Europe and Australia will both not break encryption! We've interviewed Patrick Breyer – the guy who coined the term Chat Control.

Action taken by privacy activists and citizens stops the push for mass surveillance.

EU Chat Control.

It's not only Big Tech that is doing policy advocacy right, it's also privacy advocates who have learned their lesson! In the same week as Chat Control and the Australian Online Safety Act did not break encryption, we have interviewed Patrick Breyer on the dangers of Chat Control and why the EU client-side scanning plans must be called exactly this: Chat Control. Read what Patrick has to say and join our fight for privacy – because it's not over yet!


Encryption not broken

Last week, both the EU Chat Control vote and the Australia’s Online Safety Act attack on encryption failed to push the surveillance legislation forward. In the EU, the vote was postponed after the EU Council failed to gain a majority approval. In Australia, the requirement for service providers to implement client-side scanning to help detect child sexual abuse material (CSAM) has been changed, removing the requirement for companies to compromise their end-to-end encryption.

Both laws with their push to break encryption received major resistance from privacy concerned citizens around the world.

Instead, the Australia’s eSafety Commissioner has registered two pending industry standards for ‘Designated Internet Services’ and ‘Relevant Electronic Services’ that will come into force in December 2024. “[It] states that companies will not be required to break encryption and will not be required to undertake measures not technically feasible or reasonably practical.” - If these standards get passed into law it is a turn of 180 degree and ahuge success for all privacy advocates who lobbied in favor of strong encryption. It reads very similar to Germany’s proposal to pass a law on the right to encryption, which again shows why Germany is one of the countries with best data protection laws.

Germany as an opposing member against the EU proposal also played a big part in why Chat Control failed to get a majority: Germany and Poland were opposed, and there would have been abstentions from Estonia,the Netherlands, Slovenia, the Czech Republic and Austria so that the majority of 65% of EU citizens represented was not achieved. It was a close call and the fight is not over!

Chat Control is far from dead

In the EU, Chat Control is still up for debate and we need to remain alert and ready to respond when the next form of this surveillance law is being discussed again. Yet, for the first time, Commissioner Jourova publicly admitted at yesterday’s EDPS summit that encryption would need to be broken for Chat Control to become effective. Watch her statement on YouTube. This is something Commissioner Johansson strongly denied before, trying to make people believe that client-side scanning as proposed by the EU would not be all so bad.

One of the most prominent critics of Chat Control is Patrick Breyer MEP in the European Parliament. In the week that Chat Control was being discussed in the EU Council – but failed to get a majority due to our joined policy efforts – we sat down with him to discuss the details of the Chat Control Bill and why it poses a threat not only to European citizens, but to the privacy of everyone.

Below is a transcript of our interview that happened shorty before the vote in the EU Council got cancelled last week. You can also watch the interview with Patrick Breyer on Chat Control on YouTube.

Interview

BRANDON

Hi everyone, a bit of breaking news right now in the EU, we are nearing a vote on the EU Chat Control Bill. Patrick Breyer from the EU Parliament has decided to take some time to sit down and talk with us a little bit about what Chat Control is and help spread the message about why we need to take action to stop it. So, Patrick would you like to introduce yourself a little bit.

PATRICK

Sure hi my name is Patrick Breyer. I’m an MEP of the Pirate Party and I’m one of the negotiators in the EU Parliament on the parliament’s position on the Chat Control Bill. We [from the EU Parliament] really rewrote it we put it upside down but now there’s the risk that governments endorse the original full Chat Control proposal and that’s why we’re talking today.

BRANDON

Right okay so maybe before we really dive into Chat Control we could talk a little bit about the structure of EU politics. I’m American and I don’t fully understand the intricacies of this. So what I’ve read so far is the EU commission is pressing to have Chat Control become law but there’s also an EU Council and an EU Parliament. How do each of these groups position themselves in support or opposition to Chat Control and how likely do you think this current bill is going to be really pushed forward into law?

PATRICK

So the EU commission has come out and proposed this to begin with and we now know that they have worked a lot with shady actors, like the tech companies that would benefit from rolling out these scanning algorithms, but also with foreign donors, with former law enforcement officials. There has been an an entire network behind this who are trying to create a precedent in the European Union by having this enacted and then they want to do similar things uh elsewhere in the world.

So EU commissioner Johansson who’s the home Affairs commissioner has dedicated uh much of her time to this. That’s why we call her the Big Sister and but she’s outgoing so she won’t be a member of the new commission but that’s why they are pushing so hard to get this pass now before the end of her mandate.

And what happened next was that in parliament I worked very hard and we fought a lot together with civil society and scientists and industry, that protecting children and keeping them safe online needs a different approach than mass surveillance. So, we had a lot of expert hearings and a lot of exchanges among each other and in the end nearly the entire committee the entire Civil Liberties and Home Affairs Committee of the European Parliament endorsed a different version of this law that doesn’t contain mass surveillance but a different approach like security by design, we can talk about it later on, last autumn.

And the next step now will be that the EU governments, which is kind of the second chamber in lawmaking apart from the parliament, the EU governments in Council will have to position themselves and so far there has been a stalemate between those that want to go the full way for for scanning and and surveillance and those that oppose it. So, neither of them had achieved the needed a qualified majority and and this week Thursday we’ll decide whether that will change now or if we can block them from endorsing Chat Control once again. It happened already last autumn there was a risk that this could be endorsed and we managed to to to block it then.

So now if there is a a majority behind this massive plan this week then the next step would be negotiations between the institutions, compromise negotiations, they are called trilogues because there are three parties at the table. It’s the commission that made the proposal, it’s the parliament, and it’s the council that represents the EU governments. These are closed door meetings with no participation of of experts and usually experience shows that parliament has a tendency to give in to get the agreement of the others and it would be faced with both the commission and a council that both endorse Chat Control so that that would be very dangerous for negotiations to be in a situation like that. That’s why it’s all the more important right now when the council takes its position to to do what we can to make sure that they disapprove of mass surveillance and breaking encryption. If we had a really good negotiating position which is what’s being voted on this week, if governments had a really good negotiation position like the one that Parliament has approved, then the negotiations would be on a good track.

What’s basically decided this way after these trilogue negotiations there’s only a formal approval of the result of the deal by both the Parliament and the council but that’s just formal. So the negotiation itself already decides which is the the final legislation that everybody, that the majority in all institutions can live with and that’s what then ends up being the final legislation.

BRANDON

Okay and so right now there’s a lot of back and forth between what you’re talking about as the original Chat Control law and also there’s kind of this, it’s being presented as a compromise from Belgium. This ‘oh no we’re going to institute an upload filter’ is that kind of being pushed as this compromise position at least from supporters?

PATRICK

So the supporters of the original proposal of the original bill, that goes all the way to indiscriminate mass scanning including for end-to-end encrypted services, they needed to bring some countries around some critical countries around to form a majority. And so what they’re offering in terms of concessions is a number of them.

So, first of all they are saying that we will scan the text of chats but only images and videos. But I have to say that scanning of text chats is not really much done within industry and it’s really experimental so most of the flags that are currently being reported voluntarily by some US companies are a result of scanning images and videos. Still we’ve just had statistics from the German crime agency that says that the proportion of false flags of chats and photos that are not even criminally relevant is as high as never [before] and 1 in 2 of these reports essentially discloses private communications that is not criminally relevant. That’s why removing text from the scanning doesn’t address the problem.

Anyway, if the algorithm thinks that images or videos are suspicious it will disclose the chat including the text anyway. They’ve excluded audio from the scope but audio scanning is not done anyway. They’ve actually excluded security agencies and the military from the scanning because they understand very well how unreliable these algorithms are. So essentially those that are negotiating the bill the Ministers of the Interior are excluding their own services from this [scanning] because they know how dangerous it is. Then they’ve said ‘what we’re doing is we’ll ask the user, do they accept being having their photos and videos scanned or they have the option to refuse but then they can no longer send or even receive any images or videos or even links on that service.’ So they would be blocked from essential features that you need in family groups, in work groups, whatever group chats or communications you have. It’s not a real option to say ‘look I’ll be using this on a text basis only and then be spared from from having my communication scanned.’ But that’s one thing, one concession they have made to convince some member states and it seems to have worked in some cases.

Then the final concession that they have made this week, or Friday last week, is some language on encryption saying that encryption shouldn’t be circumvented or undermined and that a new EU institution, a new EU Center, would have to test the so-called client-side scanning mechanisms that have never been deployed so far. It has never existed in the past and that should be tested to make sure that it doesn’t weaken encryption. But the problem with scanning content that’s being sent via encrypted services is not so much the phase during which it is encrypted, so the transmission phase, the problem with the so-called client-side scanning is that whatever you send or receive will be scanned before it is being transmitted. That means, first of all, you can never be sure will this content only be read by who I want to read it or will it be leaked essentially to the provider, to moderators, to US-based [unintelligible] organizations, to police all over the world, and to an EU institution.

You never know it doesn’t tell you if it leaks, [or] if it reports something so you lose the trust in encryption and also scientists warn us that implementing these bugs in the apps that we all run on our smartphones will make them insecure. That will create new attack vectors which criminals can use, also foreign intelligence services [like] China, etc., to infiltrate the messenger apps of targets, or even a large group of people of dissidents. Whistleblowers, journalists, human rights defenders, they all rely on secure and encrypted conversations and so that’s why this concession and this soothing language on encryption is really only a smoke screen for people who don’t understand it or for governments that need to calm down some critical ministries for digitization. So it’s a heavy debate also within governments and that’s also why we can make a difference still this week on this file.

BRANDON

Absolutely and I think it’s funny you talk about how, yes that is it’s kind of sure they’re not necessarily directly attacking encryption, but hitting that data before hand [before encryption] already exists in the form of the Pegasus spyware right? So effectively this is doing a similar thing that it’s going through and can scan all of that content before it’s encrypted right.

PATRICK

Indeed you know so far no government, not even Russia, not even China, have managed to force the providers of secure communications apps to sort of modify the code and insert bugs into their apps. This would set a precedent because if the EU managed to wrestle providers into that then of course they would next ask it for different purposes like scanning for copyright or I don’t know for intelligence services. Then other countries would follow next and would ask for that as well and that would open the floodgates and essentially destroy secure end-to-end encryption and that’s why it’s so essential that we prevent this because encryption is either safe from everybody or if you open a back door to for the police it’s essentially a weakness that makes it insecure towards other attackers and other parties as well. It’s not possible to only [allow] that one so-called trusted party in it’s either private or it’s insecure.

BRANDON

Right and so talking about that like forcing companies to go ahead and kind of institute sort of a back door or insert code into their products, what will happen if this does get passed and a company like Signal for example, they’ve already said okay if it passes we are out of the EU, what happens if a company says no we’re not going to do that? This is something that would face us we’re based in Germany so what are the the ramifications of that?

PATRICK

So certain companies have business interests in the EU. They make money here, they would have some company mostly in Ireland, [or] they have a subsidiary in Ireland, where they run their business and they have financial interests and it’s possible to enforce this kind of EU legislation in that way because they have some form of representation in the EU. If they didn’t comply at all and if it wasn’t possible to get hold of them at all they could look at blocking them from from app stores or something like that but so far all providers Signal, Threema, etc. have said that they would be subject to this legislation even if they are based outside the EU. If they were forced to comply then they would rather withdraw from the [European] market and that means that many of us would no longer be able to use these services.

You know the geeks would be able to install it without an app store but what about the people we write with, [who] we’re in touch with, with our family who are not so computer literate? They would just be cut off or they would use a different service that would be placed under surveillance. WhatsApp, so far, has not said that they would seize their services and there are other services such as Facebook Messenger that don’t use encryption in the first place.

So I’m telling everybody who thinks, well it’s easy to circumvent this just keep in mind will it be easy to circumvent for everybody you’re in touch with. I don’t think so, for the general population they won’t be able to to circumvent it. The criminals will be, so the criminals will find it easy to use self-hosted services, peer-to-peer communications it’ll be easy to circumvent this for people who know a lot, who are digitally literate, but for your your mother it won’t be.

BRANDON

Yeah that’s the kind of ongoing theme that we have is, okay cool we try to make them as easy to use as possible so that not just someone who is extremely tech literate can use it, otherwise it needs to be useful for everyone. So with something like this [Chat Control], it’s weird to see politicians continually returning to this. It’s not a new bill, Chat Control, and like you’re saying now experts are very very clear that this isn’t going to prevent, it’s not going to protect children, it’s not going to stop terrorism. In instituting a law like chat control, is there any honest reason that politicians could support something like this other than the fact that they just want to institute surveillance? Is there a legitimate reason for trying to push a bill like this?

PATRICK

Well of course the aim to protect children keep them safe and to prevent child sexual abuse is totally legitimate and also from a victim’s perspective I totally understand that seeing this material of the traumatic crime that they have suffered still circulate years and decades after is barely supportable and bearable. So this is definitely terrifying, but the fact is that this is nothing that technology can solve. It’s nothing that you can technically prevent from circulating this material or from child grooming [sic] is something that technology will not be able to stop.

We have spoken to victims and survivors and they say, some of them say, that they also need safe spaces and that’s why they are opposed to this scanning because to seek help, to receive counseling via digital means, to contact their defense lawyers or even to speak to each other, to other victims and survivors, they need these safe spaces, these private spaces. Even while they were being abused they say it was actually the lack of safe communications channels that prevented them from reaching out for help. We also talked to young people, to teenagers, and we asked them is this the right way to protect you? They say no, [the] overwhelming majority say no. What they want is to learn, to understand how to keep safe. What are common strategies where criminals are approaching us that we cannot trust who it is that we are chatting with. So they want to be trained, they want to acquire the knowledge, they want to have the tools to report abuse, and they want the providers to actually follow up on it, for it for these reports to be reacted on.

That’s what the overwhelming majority of young people want and they are faced with these grooming attempts all the time. Whenever you you enter a chat you will get these kind of dirty messages right and you need to work with the people if you want to address this. There’s not the the magic technology bullet that will eliminate the problem all of a sudden. And actually even a prosecutors and the police are concerned that this automated scanning just is creating a flood that they cannot handle it. A lot of it is totally irrelevant and then even where it is relevant it’ll be a lot of time people who are not really a bad meaning who find a video funny, you know there’s this video of of underage person having sex with a mule and millions found it funny and shared it but it’s just illegal child pornography legally speaking.

Even children themselves share stuff that is illegal and they are being criminalized due to these reports. So in Germany 40% of the criminal investigations for CSAM are actually targeting persons under 18, so minors, and so instead of protecting them it’s it’s criminalizing them. And then there are some that are really criminals, but really what you’re going after is mostly known material. So this is the circulation of material that that the police are already aware of. It doesn’t really help you to save children.

I asked the officials again and again from these reports and flags how many children have you been able to save? The numbers in proportion to how much child sexual abuse we have in our society and most of it is never noticed or never reported at all in proportion to that the numbers are are just insignificant. So this is not the to go after those people that abuse children, that produce this material that are at the source of this CSAM material, this is not the way you can infiltrate their circles. You need undercover investigations for that, it needs a lot of personnel and police power and time and knowledge. The police are complaining we don’t have the time because we need to prosecute these sharing of known material in the thousands and that’s what’s taking all of our time. And if this becomes mandatory, which is what Chat Control is about right the scanning that is currently performed voluntary by some US companies would become mandatory for all services and the commission itself says this would make the numbers of reports rise three-fold more than three-fold and will totally overwhelm law enforcement with mostly not relevant reports and flags.

How would they have the capacity to keep our children safe?

BRANDON

Okay, one thing I kind of noticed and it is still on topic with the topic of like abuse material we keep talking about Chat Control, that’s not actually what the bill is called right?

PATRICK

Well officially the bill is called a Regulation to Prevent Child Sexual Abuse, but we gave a lot of thought to it in my team because when it was originally discussed it didn’t get a lot of attention. We were thinking to better explain to people, what does it actually do if this is implemented, and essentially it’s a means to control your private communications and chats. So far they say they are looking for CSAM but already part of the proposal that’s on the table is to use AI, artificial intelligence for so-called unknown material. Okay so the algorithms are supposed to look for images and that have never been reviewed before and it’s quite clear that these kind of algorithms cannot reliably tell the age of a person that is being shown, nor if this is consensual sexting by teenagers, or if this is a result of sextortion or child grooming. They can never reliably tell if somebody’s acting intentionally or inadvertently, so this will inadvertedly result in a huge number, in a flood of false positives and scientists are warning of the consequences. That is only scanning for this kind of material. Europol has already said the European police has already said we need to use this for other types of crime as well, and so this is only the beginning and the door opener.

BRANDON

Okay and with this like first opening the door, I did look through your one of your more recent posts about the current status of Chat Control and it was talking a little bit about the different EU member states, who was on board and who was not. What are the current views within Germany?

PATRICK

So Germany and Austria have been among among the most critical countries from the start. Maybe it has historical reasons because, of course, we had several authoritarian regimes on our ground, the Nazi regime and the DDR regime. They have always used secret police that essentially tried to know everything and that would have wanted to invade all spaces and that hated privacy. They wanted total control because it was just dictatorships.

And so we know what it is like and that these tools could be used to essentially build a high-tech surveillance state. Even nowadays in Europe we witness that a number of governments have been seized by right-wing or even extremist parties. Italy was the latest example and now we’re seeing elections in France and who’s pulling strongest? The Nationalist right-wing party. And with the Pegasus spyware that you mentioned earlier, we know that governments have been using these tools to spy on the democratic opposition, on critical prosecutors, even critical journalists, human rights defenders. So these tools carry an enormous potential of abuse and I think that Germany and Austria, maybe because of their history, understand well what the risks are.

We have a strong constitutional court and it is very quite clear actually and even the council’s only legal service says that it’s most likely that this indiscriminate scanning of private communications of non-suspects would not stand in court. It’s disproportionate right, and they are still pushing ahead with it. The problem is until the courts have decided the matter, it can take years and we’ve seen with a similar legislation called data retention that governments won’t even accept if the courts say no. They won’t even take no for a no they will keep reenacting this in a bit of a different form and so don’t rely on the courts, take action now.

BRANDON

One thing with trying to get people, trying to get people mobilized [that] can be a little bit difficult, especially something that I hear quite a bit from people who maybe are not too technically involved or don’t know a whole lot about encryption, and whenever they see a bill like this or new surveillance bills, for me it’s family in the United States, they’re pretty quick to say something along the lines of ‘oh well I don’t have anything to worry about, I don’t have anything to hide.’ What is the best way to try and communicate with friends, family or co-workers, people that you might know who have this kind of line of thinking? What is the best way that we can go forward in our everyday lives trying to kind of promote the importance of privacy and secure communication?

PATRICK

On the one hand there is the example of an American father who just shared a photo of the genitals of his son with his PE [pediatrician] with his doctor and Google basically closed all his accounts, including all the work data that he needed. And even did refused to reinstate it even after it was all cleared up and even after the police said look this is not criminal to do this. So this can have disastrous consequences [even] if you’re suspected of having done something like this and really you were sending just private family photos of your children at the beach. All sorts of chats can be flagged, sex chats, etc. You can easily be falsely incriminated over it.

Even if you think yourself are not at risk by this scanning, do think of others that absolutely need to rely on security of their communications and who are working for us [and] for our society. Political activists you know, [for example] Green Piece is [hypothetically] planning a protest action and they want to climb some factory to display banners. They can only do that if the police don’t know beforehand because it’s illegal. Political activists, human rights defenders, the democratic opposition in oppressive countries, journalists that need to be in touch with whistle-blowers anonymously, we rely on their work to disclose scandals and things that are terribly going wrong. You know, Wikileaks exposed war crimes by the US government, etc.. So think of all those that need secure and private communications because they are operating in authoritarian countries in Iran, in Russia, or even in democratic countries but they are being watched by security intelligence services. This is so important for our society that we have these private spaces that we can keep sane and as I mentioned earlier even the victims of child sexual abuse, survivors, tell us about the importance of having these safe spaces where they don’t need to worry about somebody else intruding in these horrible trauma that they have had to suffer. So this confidentiality is essential for so many professions [like] medical, psycho-therapy, for political affairs, for health or legal counseling, you name it. And if you don’t think you need it yourself right now, think of the others who do.

BRANDON

So beyond that, what is it that we have [sic], you’ve said the the vote has already been postponed one day, I would be curious was that due to people being upset about this being voted on or is there more of a procedural reason that it was moved?

PATRICK

I would rather say it’s a great sign that our protest is showing effects. Obviously they are not sure that it would get a majority tomorrow and they want more time for talks and and convincing, but that also gives us more time to talk and to reach out to governments. There are a number of countries that are still not firmly decided yet it’s on my homepage if you check out chatcontrol.eu or we even reserved chatcontrol.wtf, you can find a link to our call for action and to those governments that are still wavering. And normally there is a discussion within governments between the home affairs police people on the one hand side, and on the other side the ministries of justice that know that it violates our fundamental rights, and the ministries of digital affairs who understand the implications for communication safety. And there is so much everyone can do to inform the the public to speak about it, record videos about it, but also to reach out to NGOs and tell them well look you need to to issue a statement on this, to write open letters or even opinion pieces in the media, to get media interested. And of course to lobby directly to, send letters to, to governments and permanent representations. So all the attention we can get helps add to the pressure if one person says something it doesn’t count much, but if there is a lot of noise that becomes politically relevant and that’s where we need to get to now.

BRANDON

How do you see. There was a big turnout in, we just had the recent EU Parliament elections I believe, last weekend [sic]. What kind of impact do you think that election is going to have on the Chat Control discussion, if any?

PATRICK

So there has been a shift to the right. So we used to have a center left majority in the European Parliament that was good for civil liberties and internet safety but that’s gone now. I’m not sure whether for the specific file it will have an impact. That will still depend more on who will be the new negotiators on the file and that’s not decided yet. But generally there are more plans of the EU that have come to the surface including one plan called EU Going Dark and that is sort of a wish list by law enforcement authorities to make all devices interceptable, to bring back indiscriminate collection of metadata, the so-called data retention, and this plan is a bit further off from implementation but just as dangerous.

I think that the climate of fear is rising it’s a lot of fear about immigration but also of fear about crime. I would like to reassure citizens that never really have we lived as long and as safely as we do nowadays. Look at the objective evidence that crime in Europe is low, also in compared to the US by the way, but also to other countries outside Europe. So this is a safe region and you get a wrong impression from following the media because they will present the spectacular crime and terrorism, etc but really we are secure in our neighborhoods. We can’t be naive but also we can’t allow ourselves to be blackmailed into sacrificing our fundamental rights that were really a historical learning from terror regimes on our grounds that we’ve had in the past. It should be the government that fears the citizens and not the other way around.

This is a development, bit by bit we are moving towards a surveillance society and the development is going in a similar direction as China. China is really setting up a high-tech surveillance state and we have the technology at our hands to build it and that’s why it matters now to prevent our governments from using it. Because if the government knows everything they will find something on everybody to use against them, and to blackmail them, or to prosecute them. They will dig up dirt on everybody and that’s why it’s so important to have our privacy so as to be able to act without fear and without self-censorship. To be truly free we need to be private.

BRANDON

Absolutely, thank you so much for taking the time to sit down and talk with me here. Do you have any further [sic], we will add a link to your site to go through and show people where they can contact the representatives. We’ve also re-posted a few things about demonstrations going on within the EU. Do you have any information about those for people who might want to attend?

PATRICK

Yes, I know of a couple of demonstrations that have been organized today in in Germany. However seeing that the vote has been pushed back to Thursday there is time to organize something tomorrow as well. So to join in the protests for EU citizens you should definitely check out my homepage, chatcontrol.eu. But for citizens from outside the EU understand that this creates a precedent that even providers from outside Europe would be obliged to use this and that there are bills to the same effect in other countries such as the United States. So there are bills already that provide for something like this elsewhere and you would be next. That’s actually the plan of those who are behind this to create a precedent also for other countries and now is the time to stand up.

BRANDON

Well, thank you so much for sitting down and talking with us today. Do you have anything else you would like to add? Any messages to get out there for people who are interested in joining the fight against Chat Control?

PATRICK

I’d rather not take the viewers time and rather give them more time to actually act and get started.

BRANDON

Perfect. Thank you so much.

Closing Remarks

Like Patrick Breyer stated above, “all the attention we can get helps add to the pressure if one person says something it doesn’t count much, but if there is a lot of noise it becomes politically relevant”. Your voice is relevant and we need to stay alert to the dangers presented when such laws reach a point of possible votes.

Our best strategy is to raise awareness on the dangers of surveillance and support politicians who are opposed to it. By electing officials who oppose unconstitutional surveillance we can stop these laws from even entering discussion.

Join our fight for privacy and stay secure!