Today the EU Parliament decided on an alternative version of chat control - one that fortunately does not deserve this name anymore: After huge opposition against the surveillance methods included in the CSA Regulation (see 'Opposition against chat control' below), the EU Parliament has decided to uphold every citizen's right to privacy and underlined the importance of upholding our democratic values. We in Europe must not follow autocratic regimes like China and Russia by monitoring all our citizens.
Patrick Breyer, Member of the EU Parliament and part of the CSAR negotiations says:
"Under the impression of massive protests against the looming indiscriminate chat control mass scanning of private messages, we managed to win a broad majority for a different, new approach to protecting young people from abuse and exploitation online. As a pirate and digital freedom fighter, I am proud of this breakthrough. The winners of this agreement are on the one hand our children, who will be protected much more effectively and in a court-proof manner, and on the other hand all citizens, whose digital privacy of correspondence and communication security will be guaranteed."
"Even if this compromise, which is supported from the progressive to the conservative camp, is not perfect on all points, it is a historic success that removing chat control and rescuing secure encryption is the common aim of the entire Parliament. We are doing the exact opposite of most EU governments who want to destroy digital privacy of correspondence and secure encryption. Governments must finally accept that this highly dangerous bill can only be fundamentally changed or not be passed at all. The fight against authoritarian chat control must be pursued with all determination!"
Breyer writes on his website that internet services and apps must be "secure by design and default". The EU Parliament has agreed to:
"safeguard the digital secrecy of correspondence and remove the plans for blanket chat control, which violate fundamental rights and stand no chance in court. The current voluntary chat control of private messages (not social networks) by US internet companies is being phased out. Targeted telecommunication surveillance and searches will only be permitted with a judicial warrant and only limited to persons or groups of persons suspected of being linked to child sexual abuse material."
A huge win for our privacy rights is also that the EU Parliament has decided to "clearly exclude so-called client-side scanning".
In contrast to the original chat control proposal, the version of the EU Parliament wants that a new EU Child Protection Centre proactively searches publicly accessible parts of the internet for child sexual abuse material with automatic crawling, which can also take place in darknet and would be much more efficient than private surveillance measures by providers. Found abuse material must be reported and taken down by the provider.
While the EU Parliament's decision is a huge win, the fight is not over. It is expected that the EU Commission will continue to push for general surveillance chat control measures. Now is the time for each and everyone of us to join this fight!
You can help fight chat control and uphold our right to privacy. Check at the end of this post, what you can do!
Chat control has been in discussion for along time already, and the criticism of this draft bill is huge. Significant is not only that technology and security experts agree that client-side scanning is not possible without risking everyone's security. Also scientists, the general public, even the EU's Research Service oppose the EU Commission's chat control proposal.
300 scientists from all around the world have sent an open letter to the EU Parliament to call on policymakers to stop chat control, the EU’s proposed Child Sexual Abuse Regulation. They say while it is the responsibility of politicians to protect children from sexual abuse, "it is our professional recommendation as scientists that such a proposal be not taken forward" because the scanning techniques the EU is proposing to use are deeply flawed and would endanger the security of everyone using the internet.
The scientists make the EU proposal look like wishful thinking: "Given the horrific nature of child sexual abuse, it is understandable, and indeed tempting, to hope that there is a technological intervention that can eradicate it. Yet, looking at the issue holistically, we cannot escape the conclusion that the current proposal is not such an intervention."
There is no magic key that allows the police to scan all chat messages, emails, and more for harmful content while not risking the security and privacy of everyone. This is technically not possible.
The scientists argue that chat control is too much of a threat to everyone and therefore must be stopped:
"First and foremost, we acknowledge that child sexual abuse and exploitation is a very serious crime which can cause lifelong harm to survivors. It is the responsibility of government authorities, with the support of companies and communities, to undertake effective interventions which prevent this crime and react to it quickly when it does happen."
"The European Commission has proposed a law with the stated aim of stopping the spread of child sexual abuse material online and of grooming of children online. To do so, the law allows authorities to compel providers of any apps or other online services to scan the messages, pictures, emails, voice mails and other activities of their users. In the case of end-to-end encrypted apps, the claim is that this scanning can be done on users’ devices – so-called ‘Client-Side Scanning’ (CSS)."
"Passing this legislation undermines the thoughtful and incisive work that European researchers have provided in cybersecurity and privacy, including contributions to the development of global encryption standards. Such undermining will weaken the environment for security and privacy work in Europe, lowering our ability to build a secure digital society."
"The proposed regulation would also set a global precedent for filtering the Internet, controlling who can access it, and taking away some of the few tools available for people to protect their right to a private life in the digital space. This will have a chilling effect on society and is likely to negatively affect democracies across the globe."
"We therefore strongly warn against pursuing these or similar measures as their success is not possible given current and foreseeable technology, while their potential for harm is substantial."
You can read the full open letter here.
In April, the European Parliament's Research Service (EPRS) presented a new study on the legality of the proposed Child Sexual Abuse Regulation, also called Chat Control.
The EU Commission's plans to fight images of abused children on the Internet are not very effective and violate the fundamental rights of Internet users, according to this analysis on chat control. While the number of reported cases is likely to go up significantly, the accuracy of the hits is likely to also decrease significantly, increasing the burden on investigative authorities.
The legal experts of the EU Parliament's Scientific Service conclude that:
"when weighing the fundamental rights affected by the measures of the CSA proposal, it can be established that the CSA proposal would violate Articles 7 and 8 of the Charter of Fundamental Rights with regard to users."
The report also says if chat control becomes a law "that this violation of the prohibition of general data retention and the prohibition of general surveillance obligations cannot be justified."
"A detection order on the content of interpersonal data either on the device or the server will compromise the essence of the right to privacy under Article 7 CFR in the form of confidentiality of telecommunications. It constitutes a form of access on a generalised basis, pursuant to Schrems, where it involves an analysis of all communications going through the server.“
The experts made clear that an "increase in the number of reported contents does not necessarily lead to a corresponding increase in investigations and prosecutions leading to better protection of children. As long as the capacity of law enforcement agencies is limited to its current size, an increase in reports will make effective prosecution of depictions of abuse more difficult."
In addition, the study on chat control finds: "It is undisputed that children need to be protected from becoming victims of child abuse and depictions of abuse online... but they also need to be able to enjoy the protection of fundamental rights as a basis for their development and transition into adulthood."
Pirate Party MEP Patrick Breyer, long-time opponent of mass scanning of private communications, comments:
"The EU Parliament's Scientific Service now confirms in crystal clear words what I and numerous human rights activists, law enforcement officials, legal experts, abuse victims and child protection organisations have been warning about for a long time: the proposed general, indiscriminate scanning of our private conversations and photos destroys the digital privacy of correspondence and violates our fundamental rights. A flood of mostly false suspicious activity reports would make effective investigations more difficult, criminalise children en masse and fail to bring the abusers and producers of such material to justice. According to this expertise, searching private communications for potential child sexual exploitation material, known or unknown, is legally feasible only if the search provisions are targeted and limited to persons presumably involved in such criminal activity."
"What we really need instead of untargeted chat control and identification obligations for age verification is obliging law enforcement agencies to have known exploitation material removed from the internet, as well as Europe-wide standards for effective prevention measures, victim support and counselling, and for effective criminal investigations."
This is also the view of many other experts, such as Mullvad, Edri and others.
Chat control is one of the worst EU plans to date and must be stopped. Mullvad VPN has recently launched a great campaign to fight for democracy.
Mullvad's campaign, launched on March 3rd, calls on EU policy makers to stop chat control and rethink their stance in regards to the EU Commission's proposal for detecting and prosecuting the sharing of child sexual abuse material (CSAM) via the internet. The EU proposal includes far-reaching surveillance measures such as client-side scanning, which would force online services to scan every chat message and every email that anybody in the European Union ever sends for child sexual abuse material.
This legislation would de facto deprive EU citizens of any privacy on the Internet, it would even undermine encryption and thus weaken the security of all Internet users.
For that reason, the EU plans to scan for CSAM is heavily criticized by cryptography experts, human rights organizations as well as internet activists across Europe.
Most recently, Germany has made its opposition to client-side scanning public. With resistance in Germany, Ireland, Austria and the Netherlands to the EU proposal, a blocking minority is within reach.
Mullvad adds to the pressure with their new campaign, which was launched during the Swedish EU Presidency, which started on 1st of January 2023. The timing, thus, couldn't be better.
Mullvad says on their campaign page:
Now is the time for debate and actions
A democratic society is built upon discussions, before law proposals become reality. We started the conversation on the streets of Sweden, during the country’s EU presidency.
Along with the digital campaign, they posted large billboards across Sweden to draw attention to the ongoing legal debate on EU level.
The EU Commission wants to monitor all the citizens of the European union. The law proposal is called #chatcontrol – and now is the time to stop it. We took the debate to the streets of Sweden, during the country’s EU-presidency. Take a look at https://t.co/Dx9cPe1ksq pic.twitter.com/FvqAlQRiig— Mullvad.net (@mullvadnet) March 3, 2023
The digital rights organization EDRi has recently launched the 'Stop Scanning Me' campaign where EU citizens can sign a petition against the EU's surveillance plan.
Sign the Stop Scanning Me campaign now!
The Eu proposal on chat control wants to force online services to AI scan every message and every email for possible child grooming and child sexual abuse material (known and unknown). Suspicious messages flagged by the AI will be reported to law enforcement and investigated.
Machine searching for potential child grooming and sexual abuse material is an artificial intelligence (AI) supported procedure. The AI is not flawless and will flag a high number of harmless, private images, which will then be investigated by the police. Experts expect that 10-20% of images reported will be false positives.
This is a huge intrusion into the privacy of millions of innocent citizens.
The European Date Protection Supervisor Wiewiórowski calls it an 'illusion of legality': This type of indiscriminate scanning of private communications "will always be illegal under the Charter of Fundamental Rights (and probably under several national constitutional laws as well)."
To many the risks of chat control are negligible. After all, as law-abiding citizens what is there to fear?
But the truth is the opposite: The risks of a surveillance tool like chat control are unlimited.
Jan Penfrat said it perfectly on Mastodon:
"You have nothing to hide until the government suddenly declares your behaviour illegal."
The text on the image he posted is taken from news that broke this week via the Business Insider: "Police are prosecuting abortion seekers using their digital data — and Facebook and Google help them do it".
Once you break encryption to allow access to the 'good guys', the security and privacy promised by encryption is gone.
It is simply not possible to implement an encryption backdoor that can only be used by law enforcement.
This is also nicely illustrated by the best of backdoor fails in history. The truth is: Secret services have tried to undermine encryption before, but whenever they were successful, others were too. Malicious intruders have become very powerful.
We in Europe must not weaken the security backbone that our digital life depends on: Encryption.
Now we, as citizens of Europe and members of the civil society, must put pressure on legislators to oppose legislation that will put every email and every chat message that we send under constant surveillance.
We can stop chat control together!
Share the Mullvad campaign to increase the pressure on politicians.
Call/email your EU representative to make your voice heard: "Stop CSAM scanning. I do not want my personal device to become a surveillance machine!"
Sign the Stop Scanning Me campaign.
Together we can stop chat control!