A controversial proposal to scan encrypted chats threatens Europeans’ privacy in a way that is never seen before.
At the time European Commissioner for Home Affairs Ylva Johansson first proposed the Child Sexual Abuse Regulation (CSAR) in May 2022 as a solution to the spread of child sexual abuse material (CSAM).
What’s been deemed by its critics Chat Control has seen many twists and turns since then, with technologists and digital rights experts continuing to warn against the privacy and security risks of undermining encrypted communications.
While it failed to gain full support so far, the divisive proposal keeps coming back on lawmakers’ agenda with the next voting having taken place on 12 December 2024.
The encryption conundrum
The EU CSAM scanning proposal has seen some of its wording and provisions changed over the last two years. Yet, the core of the matter (and the main issue for those against it) remains – the risk of weakening encryption.
Encryption refers to scrambling data into an unreadable form to prevent third-party access. Encrypted messaging apps such as WhatsApp or Signal ensure your messages stay private between you and your receiver, protecting you from end-to-end.
As per the first version of the so-called Chat Control, all messaging software providers, no matter if they use encryption, would have been required to perform indiscriminate scanning of private messages on the lookout for CSAM – so-called ‘client-side scanning’.
Tech experts, however, have long argued that there’s no way to break encryption safely, warning against the creation of vulnerable backdoors that malicious actors could exploit.
Do you know?
Encrypted communications are so crucial that an “unprecedented cyberattack” sparked an urgent warning from US authorities for citizens to switch to these services. “If anti-encryption advocates had their way, the United States would now be defenseless to this type of mass snooping from a foreign power,” noted Greg Nojeim of the Center for Democracy & Technology (CDT).
This is also why a similar proposal in the UK, the Online Safety Act, halted its side-scanning provision until “it’s technically feasible to do so.” In February 2024, the European Court of Human Rights then banned all legal efforts to weaken encryption of secure communications in Europe.
All these legal and technical challenges pushed lawmakers to present a new version of the EU proposal last June. Here the targets are shared photos, videos, and URLs instead of text and audio messages upon users’ permission. There’s a caveat, though – you must consent to the shared material being scanned before being encrypted to keep using the functionality.
This wording made privacy experts furious, with Meredith Whittaker, President of the Signal Foundation, labeling this so-called ‘upload moderation’ as a mere “rhetorical game.”
Yet another Chat Control version was then leaked by Politico in September. Communications providers would be free to decide whether or not to use artificial intelligence to flag images and text chats as suspicious. These companies, however, would be required by law to scan all user chats and report when they found illegal content.
What European lawmakers present as a balance between privacy, security, and child protection, for digital rights and tech experts it still compromises encryption’s integrity.
“Scanning is still scanning, regardless of the type of content it seeks, including both known or unknown CSAM,” reads the Global Encryption Coalition’s statement published on September 16, adding that upload scanning could be easily circumvented while creating new security vulnerabilities for criminals to exploit.
“In short, it will not solve the problem of the online spread of child sexual abuse material but will introduce significant security risks for all citizens, companies, and governments.”
Who’s in favor?
Finding a balance between protecting online anonymity and fighting crime has long been a priority for law enforcement since the beginning of the internet.
As social media became increasingly widespread, statistics show how the spread of CSM and grooming practices have been “proliferating at an alarming rate.” Reports grew by more than 300% between 2012 and 2023 alone, for instance, with most coming from Europe.
Naturally, finding a solution to address issues around child safety online became a pressing matter for lawmakers, but also for many organizations advocating to address online harms against the youngest.
🇬🇧Orban insists: First public vote on #ChatControl scheduled for Thursday! https://t.co/YwSVS70sOs +++ Silence no more: Which countries will support destroying the privacy of correspondence and secure #encryption? +++ Criticism from Austria and Slovenia: https://t.co/XuKcT5JZ4e pic.twitter.com/LzUXVx4kVrDecember 10, 2024
This is exactly why the new European commissioner for internal affairs and migration, Magnus Brunner, said to be “convinced of the necessity and urgency to adopt the proposed regulation.”
As per the European Pirate Party’s latest data (see tweet above), the great majority of EU members are currently supporting the current version of the CSAR. Even nations like France, Italy, Portugal, and Belgium, who previously were either undecided or against, have now joined the in-favor list.
Who’s against?
Cryptographers, privacy advocates, some politicians, and tech companies keep raising concerns over the proposed CSAM scanning regulations. The latter category includes encrypted messaging apps like WhatsApp and Signal, secure email providers such as Proton Mail and Tuta, and even some of the best VPN providers on the market.
The team behind Swedish Mullvad VPN has been especially vocal against it since last year, investing both money and energy to raise awareness around the risks of the EU Chat Control.
For instance, when Sweden held the Presidency of the EU Council – between January and June 2023 – the team even put up banners in Stockholm airport and around the streets of both Stockholm and Guttenberg for both politicians and citizens to see.
Besides the risks of undermining encryption protection, some critics also argue that criminals would probably find new ways to keep committing crimes online.
“The solution is not to go and put a CCTV camera in everyone’s bedroom in case they do something illegal,” Matthew Hodgson, CEO and CTO of Element, told TechRadar back in 2023. “I would argue that you can still do a lot of infiltration and frankly education because it’s clearly a social problem. What you don’t do is blanket surveillance.”
While Sweden is now supporting the latest version, Finland managed to stop the proposal during the December 6 voting session as it joined Estonia, Czech Republic, Austria, Germany, Luxemburg, Netherlands, Poland, and Slovenia in the against list.
What’s next?
As mentioned earlier, the Hungarian EU Presidency is expected to hold the first public voting on the CSAM scanning proposal on Thursday, December 12. Hence, everything could change after the vote.
What’s certain, though, the so-called Chat Control isn’t the only effort to give law enforcement more means to monitor people’s activities online.
The European Commission has established a high-level working group whose aim is precisely working on “access to data for effective law enforcement.” The process has developed largely behind closed doors so far, with civil society denied a chance to take part.
Some of their work officially went public last June with a leaked 42-point plan to make the digital devices we use every day, from smartphones and smart homes to IoT devices and even cars, legally and technically monitorable at all times by law enforcement bodies.
We then expect to see more friction occurring over the year on this front – both in Europe and beyond.