A few days after EU citizens were called to vote on their next parliamentary representatives, we have only a rough idea of what the upcoming political line-up will look like. What is certain, however, is that anti-encryption sentiment is still thriving across the Union.
We already reported the revised proposal to halt the spread of online child sexual abuse material (CSAM) that wants your permission to scan your WhatsApp messages. Now, a leaked 42-point plan puts forward new recommendations on how companies must handle people's online activities, including data retention, access, and interception of all digital services.
The goal is simple: make the digital devices we use every day, from smartphones and smart homes to IoT devices and even cars, legally and technically monitorable at all times by law enforcement bodies.
According to Jan Jonsson, CEO at Mullvad—one of the best VPNs around with a privacy-first mandate—all encrypted traffic will no longer be private and secure if the legislation passes. "A VPN won’t help either," he told me. "It would mean total surveillance and that Europe's inhabitants carry state spyware in their pockets."
The process seems to be moving fast, too. With the ashes of the EU elections still smouldering in the background, lawmakers got together on Tuesday, June 11 to discuss the plan and the way forward.
Tweet from @GreensEFA, June 11, 2024: "It's getting serious: Today, as part of the #EuGoingDark surveillance plan, the "Working Party on Cooperation in Criminal Matters" (#COPEN) in the Council of the 🇪🇺 officially discusses the reintroduction of #DataRetention!" https://t.co/6dfIhzIZyr
Data access by design
The intention to implement a so-called "security by design" framework was first shared last year by the High-Level Group (HLG). Created by the European Commission, the group is taking the first steps in what's nicknamed the Going Dark initiative to ensure "the availability of effective law enforcement tools to fight crime and enhance security in the digital age." The process has developed largely behind closed doors so far, with civil society denied a chance to take part.
As mentioned earlier, the aim is to find a way to provide law enforcement bodies with full surveillance capabilities, from both a legal and a technical point of view. It isn't surprising that encryption, the scrambling of data into an unreadable form to prevent unauthorized access, was flagged as the most urgent area of work at that time. Access to stored data and location data, data retention practices, and the anonymization offered by virtual private networks were the main targets.
Now, about 12 months later, it looks like the HLG has come up with some concrete proposals on how to do this in practice.
The "confidential" 42-point plan suggests forcing encrypted messaging apps to allow for interception. Data retention should also be reintroduced—the EU Court of Justice previously overturned the directive—and expanded to all over-the-top (OTT) communications, meaning all the instant messaging and online chats not provided by your mobile network operator. IP connection tracking should be guaranteed "at the very least," encrypting metadata should be prohibited, and GPS tracking should be activated by the provider upon police request. Tech companies that refuse to cooperate should be threatened with prison sentences.
It looks like authorities want access to a great deal of our data: information stored on our devices, in the services' systems, and those traveling on the internet. As Jonsson put it: "All data, in other words."
"They prioritize solutions for legal access to data on devices, and it sounds like they want to try to introduce client-side scanning of entire devices. In other words, a scanning of operating systems. Apple is constantly being urged to do this, to scan their users' phones," he added.
Is a monitored society the right answer?
As the name suggests, the EU anti-encryption crusade is based on what's known in policing as the "going dark" assumption—with online anonymity, crime will go undetected in the digital world. Experts have long rejected this stance, though, arguing that breaking this protection would be detrimental to everyone's security.
Encryption is vital to ensure the enjoyment of fundamental rights, like privacy and free speech, but also to allow both citizens and businesses to defend themselves against abuses of information technologies. This was exactly the conclusion of February's judgment published by the European Court of Human Rights, which made it illegal to break encryption.
Cryptographers, privacy advocates, and tech companies raised similar concerns when the UK Online Safety Bill (now law) and the EU Chat Control proposal considered creating a backdoor in encryption to scan people's encrypted and private messages for illegal content. In the UK, so-called client-side scanning has been postponed until it is "technically feasible" to do so in a secure way.
This means that weakened encryption doesn't just allow authorities to snoop on our online activities: any access mechanism built in for them is also a backdoor that cyber attackers can find and exploit.
Moreover, as Jonsson suggests, criminals will simply turn to alternative and illegal online services to carry on their malicious activities undisturbed.
He told me: "It means that the EU mass surveillance will not catch criminals. Only ordinary people, who don't want to make an effort, will be left totally surveilled."
At the same time, German digital activist and Pirate Party MEP Patrick Breyer also highlights the vital role encryption plays in crime prevention and criminal investigations.
He said: "The planned internet data retention threatens to destroy our right to anonymity online, which enables crime prevention through anonymous counseling and pastoral care, victim support through anonymous self-help forums, and also investigative journalism, which often relies on anonymous whistleblowers."
What's next?
While a reshaped Parliament has, as its first task, to elect the new EU Commission by 2025, the Going Dark group already seems busy laying the foundations of future legislation against encryption and online anonymity.
Jonsson from Mullvad is worried that these efforts may end up having more legislative legs than the Chat Control proposal, which he believes became too polluted to gain the necessary support in a final stage. "This time, they are not just using the argument 'think of the children,' but also using other serious crimes and terrorism as excuses to mass monitor the entire EU population," he told me.
Such a surveillance push from EU, and ultimately worldwide, authorities is even more worrying when you pair it with the direction Big Tech is headed. Greater data collection is prioritized, in stark contrast to GDPR's core principle of data minimization.
Take the ongoing backlash engulfing Adobe, for instance, over a new, invasive and vague policy on how user data may be used to train AI models. Or Microsoft's new Recall feature, which regularly takes snapshots of your active screen and resembles a privacy nightmare more than a useful tool. After harsh criticism, the Big Tech firm turned to updating Recall's privacy policy in an effort to placate users.
Jonsson now hopes that external pressure from citizens, tech companies, and media could encourage the EU Commission to kill the Going Dark plans. "The Chat Control opposition eventually became massive, but it came late. This time, we hope that the opposition is there from the start," he told me.
"And of course, we hope that the new Commission is better than the old one and they invite experts to be involved from the beginning—so they don’t spend years on absurd legislative proposals that end up in the trash."