Earlier this year, we covered an EU legislative proposal which has the potential to undermine the digital privacy of millions of Europeans.
The proposed EU CSA Regulation (CSAR) is intended to combat and prevent online child abuse. Among other measures, it proposes giving authorities the capability to directly access or otherwise monitor end-to-end encrypted (E2EE) communication. E2EE communication protocols (such as those used by WhatsApp and Signal) are designed to allow only the intended recipients to read the contents of messages.
The monitoring element of the CSA regulation has been dubbed 'chat control' by the civil society groups and companies who are campaigning against it. It describes certain experimental methods of surveilling the content of encrypted communication without breaking encryption. This is typically accomplished by scanning the content of messages (specifically images) on the device where they are either sent or received i.e. client-side scanning.
The CSAR proposal is currently being debated by the EU's member states.
An EU Council document recently leaked to WIRED Magazine sheds light on the positions of 20 EU member states vis-a-vis certain aspects of this proposal. Of these 20, 15 support some form of client-side scanning of private encrypted communication.
Spain represents the hard line, advocating for an outright ban on E2EE communication: "Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption."
Sign up for the Tailored Access newsletter
Weekly insights into tech culture, information security and othern modern phenomena.
No spam. Unsubscribe anytime.
Hungary also takes aim at the "problems" caused by E2EE and suggests the need for alternative solutions for government surveillance: "New methods of data interception and access are needed to maintain law enforcement capabilities, based on cooperation of with major international online platforms and smart device manufacturers." This seems to suggest exploring solutions similar to Apple's client-side scanning software NerualHash, which was discontinued in December 2022 amid privacy concerns and fears (which have since been proven) that the system could be weaponized.
On the opposite end of the spectrum, Germany opines that the "CSA Regulation must uphold fundamental rights, in particular when it comes to protecting the confidentiality and privacy of communication." It goes on: "...Germany believe it is necessary among other things to state in the draft text that no technologies will be used which [will] disrupt, weaken, circumvent or modify encryption"
Finland and the Netherlands argue along similar lines, urging restraint with respect any provisions which may impair or circumvent E2EE communication.
The remaining EU member states fall somewhere in the middle.
For Croatia, the "right to privacy is not an absolute right" and must therefore be weighed against the needs of children to privacy and "life." Similarly, Romania would "tip the scales toward protecting children" while at the same time saying that "nothing in the proposed CSA Regulation should be interpreted as prohibiting or weakening end-to-end encryption." It's not clear how such seemingly contradictory stances could eventually be reconciled.
The EU has 27 member states, which means that the position of seven countries are not represented in the document. This includes France, which has previously come out in favor of protecting E2EE.
Germany spearheads national efforts against chat control
Perhaps the most significant political opposition to chat control comes from Germany. In May, Justice Minister Marco Buschmann and his peers from Austria, Lichtenstein, Luxembourg and Switzerland drafted a joint letter (German language link) to the justice ministers of other EU member states.
Mr Buschmann argues that justice ministers should get involved in the discussion around the CSA proposal as it "raises serious fundamental rights concerns." He goes on: "The majority of the experts surveyed concluded that the use of technology to detect so-called unknown child abuse material and cybergrooming lead to an increase in incorrectly reported content ("false positives") and a decrease in accuracy..."
Furthermore, he states that the "envisaged regulation relating to personal communication is likely to affect the essence of Articles 7 and 8 of the Charter" - legal incursions which are "even more severe when encrypted communication is involved". This refers to the EU Charter of Fundamental Rights. Articles 7 and 8 regulate respect for private and family life and the protection of personal data respectively.
Mr Buschmann's letter is the first major mobilization of national political interests against the CSA Regulation.
European Pirate Party: "European Citizens Are Not Being Told"
Among the most outspoken critics of the CSA Regulation at the EU level is MEP Patrick Breyer of the European Pirate Party. A member of the European Parliament since 2019, Mr Breyer has been a staunch advocate for digital freedom and fundamental rights. He describes the role of his party as follows:
Pirates strive to protect fundamental rights in the digital age. We are experts in digital technology, but also in critical thinking. ... We don’t find everything that you can do with digital technology great—we understand the risks and the limits. And especially in the case of fundamental rights, digital technologies have the potential to create an oppressive surveillance state. And that’s what we’re trying to prevent.
According to Mr Breyer, the reason we're not seeing a greater public outcry about CSAR is that "European citizens are actually not being told the truth about the proposal and its devastating consequences." Independent fact checkers have repeatedly called out Home Affairs Commissioner Ylva Johansson for using misinformation in her arguments supporting the CSAR. For example, the figures cited by Ms Johansson regarding the accuracy of image detection technologies were unverified claims from private companies.
Mr Breyer finds it remarkable that the CSAR debate has created rifts within party groups and has attracted the interest of MEPs who normally wouldn't get involved with digital privacy matters. However, he believes this may not be enough to form a blocking majority against the regulation:
I think that the provisions to backdoor even end-to-end encrypted messages will be removed from the proposal, but I don’t yet see a majority willing to remove the mass scanning of non-suspects or the destruction of anonymous communications by mandatory age verification.
The CSAR proposal is being propelled through the legislative process at breakneck speed. It may be implemented before the end of 2023.
Did you enjoy reading this article? Do you want to stay up-to-date with the latest stories about tech culture, information security and other modern phenomena?
If yes, please consider subscribing. It's free, and your support will enable me to write more and cover new topics in the future. Thank you!