Surveillance is Still Surveillance, No Matter What You Call It
A bit of good news on the EU's controversial 'Spy in your pocket' legislation, and what you can do to help kill this thing.
Yesterday marked what I hope is a trend. The EU Council, hoping to surreptitiously slide in a vote to kill end-to-end encryption (E2EE), was chastened and backed down. After receiving thousands of messages online, by phone, and by email from worried EU citizens, the European Council agreed to pause its vote on controversial legislation that would put a digital spy in (almost) everyone's pocket.
This has been a very long (since at least May 2022) and, some might assert, relentless attempt by certain EU politicians and countries, including #Ireland, to deploy mass surveillance on the entire EU population, and in particular on users of E2EE technologies like WhatsApp/Messenger, Signal, and Threema. The current approach favored by the politicians (commonly referred to as ChatControl 2.0) is to force providers of E2EE apps and other secure services to enforce automated, always-on client-side scanning of all messages, texts, images, etc., and to automatically report the bad stuff (for now, CSAM and 'grooming behavior') to various law enforcement authorities. There is divergence between the EU Commission, Parliament, and current EU Council versions, and some versions would also include encrypted and other email, cloud storage, and video conferencing.
The most recent progress report would also exempt law enforcement, national security, the military, and others engaged in 'maintaining law and order' (p. 4 of the Progress Report). The latest proposal also includes a 'consent' requirement -- however, anyone who does not consent to scanning would be permanently barred from receiving images, photos, videos, or links via chat applications. It's pay-or-ok, but the payment is selling out our fundamental rights and freedoms to a private life, intimate conversations, association, and liberty.
But Carey, Doesn't This Already Exist?
There's currently a voluntary program (ChatControl 1.0) in place that certain unencrypted chat services (like Google Chat, Instagram Messenger, Skype, and Snapchat) comply with, and if you've been using those services, know that you're being spied upon.
Forcing all providers to do this would be a dream for totalitarians, dictators, and law enforcement, wrapped in the cozy and morally righteous blanket of protecting the children. In reality, it would be a real-time, always-on spy in our pockets that would erode democracy and be abused to monitor anything and everything governments deem to be bad, for the children.
MEP Patrick Breyer has been an unstoppable force for good; he has chronicled the whole affair and fought passage of ChatControl 2.0 and its various incarnations for years. I encourage you to read his deeply informative website on the subject. EDRi also maintains an excellent and comprehensive page on the subject.
Like so many tech-based solutions proposed by politicians, the underlying tech itself is ineffective or frankly just doesn't exist in the way the politicians think it does (smart AI, for instance). The client-side scanning and hash detection currently used as part of ChatControl 1.0 is prone to false positives. As Breyer notes, "According to the Swiss Federal Police, 80% of the reports they receive (usually based on the method of hashing) are criminally irrelevant. Similarly in Ireland only 20% of NCMEC reports received in 2020 were confirmed as actual “child abuse material.”" Even child protection advocacy organizations recognize this approach doesn't work.
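The base-rate arithmetic behind statistics like those, as an added illustration that is not part of the original post: when almost everything scanned is lawful, even a small false-positive rate swamps the genuine matches. Every rate below is a constructed assumption (the post reports outcomes, not the underlying rates), chosen so the result lands near the 20% Irish figure.

```python
"""Expected outcome of an always-on hash-matching scanner over a large
message volume. Added illustration; all rates are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanOutcome:
    true_positives: float   # illicit items correctly flagged
    false_positives: float  # lawful items flagged anyway
    missed: float           # illicit items the matcher did not flag

    @property
    def reports(self) -> float:
        """Everything forwarded to authorities, correct or not."""
        return self.true_positives + self.false_positives

    @property
    def precision(self) -> float:
        """Share of reports that are actually illicit (positive predictive value)."""
        return self.true_positives / self.reports if self.reports else 0.0


def scan_population(volume: int, prevalence: float, sensitivity: float,
                    false_positive_rate: float) -> ScanOutcome:
    """Expected counts when every one of `volume` items is scanned.

    prevalence:          fraction of items that are actually illicit
    sensitivity:         fraction of illicit items the matcher flags
    false_positive_rate: fraction of lawful items the matcher flags anyway
    """
    illicit = volume * prevalence
    lawful = volume - illicit
    return ScanOutcome(
        true_positives=illicit * sensitivity,
        false_positives=lawful * false_positive_rate,
        missed=illicit * (1.0 - sensitivity),
    )


if __name__ == "__main__":
    # Constructed scenario: one billion scanned items, 1 in 100,000 illicit,
    # a matcher that catches 90% of them and mis-flags 0.0036% of lawful items.
    out = scan_population(10**9, 1e-5, 0.90, 3.6e-5)
    print(f"reports: {out.reports:,.0f}, of which lawful: {out.false_positives:,.0f}")
    print(f"precision: {out.precision:.0%}")  # about 20%: four in five reports are irrelevant
```

Lowering the false-positive rate by raising the match threshold trades directly against sensitivity, so the lawful-report share cannot be engineered away at this scale.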
There's also a whole separate bit of age verification which is gross, and would compromise the fundamental rights and freedoms of children and adults alike, by requiring disproportionate data collection and misuse in order to keep kids away from such tools. The US is trying similar nonsense, and this seems to be a favored approach by other democracy-hating governments around the world.
Current Status
After some success in November 2023, when the European Commission said that any efforts would protect E2EE, the various branches including the European Council met up again in March and strategized on more clever language. Gone was 'client-side scanning' -- in its place was 'upload moderation'. Sadly, while the terms changed, the consequences remain the same -- it's still mass surveillance via a backdoor implementation of tech that erodes our ability as citizens to communicate freely, privately, and securely with one another. To conduct lawful business free from prying eyes. To engage in associative speech on controversial subjects, to share intimacies between adults, or to allow teens to explore and learn about themselves and the world in a way that doesn't criminalize them from an early age.
ChatControl instead assumes that if the computer says guilty, you are, in fact, a criminal.
Fortunately, the Council decided to hit the pause button on the latest version of ChatControl (which had already been delayed from Wednesday), at least for now. I'm sure the vocal outcry from folks online and off (myself included) helped. Not that I was able to call Ireland's Permanent Representative in Brussels -- their number doesn't work. I did, however, send an email and actually used Twitter constructively, so...
And you should as well. Patrick Breyer has loads of helpful suggestions on how you can get involved, contact your MEPs, Permanent Representatives and local politicians, and try to kill this terrible idea once and for all. I encourage you to reach out and encourage politicians to do the right thing and preserve our fundamental rights and freedoms.
One of the biggest issues I have with legislation that flirts with breaking/banning E2EE is that the problem space it is attempting to deal with is often not fully set out. In particular, the big missing piece here I think is how E2EE environments are being used for illegal activity and therefore whether law enforcement having access to such environments would actually help with the detection and prevention of illegal activity. I have not come across particularly convincing evidence on the prevalence of illegal activity on E2EE platforms that could justify intervention by LEAs, especially given the severe privacy implications.
However, I appreciate that having a definitive answer to this is difficult because in a true E2EE environment, both platforms and LEAs do not have the visibility to make worthy predictions on prevalence. I know WhatsApp resorts to using "unencrypted data" and user reports, but I cannot imagine that this is sufficient for determining the true prevalence of illegal activity (or child abuse to be more specific): https://faq.whatsapp.com/5704021823023684
I've written previously about the lack of evidence on this from the LEA side of the debate (https://www.thecybersolicitor.com/p/notes-on-e2ee-and-client-side-scanning).