The EU is currently considering a new plan to scan citizens’ encrypted communications, in yet another chapter of its fight against online child sexual abuse material (CSAM).
After harsh criticism, lawmakers have abandoned the idea of giving law enforcement access to text messages and audio; shared photos, videos and URLs are now targeted. Yet experts still warn that citizens’ privacy is at risk.
Belgium, which is president of the Council of Europe until June 30, has proposed the new text as a compromise on what was called the Chat Control Act last May, and it is now under review.
However, there is a catch. People must consent to the shared material being scanned before it is encrypted. Choosing to decline scanning will result in users not being able to use this functionality at all. The technical world doesn’t believe in it. Romain Digneaux, Senior Public Policy Associate at Proton, described it to Ny Breaking as “a blatant attempt to put the wind in our sails.”
Did you know?
Cryptographers, privacy advocates, and tech companies like top VPN and messaging app providers have criticized the Chat Control proposal from the start, warning of mass surveillance and security risks. Last February, the European Court of Human Rights even deemed attempts to break the encryption illegal.
“This compromise by the Belgian presidency is a depressing step backwards compared to the position of the European Parliament,” Digneaux told me.
“It will potentially subject all EU citizens to mass surveillance, undermining their fundamental rights, while doing nothing to tackle the spread of CSAM online, nor any criticism from the European Data Protection Supervisor and countless experts.”
Encryption, that is, the process of scrambling data into an unreadable form to prevent access by third parties, is the basis of the security of online communications behind today’s privacy software.
Virtual private networks use it to secure internet communications and, for example, hide your online activities. Popular messaging apps, like WhatsApp and Signal, or secure email providers like ProtonMail, implement encryption to ensure your messages remain private between you and the sender (end-to-end). Even the provider itself does not have access to them. According to the presentation leaked by digital rights group Netzpolitik, Belgian lawmakers now recognize the need to protect end-to-end encryption.
“Regulations will not create any obligation to decrypt or create access to end-to-end encrypted data, or prevent providers from offering end-to-end encrypted services,” the proposed wording reads. So how do they plan to implement CSAM scanning?
User consent or blackmail?
The key here is the ‘user consent’ clause. That is the way to ensure that scanning privately shared multimedia files is no longer an obligation, just a choice. However, the way they want to do that seems more like blackmail. As we said, if you want to share a photo, video or URL with your friend on WhatsApp, you must give permission, or stick to texting, calling and voice messaging.
Commenting on this point, Digneaux said: “There is no consent. There is no choice. If innocent users do not consent to authorities snooping on their messages, emails, photos and videos, they will simply be cut off from the modern world.”
Proton is not the only one who feels this way. A group of more than 60 organizations, including Proton, Mozilla, Signal, Surfshark and Tuta, in addition to more than 50 individuals, has issued a joint statement to express their concerns about the new proposal.
“Coerced consent is not freely given consent,” the group wrote. “If the user has no real choice, feels coerced into giving consent, or would be de facto excluded from the service if not consented, then the given consent is not given freely.”
Worse still, experts also warned that such intrusive powers could ultimately prove inadequate at catching the bad guys. That’s because cybercriminals can simply embed the pirated photos or video into another type of file. Furthermore, as Digneaux noted, criminals are already using their own services to conduct illegal activities.
A rebranding of client-side scanning
The plan to perform CSAM scans while protecting encryption also includes a new ‘upload moderation’ feature. Lawmakers are trying to implement content detection before it is sent, i.e. before it is encrypted. Again, tech experts believe this approach is more likely to be “just a cosmetic change” over the Chat Control proposal.
The original bill pushed for client-side scanning, a method that would require the device to automatically analyze files for illegal material and report them to authorities. So far there is no way to do this without creating dangerous backdoors in the coding. This is further supported by the fact that Britain has postponed its client-side scanning provision in the Online Safety Act until it is “technically feasible” to do so.
However, experts now claim that scanning messages at the upload point also undermines the end-to-end principle (complete protection between sender and receiver) that characterizes strong encryption. They warn that this could create new security vulnerabilities that could also be exploited by third parties.
Digneaux viewed the move as merely an “unfair rebranding” of client-side scanning. He told me: “Whatever the presidency claims, it is not a silver bullet to protect privacy. It is simply a backdoor to disguised encryption. European users will become ideal targets for hackers, putting people and companies at greater risk.”
Signal strongly opposes this proposal. Let there be no doubt: we will leave the EU market rather than undermine our privacy guarantees. If this proposal passes and is enforced against us, we would have to make this choice. It’s surveillance wine in safety bottles. https://t.co/i8D4Mlcrgd (May 31, 2024)
This is why secure end-to-end encrypted messaging apps like Signal (see above) are already repeating that they will leave the EU market rather than undermine privacy protections.
As Netzpolitik reports, however, member countries remain ambivalent about the new approach. At a meeting at the end of May, Germany and the Czech Republic expressed confusion about Belgium’s proposed solutions for scanning messages before they are encrypted. Austria, Estonia and Luxembourg also criticized the provision on ‘user consent’. France said it could accept ‘upload moderation’ subject to user consent, but demanded that ‘encryption should not be circumvented’.
Overall, however, France seems more positive about the proposal and willing to find a compromise that could work for everyone. That is also why the country’s support will be decisive for the final agreement.
“We count on France to maintain its support for cybersecurity, encrypted services and privacy,” Digneaux told me. “If these proposals are not rejected now, we risk seeing the vital cyber security protections that encryption provides being dismantled, putting everyone at risk. But saddest of all, EU citizens will be treated as guilty before their innocence is proven by the very people appointed to protect them.”
It is also worth noting that lawmakers plan to exempt intelligence, police and military personnel from the CSAM scanning.