The EU is currently considering a new plan to scan citizens' encrypted communications, in yet another chapter of its fight against online child sexual abuse material (CSAM).
After harsh criticism, legislators have abandoned the idea of allowing law enforcement to access text messages and audio—shared photos, videos, and URLs are now the target. Yet, experts still warn that citizens' privacy is at risk.
Belgium, which heads the Council of Europe until June 30, proposed the new text last May as a compromise on what has been nicknamed the Chat Control law, and it's now under review.
There's a catch, though. People must consent to the shared material being scanned before it is encrypted. Users who reject the scanning will be prevented from using this functionality at all. The tech world isn't buying it. In fact, Romain Digneaux, Senior Public Policy Associate at Proton, describes it to TechRadar as "a blatant attempt to pull the wool over our eyes."
Cryptographers, privacy advocates, and tech companies, including the best VPN and messaging app providers, have criticized the Chat Control proposal since the beginning, warning against mass surveillance and security risks. Last February, the European Court of Human Rights even deemed attempts to break encryption illegal.
"This compromise from the Belgian Presidency is a depressing step backward compared to the European Parliament’s position," Digneaux told me.
"It will potentially subject all EU citizens to mass surveillance, undermining their fundamental rights while doing nothing to address the spread of CSAM online, nor any of the criticism from the European Data Protection Supervisor and countless experts."
Encryption, the process of scrambling data into an unreadable form to prevent third-party access, underpins the security of online communications and of today's privacy software.
Virtual private networks use it to secure internet traffic and conceal your online activities, for example. Popular messaging apps, like WhatsApp and Signal, or secure email providers like ProtonMail implement encryption to guarantee your messages remain private between sender and recipient (end-to-end). Not even the provider itself can read them. As the presentation leaked by digital rights group Netzpolitik shows, Belgian legislators now recognize the need to protect end-to-end encryption.
"Regulation shall not create any obligation to decrypt or create access to end-to-end encrypted data, or that would prevent providers from offering end-to-end encrypted services," the proposed wording reads. So how do they plan to implement CSAM scanning?
User consent or blackmail?
The key here is the 'user consent' clause. That's the way to make the scanning of privately shared multimedia files a choice rather than an obligation. The way they plan to do so, however, looks more like blackmail. As we mentioned, if you want to share a photo, video, or URL with your friend on WhatsApp you must give consent, or just stick to texting, calls, and voice messages.
Commenting on this point, Digneaux said: "There is no consent. There is no choice. If innocent users don’t agree to let the authorities snoop on their messages, emails, photos, and videos they will simply be cut off from the modern world."
Proton isn't alone in feeling this way. A group of over 60 organizations, including Proton, Mozilla, Signal, Surfshark, and Tuta, alongside 50+ individuals, signed a joint statement voicing their concerns about the new proposal.
"Coerced consent is not freely given consent," wrote the group. "If the user has no real choice, feels compelled to consent, or would de facto be barred from the service if they do not consent, then the consent given will not be freely given."
Worse still, experts also warned that such intrusive powers might end up being unfit for catching the bad guys. That's because cybercriminals could simply embed the illegal photos or videos in a different type of file, for instance. Moreover, as Digneaux pointed out, criminals already use their own services to conduct illegal activity.
A rebrand of client-side scanning
The plan to perform CSAM scanning while protecting encryption also includes a new 'upload moderation' provision. Legislators seek to implement content detection before content is transmitted, and so before it is encrypted. Again, tech experts believe this approach is "a mere cosmetic change" from the Chat Control proposal.
The original bill pushed for client-side scanning instead, a method that requires the device to automatically analyze files for unlawful material and flag them to authorities. To date, there's no way to do this without creating dangerous backdoors into the encryption. This is further supported by the fact that the UK postponed its client-side scanning provision for the Online Safety law until it is "technically feasible" to do so.
However, experts now argue that scanning messages at the upload point also defeats the end-to-end principle, complete protection between the sender and receiver, that characterizes strong encryption. They warn this may create new security vulnerabilities for third parties to exploit too.
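As an added illustration (not code from the article or from any provider named in it), here is a small stdlib-only Python model of the two paths: a pure end-to-end attachment send, and the same send with a hypothetical 'upload moderation' hook that runs before encryption behind a consent gate. The ModerationService class, its hash list and the toy cipher are constructed for the example; the point is which component handles plaintext-derived data in each case.

```python
# Added example, not from the article: toy model of an end-to-end encrypted
# attachment path, with and without a pre-encryption 'upload moderation' hook.
import hashlib
import os

# Toy stream cipher (SHA-256 in counter mode) so the example needs only the
# standard library; a real messenger would use AES-GCM or a Signal-style ratchet.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ModerationService:
    """Hypothetical scanning component that runs BEFORE encryption (constructed)."""
    def __init__(self, known_hashes: set[str]):
        self.known = known_hashes
        self.observed: list[str] = []      # content-derived data it has received

    def check(self, plaintext: bytes) -> bool:
        fp = fingerprint(plaintext)
        self.observed.append(fp)           # a party other than sender/recipient
        return fp in self.known            # now holds data about every upload

def send_e2ee(key: bytes, attachment: bytes) -> bytes:
    """Pure end-to-end path: only ciphertext leaves the sender's device."""
    return encrypt(key, attachment)

def send_with_upload_moderation(key: bytes, attachment: bytes,
                                service: ModerationService, consent: bool):
    """Scheme as described in the article: no consent, no attachments;
    with consent, the file is scanned first and only then encrypted."""
    if not consent:
        raise PermissionError("attachment sharing unavailable without consent")
    if service.check(attachment):
        return None                        # flagged before it is ever encrypted
    return encrypt(key, attachment)
```

In the pure path, `ModerationService.observed` stays empty no matter how many attachments are sent; in the moderated path it grows by one entry per upload, which is the extra party the end-to-end guarantee was meant to exclude.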
Digneaux deemed the move as just a "disingenuous rebrand" of client-side scanning. He told me: "No matter what the Presidency claims, it is not a silver bullet to protect privacy. It’s simply a backdoor to encryption in disguise. European users will become ideal targets for hackers, putting people and businesses more at risk."
Signal: "Signal strongly opposes this proposal. Let there be no doubt: we will leave the EU market rather than undermine our privacy guarantees. This proposal--if passed and enforced against us--would require us to make this choice. It's surveillance wine in safety bottles." https://t.co/i8D4Mlcrgd (May 31, 2024)
This is why secure end-to-end encrypted messaging apps like Signal (see above) are already reiterating they will leave the EU market rather than undermine privacy protections.
As Netzpolitik reported, though, member states remain divided on the new approach. During a meeting held at the end of May, Germany and the Czech Republic expressed reservations about the Belgian proposal to scan messages before they are encrypted. Austria, Estonia, and Luxembourg also criticized the 'user consent' provision. France said it could accept 'upload moderation' with user consent but demanded that "there should be no circumvention of encryption."
Overall, though, France seems more positive about the proposal and ready to find a compromise that could work for all. That's also why the country's support is set to be decisive for the final agreement.
"We’re counting on France to maintain its support for cybersecurity, encrypted services, and privacy," Digneaux told me. "If these proposals are not thrown out now we risk dismantling the vital cybersecurity protections that encryption offers putting everyone at risk. But saddest of all, EU citizens will be treated as guilty before being proven innocent by the very people appointed to protect them."
It is also worth noting that legislators plan to exempt staff of intelligence agencies, police, and the military from the CSAM scanning.