Defend encryption! Open letter to the EU urging them to protect your privacy.
Belgian presidency repackages EU's controversial proposal, but sees strong headwind from tech experts and civil society.
The European Union’s new Council Presidency proposal pretends to respect your rights, but it again fails to address the three most critical issues in the proposed EU CSA Regulation:
- Unlawful mass surveillance: The proposal enables mass data collection without sufficient legal basis.
- Jeopardizing encryption: It effectively mandates client-side scanning in the EU, undermining the integrity of end-to-end encryption.
- Mandatory age verification: It requires intrusive and widespread age verification measures.
Despite previous criticisms - the EU CSA Regulation, also called “Chat Control”, has become the most criticized law of all time - the “new” proposal retains a flawed risk categorization model that punishes services committed to privacy and data protection. Even worse, it introduces a new issue disguised as “upload moderation”. Users are forced to consent to having their images, videos and URLs scanned - otherwise they will not be able to share such content.
Here’s why this approach is deeply problematic:
- Under EU law, consent to processing personal data must be given freely. However, the EU itself now wants to require users to consent to client-side scanning or else be unable to use a service or its full set of features. This is forced consent, which contradicts EU law.
- The proposal makes the misleading claim that client-side scanning would not be required and end-to-end encryption would be protected. This is complete nonsense. Technically, it is not possible to scan every picture users upload without weakening the encryption in general. Nevertheless, the EU keeps pushing for this law despite repeated warnings from the cybersecurity community that such technologies will put everyone at risk.
- On top of that, the proposal completely ignores that those looking to share child sexual abuse material (CSAM) would obviously not consent to the scanning of their images and videos, but move to other file sharing services or platforms - those that do not follow EU laws or operate on the dark web.
What is more, the EU Council explicitly says that state communications for law enforcement or national security purposes remain exempt from these scanning rules, highlighting a double standard and an acknowledgment that the proposal compromises confidentiality and security.
To sum this up: The new proposal will be an inefficient means to detect CSAM online, and harm the security and privacy of every EU citizen.
Malicious hackers, particularly from China and Russia, have shown again and again in the past that they are able to infiltrate systems that are supposedly secure, for instance at Microsoft, where Chinese hackers could siphon off ~60,000 emails from US government officials. This shows that only end-to-end encryption can truly protect our data and, thus, it must not be undermined!
Don’t let this dangerous regulation fly under the radar. Stay informed and protect your digital privacy!
Joint Statement on the dangers of the May 2024 Council of the EU compromise proposal on EU CSAM
Dear Council of the European Union,
The undersigned organizations, companies, and cybersecurity experts, many of whom are members of the Global Encryption Coalition, issue the following statement in response to news of the Belgian Presidency’s latest compromise proposal, dated May 2024, on the Regulation on Child Sexual Abuse (CSA).
Child sexual abuse and its distribution online is a serious crime that can only be effectively addressed if EU member states take a measured approach that is informed by expert evidence. The EU Parliament has already done this by adopting language that excludes end-to-end encrypted services from the scope of the regulation. We praise this step towards recognising the importance of encryption in ensuring security and guaranteeing human rights and fundamental freedoms. We welcome this positive approach by the EU Parliament, as end-to-end encryption is a vital technology that protects adults, children, businesses, and governments from becoming the victims of malicious actors.
We are concerned that the Council of the EU is not following the same path. The Belgian Presidency continues to advocate for the use of scanning technologies for encrypted messaging services, as well as other disproportionate limitations on digital rights. Content detection has been a contentious issue for a number of EU member states who have until now opposed client-side scanning technologies, because they rightly understand that it creates serious security and privacy risks, permitting general monitoring, and undermining human rights. We thank Ministers in the Council for their recognition of the importance of encryption and efforts to protect it.
In an effort to find a solution, the Belgian presidency has now rebranded this approach using the term “upload moderation”. This is a mere cosmetic change, as it still fails to address the security and rights concerns raised by experts with regard to client-side scanning. Scanning at the upload point defeats the end-to-end principle of strong encryption, could easily be circumvented, and would create new security vulnerabilities that third parties could exploit. In short, it will not solve the problem of the online spread of child sexual abuse material, but will introduce significant security risks for all citizens, companies, and governments.
The Belgian Presidency’s latest compromise text has sought to find consensus by proposing that:
- Client-side scanning only be applied to visual content (photos and videos) and URLs; and
- Users of communication services would need to give their consent to scanning, otherwise they would not be permitted to upload or share photos and videos using the service.
In today’s digital societies, the exchange of photos and videos is a standard activity. If the user has no real choice, feels compelled to consent, or would de facto be barred from the service if they do not consent, then the consent given will not be freely given. Coerced consent is not freely given consent. Moreover, the proposal is unfit for purpose, and can easily be circumvented, simply by embedding photos or videos in a different type of file, like a text document, or a presentation.
We call on Ministers in the Council of the EU to reject all scanning proposals that are inconsistent with the principle of end-to-end encryption, including client-side scanning and upload moderation, and to guarantee the protection of digital rights throughout the proposal. These intrusive techniques would only jeopardize the security and the rights of Internet users.
Yours sincerely,
Internet Society
Center for Democracy & Technology
Internet Freedom Foundation
Mozilla
Global Partners Digital
Signal
Access Now
Aspiration
Privacy International
Article 19
Tuta
SecureCrypt
Privacy & Access Council of Canada
Big Brother Watch
The Centre for Democracy and Technology Europe
Sjard Braun
epicenter.works – for digital rights
Elektronisk Forpost Norge (EFN)
JCA-NET(Japan)
INSPIRIT Creatives NGO
Privacy First
The Commoners
ISOC Germany
Alternatif Bilisim (Alternative Informatics Association)
Danes je nov dan
Defend Democracy
Defend Digital Me
Deutsche Vereinigung für Datenschutz e.V. (DVD)
Digital Rights Ireland
Irish Council for Civil Liberties
ISOC Switzerland Chapter
ISOC.DE e.V.
Iuridicum Remedium
Majal.org
Proton
SimpleX Chat
Surfshark
Edvina AB
Law and Technology Research Institute of Recife – IP.rec
Dataföreningen väst
Bits of Freedom
D3 – Defesa dos Direitos Digitais
fairkom
ISOC Portugal
ISOC UK
ApTI
Gate 15
Electronic Frontier Foundation (EFF)
Daniel Törmänen
Državljan D (Citizen D)
Politiscope
European Digital Rights (EDRi)
Global Partners Digital
Aivivid AB
Privacy International (PI)
Irene Promussas, Chairwoman Lobby4kids
IT-Pol Denmark
Electronic Frontiers Australia
ISOC-CAT Catalan Internet Society Chapter
U-YOGA UGANDA
eco – Association of the Internet Industry
Electronic Frontier Finland – Effi ry
OpenMedia
Studio Legale Fabiano – Fabiano Law Firm