Defend encryption! Open letter to the EU urging them to protect your privacy.

Belgian presidency repackages EU's controversial proposal, but sees strong headwind from tech experts and civil society.

The EU's plans to fight CSAM will destroy confidential communication

This May, the Belgian Council presidency repackaged the EU CSAM regulation to gain majority support from EU member states. Yet the new draft version of the law does not address critical issues and remains a clear threat to end-to-end encryption. Together with 60+ organizations, we've sent an open letter to the EU Council to underline the importance of strong encryption and citizens' right to privacy.


The European Union’s new Council Presidency proposal pretends to respect your rights, but it again fails to address the three most critical issues in the proposed EU CSA Regulation:

  1. Unlawful mass surveillance: The proposal enables mass data collection without sufficient legal basis.

  2. Jeopardizing encryption: It effectively mandates client-side scanning in the EU, undermining the integrity of end-to-end encryption.

  3. Mandatory age verification: It requires intrusive and widespread age verification measures.

Despite previous criticisms - the EU CSA Regulation, also called “Chat Control”, has become the most criticized law of all time - the “new” proposal retains a flawed risk categorization model that punishes services committed to privacy and data protection. Even worse, it introduces a new issue disguised as “upload moderation”. Users are forced to consent to having their images, videos and URLs scanned - otherwise they will not be able to share such content.

Here’s why this approach is deeply problematic:

  • Under EU law, consent to processing personal data must be given freely. However, the EU itself now wants to require users to consent to client-side scanning or else lose access to a service or its full set of features. This is forced consent, which contradicts EU law.

  • The proposal makes the misleading claim that client-side scanning would not be required and end-to-end encryption would be protected. This is complete nonsense. Technically, it is not possible to scan every picture users upload without weakening the encryption in general. Nevertheless, the EU keeps pushing for this law despite repeated warnings from the cybersecurity community that such technologies will put everyone at risk.

  • On top of that, the proposal completely ignores that those looking to share child sexual abuse material (CSAM) would obviously not consent to the scanning of their images and videos, but would move to other file sharing services or platforms - those that do not follow EU laws or operate on the dark web.

What is more, the EU Council explicitly says that state communications for law enforcement or national security purposes remain exempt from these scanning rules, highlighting a double standard and an acknowledgment that the proposal compromises confidentiality and security.

To sum this up: The new proposal will be an inefficient means to detect CSAM online, and harm the security and privacy of every EU citizen.

Malicious hackers, particularly from China and Russia, have shown again and again in the past that they are able to infiltrate systems that are supposedly secure, for instance at Microsoft, where Chinese hackers could siphon off ~60,000 emails from US government officials. This shows that only end-to-end encryption can truly protect our data and, thus, it must not be undermined!

Don’t let this dangerous regulation fly under the radar. Stay informed and protect your digital privacy!

Joint Statement on the dangers of the May 2024 Council of the EU compromise proposal on EU CSAM

Dear Council of the European Union,

The undersigned organizations, companies, and cybersecurity experts, many of whom are members of the Global Encryption Coalition, issue the following statement in response to news of the Belgian Presidency’s latest compromise proposal, dated May 2024, on the Regulation on Child Sexual Abuse (CSA).

Child sexual abuse and its distribution online is a serious crime that can only be effectively addressed if EU member states take a measured approach that is informed by expert evidence. The EU Parliament has already done this by adopting language that excludes end-to-end encrypted services from the scope of the regulation. We praise this step towards recognising the importance of encryption in ensuring security and guaranteeing human rights and fundamental freedoms. We welcome this positive approach by the EU Parliament, as end-to-end encryption is a vital technology that protects adults, children, businesses, and governments from becoming the victims of malicious actors.

We are concerned that the Council of the EU is not following the same path. The Belgian Presidency continues to advocate for the use of scanning technologies for encrypted messaging services, as well as other disproportionate limitations on digital rights. Content detection has been a contentious issue for a number of EU member states who have until now opposed client-side scanning technologies, because they rightly understand that it creates serious security and privacy risks, permitting general monitoring, and undermining human rights. We thank Ministers in the Council for their recognition of the importance of encryption and efforts to protect it.

In an effort to find a solution, the Belgian presidency has now rebranded this approach using the term “upload moderation”. This is a mere cosmetic change, as it still fails to address the security and rights concerns raised by experts with regard to client-side scanning. Scanning at the upload point defeats the end-to-end principle of strong encryption, could easily be circumvented, and would create new security vulnerabilities that third parties could exploit. In short, it will not solve the problem of the online spread of child sexual abuse material, but will introduce significant security risks for all citizens, companies, and governments.

The Belgian Presidency’s latest compromise text has sought to find consensus by proposing that:

  • Client-side scanning only be applied to visual content (photos and videos) and URLs; and
  • Users of communication services would need to give their consent to scanning, otherwise they would not be permitted to upload or share photos and videos using the service.

In today’s digital societies, the exchange of photos and videos is a standard activity. If the user has no real choice, feels compelled to consent, or would de facto be barred from the service if they do not consent, then the consent given will not be freely given. Coerced consent is not freely given consent. Moreover, the proposal is unfit for purpose, and can easily be circumvented, simply by embedding photos or videos in a different type of file, like a text document, or a presentation.

We call on Ministers in the Council of the EU to reject all scanning proposals that are inconsistent with the principle of end-to-end encryption, including client-side scanning and upload moderation, and to guarantee the protection of digital rights throughout the proposal. These intrusive techniques would only jeopardize the security and the rights of Internet users.

Yours sincerely,

Internet Society

Center for Democracy & Technology

Internet Freedom Foundation

Mozilla

Global Partners Digital

Signal

Access Now

Aspiration

Privacy International

Article 19

Tuta

SecureCrypt

Privacy & Access Council of Canada

Big Brother Watch

The Centre for Democracy and Technology Europe

Sjard Braun

epicenter.works – for digital rights

Elektronisk Forpost Norge (EFN)

JCA-NET(Japan)

INSPIRIT Creatives NGO

Privacy First

The Commoners

ISOC Germany

Alternatif Bilisim (Alternative Informatics Association)

Danes je nov dan

Defend Democracy

Defend Digital Me

Deutsche Vereinigung für Datenschutz e.V. (DVD)

Digital Rights Ireland

Irish Council for Civil Liberties

ISOC Switzerland Chapter

ISOC.DE e.V.

Iuridicum Remedium

Majal.org

Proton

SimpleX Chat

Surfshark

Edvina AB

Law and Technology Research Institute of Recife – IP.rec

Dataföreningen väst

Bits of Freedom

D3 – Defesa dos Direitos Digitais

fairkom

ISOC Portugal

ISOC UK

ApTI

Gate 15

Electronic Frontier Foundation (EFF)

Daniel Törmänen

Državljan D (Citizen D)

Politiscope

European Digital Rights (EDRi)

Aivivid AB

Privacy International (PI)

Irene Promussas, Chairwoman Lobby4kids

IT-Pol Denmark

Electronic Frontiers Australia

ISOC-CAT Catalan Internet Society Chapter

U-YOGA UGANDA

eco – Association of the Internet Industry

Electronic Frontier Finland – Effi ry

OpenMedia

Studio Legale Fabiano – Fabiano Law Firm