Chat Control May Finally Be Dead: European Court Rules That Weakening Encryption Is Illegal!

First the EU Parliament, now the court: client-side scanning may not be rolled our after all. A huge win for privacy advocates!

2024-02-20 / First published: 2023-03-05
Chat control is pushed for by the EU Commission, but opposition is HUGE.
On February 13th, Europe received an early Valentine’s gift from the European Court of Human rights when they banned any laws that aims to weaken end-to-end encryption. This ruling is a major stumbling block for the EU Chat Control Bill, but does it really mean that Chat Control is dead? There are many reasons why Chat Control should never become law, we've collected the turn of events and steps you can take to help prevent this dangerous bill from ever being passed!

EU stands with encryption, not surveillance

The EU Court ruled that “Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications. The Court takes note of the dangers of restricting encryption described by many experts in the field.” Any requirement to build in backdoors to encryption protocols for law enforcement agencies could also be taken advantage of by malicious actors.

The EU Court of Human Rights’ also builds on their acknowledgment that “mass surveillance does not appear to have contributed to the prevention of terrorist attacks, contrary to earlier assertions made by senior intelligence officials.”

The EU Commission and Encryption

As the EU Commision’s Chat Control Bill directly targets undermining secure end-to-end encryption, it now looks to be in trouble. In its current version, the Chat Control bill would require the scanning of content on your personal devices, including that which is sent via end-to-end encrypted messenger apps or encrypted email. At some point, providers would be required to either break this encryption to allow the scanning of content or scan content once it has been decrypted and is readable.

That's why we at Tuta - together with a coalition of privacy-first companies - have called on EU member states to defend strong encryption in the upcoming Chat Control discussions with an open letter.

Now, the good news have taken us by surprise that this letter might not have been necessary in the first place!

Following the new ruling by the EU Court of Human Rights, the breaking of encryption to allow client-side scanning will not be possible. This is a huge win for online privacy and digital security!

Is Chat Control Finished?

Patrick Breyer stated “EU governments will now have no choice but to remove the destruction of secure encryption from their position on this proposal – as well as the indiscriminate surveillance of private communications of the entire population.” But does this mean that Chat Control is completely off the table?

In short: no, Chat Control is not completely dead - but it could be buried any day now. However, at the moment multiple meetings are still scheduled to discuss changes to the legislation. Regardless, this move by the EU Court of Human Rights is a major win for privacy and it gives added protection to end-to-end encryption.

We've interviewed Patrick Breyer on Chat Control to learn more about his expertise and why he coined the term Chat Control.

Update November 2023: EU Parliament Decides That Your Private Messages Must Not Be Scanned!

Huge privacy win: EU Court of Human Rights and EU Parliament are in favor of strong end-to-end encryption. Historic agreement on chat control proposal: European Parliament wants to remove chat control and safeguard secure encryption.

Chat control - one of the worst EU plans that is also being described as a surveillance monster - must be stopped. And the EU Parliament has just decided to do so! In a historic agreement on the EU Commission's Child Sexual Abuse Regulation (CSAR) the European Parliament wants to remove chat control requirements and safeguard secure encryption. The decision came after extensive backlash against the original proposal from technology and security experts, to international scientists and to citizens across Europe. This is a great win for our right to privacy and for upholding our democratic values in Europe, but the fight continues!

Today the EU Parliament decided on an alternative version of chat control - one that fortunately does not deserve this name anymore: After huge opposition against the surveillance methods included in the CSA Regulation (see 'Opposition against chat control' below), the EU Parliament has decided to uphold every citizen's right to privacy and underlined the importance of upholding our democratic values. We in Europe must not follow autocratic regimes like China and Russia by monitoring all our citizens.

Patrick Breyer, Member of the EU Parliament and part of the CSAR negotiations says:

"Under the impression of massive protests against the looming indiscriminate chat control mass scanning of private messages, we managed to win a broad majority for a different, new approach to protecting young people from abuse and exploitation online. As a pirate and digital freedom fighter, I am proud of this breakthrough. The winners of this agreement are on the one hand our children, who will be protected much more effectively and in a court-proof manner, and on the other hand all citizens, whose digital privacy of correspondence and communication security will be guaranteed."

"Even if this compromise, which is supported from the progressive to the conservative camp, is not perfect on all points, it is a historic success that removing chat control and rescuing secure encryption is the common aim of the entire Parliament. We are doing the exact opposite of most EU governments who want to destroy digital privacy of correspondence and secure encryption. Governments must finally accept that this highly dangerous bill can only be fundamentally changed or not be passed at all. The fight against authoritarian chat control must be pursued with all determination!"

What did the EU Parliament decide?

Breyer writes on his website that internet services and apps must be "secure by design and default". The EU Parliament has agreed to:

"safeguard the digital secrecy of correspondence and remove the plans for blanket chat control, which violate fundamental rights and stand no chance in court. The current voluntary chat control of private messages (not social networks) by US internet companies is being phased out. Targeted telecommunication surveillance and searches will only be permitted with a judicial warrant and only limited to persons or groups of persons suspected of being linked to child sexual abuse material."

A huge win for our privacy rights is also that the EU Parliament has decided to "clearly exclude so-called client-side scanning".

In contrast to the original chat control proposal, the version of the EU Parliament wants that a new EU Child Protection Centre proactively searches publicly accessible parts of the internet for child sexual abuse material with automatic crawling, which can also take place in darknet and would be much more efficient than private surveillance measures by providers. Found abuse material must be reported and taken down by the provider.

Fight is not over

While the EU Parliament's decision is a huge win, the fight is not over. It is expected that the EU Commission will continue to push for general surveillance chat control measures. Now is the time for each and everyone of us to join this fight!

You can help fight chat control and uphold our right to privacy. Check at the end of this post, what you can do!

Opposition against chat control

Chat control has been in discussion for along time already, and the criticism of this draft bill is huge. Significant is not only that technology and security experts agree that client-side scanning is not possible without risking everyone's security. Also scientists, the general public, even the EU's Research Service oppose the EU Commission's chat control proposal.

Update June 2023: Scientists letter to EU Parliament

300 scientists from all around the world have sent an open letter to the EU Parliament to call on policymakers to stop chat control, the EU’s proposed Child Sexual Abuse Regulation. They say while it is the responsibility of politicians to protect children from sexual abuse, "it is our professional recommendation as scientists that such a proposal be not taken forward" because the scanning techniques the EU is proposing to use are deeply flawed and would endanger the security of everyone using the internet.

The scientists make the EU proposal look like wishful thinking: "Given the horrific nature of child sexual abuse, it is understandable, and indeed tempting, to hope that there is a technological intervention that can eradicate it. Yet, looking at the issue holistically, we cannot escape the conclusion that the current proposal is not such an intervention."

There is no magic key that allows the police to scan all chat messages, emails, and more for harmful content while not risking the security and privacy of everyone. This is technically not possible.

The scientists argue that chat control is too much of a threat to everyone and therefore must be stopped:

"First and foremost, we acknowledge that child sexual abuse and exploitation is a very serious crime which can cause lifelong harm to survivors. It is the responsibility of government authorities, with the support of companies and communities, to undertake effective interventions which prevent this crime and react to it quickly when it does happen."

"The European Commission has proposed a law with the stated aim of stopping the spread of child sexual abuse material online and of grooming of children online. To do so, the law allows authorities to compel providers of any apps or other online services to scan the messages, pictures, emails, voice mails and other activities of their users. In the case of end-to-end encrypted apps, the claim is that this scanning can be done on users’ devices – so-called ‘Client-Side Scanning’ (CSS)."

"Passing this legislation undermines the thoughtful and incisive work that European researchers have provided in cybersecurity and privacy, including contributions to the development of global encryption standards. Such undermining will weaken the environment for security and privacy work in Europe, lowering our ability to build a secure digital society."

"The proposed regulation would also set a global precedent for filtering the Internet, controlling who can access it, and taking away some of the few tools available for people to protect their right to a private life in the digital space. This will have a chilling effect on society and is likely to negatively affect democracies across the globe."

"We therefore strongly warn against pursuing these or similar measures as their success is not possible given current and foreseeable technology, while their potential for harm is substantial."

You can read the full open letter here.

Update April 2023: EU's Research Service opposes chat control

In April, the European Parliament's Research Service (EPRS) presented a new study on the legality of the proposed Child Sexual Abuse Regulation, also called Chat Control.

The EU Commission's plans to fight images of abused children on the Internet are not very effective and violate the fundamental rights of Internet users, according to this analysis on chat control. While the number of reported cases is likely to go up significantly, the accuracy of the hits is likely to also decrease significantly, increasing the burden on investigative authorities.

Threats of draft EU law

The legal experts of the EU Parliament's Scientific Service conclude that:

"when weighing the fundamental rights affected by the measures of the CSA proposal, it can be established that the CSA proposal would violate Articles 7 and 8 of the Charter of Fundamental Rights with regard to users."

The report also says if chat control becomes a law "that this violation of the prohibition of general data retention and the prohibition of general surveillance obligations cannot be justified."

"A detection order on the content of interpersonal data either on the device or the server will compromise the essence of the right to privacy under Article 7 CFR in the form of confidentiality of telecommunications. It constitutes a form of access on a generalised basis, pursuant to Schrems, where it involves an analysis of all communications going through the server.“

The experts made clear that an "increase in the number of reported contents does not necessarily lead to a corresponding increase in investigations and prosecutions leading to better protection of children. As long as the capacity of law enforcement agencies is limited to its current size, an increase in reports will make effective prosecution of depictions of abuse more difficult."

In addition, the study on chat control finds: "It is undisputed that children need to be protected from becoming victims of child abuse and depictions of abuse online... but they also need to be able to enjoy the protection of fundamental rights as a basis for their development and transition into adulthood."

Pirate Party MEP Patrick Breyer, long-time opponent of mass scanning of private communications, comments:

"The EU Parliament's Scientific Service now confirms in crystal clear words what I and numerous human rights activists, law enforcement officials, legal experts, abuse victims and child protection organisations have been warning about for a long time: the proposed general, indiscriminate scanning of our private conversations and photos destroys the digital privacy of correspondence and violates our fundamental rights. A flood of mostly false suspicious activity reports would make effective investigations more difficult, criminalise children en masse and fail to bring the abusers and producers of such material to justice. According to this expertise, searching private communications for potential child sexual exploitation material, known or unknown, is legally feasible only if the search provisions are targeted and limited to persons presumably involved in such criminal activity."

"What we really need instead of untargeted chat control and identification obligations for age verification is obliging law enforcement agencies to have known exploitation material removed from the internet, as well as Europe-wide standards for effective prevention measures, victim support and counselling, and for effective criminal investigations."

This is also the view of many other experts, such as Mullvad, Edri and others.

Stop chat control

Mullvad really nailed it with their campaign!

Chat control is one of the worst EU plans to date and must be stopped. Mullvad VPN has recently launched a great campaign to fight for democracy.

Mullvad campaign against chat control.

Mullvad's campaign, launched on March 3rd, calls on EU policy makers to stop chat control and rethink their stance in regards to the EU Commission's proposal for detecting and prosecuting the sharing of child sexual abuse material (CSAM) via the internet. The EU proposal includes far-reaching surveillance measures such as client-side scanning, which would force online services to scan every chat message and every email that anybody in the European Union ever sends for child sexual abuse material.

This legislation would de facto deprive EU citizens of any privacy on the Internet, it would even undermine encryption and thus weaken the security of all Internet users.

For that reason, the EU plans to scan for CSAM is heavily criticized by cryptography experts, human rights organizations as well as internet activists across Europe.

Most recently, Germany has made its opposition to client-side scanning public. With resistance in Germany, Ireland, Austria and the Netherlands to the EU proposal, a blocking minority is within reach.

Perfect timing

Mullvad adds to the pressure with their new campaign, which was launched during the Swedish EU Presidency, which started on 1st of January 2023. The timing, thus, couldn't be better.

Mullvad says on their campaign page:

Now is the time for debate and actions

A democratic society is built upon discussions, before law proposals become reality. We started the conversation on the streets of Sweden, during the country’s EU presidency.

Along with the digital campaign, they posted large billboards across Sweden to draw attention to the ongoing legal debate on EU level.

Background info

Opposition to chat control

The digital rights organization EDRi has recently launched the 'Stop Scanning Me' campaign where EU citizens can sign a petition against the EU's surveillance plan.

Sign the Stop Scanning Me campaign now!

What is chat control?

The Eu proposal on chat control wants to force online services to AI scan every message and every email for possible child grooming and child sexual abuse material (known and unknown). Suspicious messages flagged by the AI will be reported to law enforcement and investigated.

Machine searching for potential child grooming and sexual abuse material is an artificial intelligence (AI) supported procedure. The AI is not flawless and will flag a high number of harmless, private images, which will then be investigated by the police. Experts expect that 10-20% of images reported will be false positives.

This is a huge intrusion into the privacy of millions of innocent citizens.

The European Date Protection Supervisor Wiewiórowski calls it an 'illusion of legality': This type of indiscriminate scanning of private communications "will always be illegal under the Charter of Fundamental Rights (and probably under several national constitutional laws as well)."

The risks

To many the risks of chat control are negligible. After all, as law-abiding citizens what is there to fear?

But the truth is the opposite: The risks of a surveillance tool like chat control are unlimited.

1. You don't know whether the laws will change.

Jan Penfrat said it perfectly on Mastodon:

"You have nothing to hide until the government suddenly declares your behaviour illegal."

Chat control becomes very dangerous as soon as your behaviour is declared illegal. It must be stopped.

The text on the image he posted is taken from news that broke this week via the Business Insider: "Police are prosecuting abortion seekers using their digital data — and Facebook and Google help them do it".

2. Compromised encryption is not encryption

Once you break encryption to allow access to the 'good guys', the security and privacy promised by encryption is gone.

It is simply not possible to implement an encryption backdoor that can only be used by law enforcement.

This is also nicely illustrated by the best of backdoor fails in history. The truth is: Secret services have tried to undermine encryption before, but whenever they were successful, others were too. Malicious intruders have become very powerful.

We in Europe must not weaken the security backbone that our digital life depends on: Encryption.

Let's stop client-side scanning

Now we, as citizens of Europe and members of the civil society, must put pressure on legislators to oppose legislation that will put every email and every chat message that we send under constant surveillance.

We can stop chat control together!

  1. Share the Mullvad campaign to increase the pressure on politicians.

  2. Call/email your EU representative to make your voice heard: "Stop CSAM scanning. I do not want my personal device to become a surveillance machine!"

  3. Sign the Stop Scanning Me campaign.

Together we can stop chat control!