limitation, accountability, proportionality, and security. The thesis argues that perceptual hashing for client-side scanning needs clear legal grounds, strong technical safeguards, and transparent, public governance before it can be considered compatible with encrypted communication and privacy.

[This abstract has been rewritten with the help of AI based on the project's original abstract]