The EU’s anti-encryption crusaders are trying to turn your digital devices into spyware

A few days after EU citizens were called upon to vote on their next parliamentary representatives, we only have a rough idea of what the next political team will look like. What is certain, however, is that anti-encryption sentiments continue to flourish across the Union.

We have already mentioned the revised proposal to stop the spread of child sexual abuse material (CSAM) online, which will ask for your consent to scan your WhatsApp messages. Now a leaked 42-point plan makes new recommendations on how companies should handle people’s online activities, including data retention, access and interception of all digital services.

The goal is simple: to make the digital devices we use every day, from smartphones and smart homes to IoT devices and even cars, legally and technically auditable by law enforcement authorities at all times.

According to Jan Jonsson, CEO of Mullvad – one of the best VPNs out there with a privacy-first mandate – all encrypted traffic will no longer be private and secure if the legislation is passed. “A VPN doesn’t help either,” he told me. “It would mean total surveillance and ensure that the people of Europe have state spyware in their pockets.”

The process also appears to be proceeding at high speed. With the ashes of the EU elections still smoldering in the background, lawmakers met on Tuesday, June 11, to discuss the plan and the way forward.

Data access by design

The intention to implement a so-called ‘security by design’ framework was shared for the first time last year by the High-Level Group (HLG). The group, set up by the European Commission, is taking the first steps in what is dubbed the Going Dark initiative, to ensure “the availability of effective law enforcement tools to fight crime and improve security in the digital age.” The process has thus far largely developed behind closed doors, with civil society denied an opportunity to participate.

As mentioned earlier, the goal is to find a way to provide law enforcement agencies with full surveillance capabilities, both from a legal and technical perspective. Not surprisingly, encryption, the scrambling of data into an unreadable form to prevent unauthorized access, was identified as the most urgent area of work at the time. Access to stored data and localization, data retention practices, and anonymization through virtual private networks were the main targets.

Now, about twelve months later, it seems that the HLG group has come up with some concrete solutions to do this in practice.

The “confidential” 42-point plan suggests forcing encrypted messaging apps to enable interception. Data retention should also be reintroduced (the Court of Justice of the EU struck down the previous directive) and extended to all over-the-top (OTT) communications, i.e. all instant messaging and online chats not offered by your mobile network operator. Tracking of IP connections should be guaranteed “at least”, with metadata encryption prohibited and GPS tracking activated by the provider at the request of the police. Technology companies that refuse to cooperate should be threatened with prison sentences.

It seems that the authorities want access to a large part of our data: information stored on our devices, in the systems of the services and the information that travels on the Internet. As Jonsson put it: “All the data, in other words.”

“They are prioritizing solutions for legal access to data on devices, and it seems they want to try to introduce client-side scanning of entire devices. In other words, operating system scanning. Apple is constantly being urged to do this, to scan the phones of their users,” he added.

Is a controlled society the right answer?

As the name suggests, the EU’s anti-encryption campaign is based on what is known in law enforcement as the ‘going dark’ assumption: with online anonymity, crime will go unnoticed in the digital world. However, experts have long rejected this view, arguing that violating these protections would be detrimental to everyone’s safety.

Encryption is crucial to guarantee the enjoyment of fundamental rights such as privacy and freedom of expression, but also to enable both citizens and companies to defend themselves against misuse of information technologies. This was precisely the conclusion of the February ruling published by the European Court of Human Rights, which made it illegal to crack encryption.

Did you know?

Cryptographers, privacy advocates and technology companies raised similar concerns when the UK’s Online Safety Bill (now law) and the EU Chat Control proposal considered creating an encryption backdoor to scan people’s encrypted and private messages for illegal content. In Great Britain, so-called client-side scanning has been postponed until it is “technically feasible” to do this in a secure way.

This means that weak encryption protection not only allows authorities to spy on our online activities, but also provides an easy backdoor for cyber attackers to exploit.

Furthermore, as Jonsson suggests, criminals will turn to alternative and illegal online services to continue their malicious activities online unhindered.

He told me: “It means that the EU’s mass surveillance will not catch criminals. Only ordinary people, who don’t want to make an effort, will be fully monitored.”

At the same time, German digital activist and Pirate Party MEP Patrick Breyer also highlights the crucial role that encryption plays in criminal investigations.

He said: “The planned retention of internet data threatens to destroy our right to anonymity online, which enables crime prevention through anonymous counseling and pastoral care, victim support through anonymous self-help forums, and also investigative journalism, which often relies on anonymous whistleblowers.”

What’s next?

While a reformed Parliament is about to elect the new European Commission as its first task by 2025, the Going Dark group appears to be already busy laying the groundwork for future legislation against encryption and online anonymity.

Mullvad’s Jonsson is concerned that these efforts will ultimately gain more legislative momentum than the Chat Control proposal, which he believes has become too contaminated to gain the necessary support in a final phase. “This time they are not only using the ‘think about the children’ argument, but also using other serious crimes and terrorism as an excuse to conduct mass surveillance of the entire EU population,” he told me.

Such a surveillance push from authorities in the EU, and ultimately globally, is even more worrying when you couple it with the direction Big Tech is heading. Priority is given to increased data collection, which is in stark contrast to the main concept of the GDPR, which is data minimization.

Take the ongoing backlash involving Adobe, for example, over new invasive and vague policies on how data can be used to train AI models. Or Microsoft’s new Recall feature that takes regular snapshots of your active screen, which seems more like a privacy nightmare than a useful tool. After harsh criticism, the major tech company decided to update Recall’s privacy policy in an effort to appease users.

Jonsson now hopes that external pressure from citizens, tech companies and media could encourage the European Commission to thwart the Going Dark plans. “The opposition to Chat control eventually became huge, but came late. This time we hope the opposition is there from the beginning,” he told me.

“And of course we hope that the new Commission is better than the old one and invites experts to be involved from the start so that they don’t spend years on absurd legislative proposals that end up in the trash.”
