Open Letter Calling On EU Member States To Defend Encryption

As the trilogue is about to start, EU Member States must decide what side they are on: privacy or surveillance.

2024-01-22
Encryption in the EU must be defended to protect the privacy of people and businesses alike.
New year, old discussion: This year the EU will start the trilogue discussion on the EU Commission's Child Sexual Abuse Regulation (CSAR), which proposes to scan every message of EU citizens for abuse material. Last year, the EU Parliament already positioned itself against such client-side scanning - a huge success for privacy advocates in Europe. Now is the time for EU Member States to position themselves in this battle of privacy vs surveillance. We, a coalition of privacy-first companies from Europe, call on our ministers to uphold citizens' right to privacy and defend strong encryption.

Last year, we were thrilled to see the historic agreement of the EU Parliament against chat control surveillance. We would like to applaud the EU Parliament on the decision to defend people's right to privacy and to uphold strong encryption within Europe. In its decision, the EU Parliament followed the advice of 300 scientists and cryptography experts and the European Parliament's Research Service (EPRS), who heavily criticised chat control for its vast surveillance powers that would destroy the right to privacy online as well as harm freedom of speech and thus undermine our democratic values.

While the world is facing more surveillance tendencies than ever - as you can see from the Online Safety Bill in the UK, the Australian surveillance legislation, and the US FISA reform - the European Union now has the unique chance to become the beacon of hope for freedom of speech and democracy.

With the General Data Protection Regulation (GDPR) the EU has set a very high standard for data protection and privacy in the EU. Now it is important to uphold this high level of privacy by defending strong encryption so EU citizens and businesses can continue to enjoy online privacy and confidentiality at the highest possible level.

Open letter to EU Member States on the proposed CSA Regulation

Dear Ministers of the Interior, Justice, and Economy of EU Member States,

We write to you as small and medium-sized companies and organizations from Europe, concerned about the proposal for a Regulation on Child Sexual Abuse (CSA). Collectively, we call on you to ensure that your country’s position on this file is brought as close as possible to the European Parliament’s (EP) one. We all agree that ensuring children are safe online is one of the most important duties of tech companies and for this reason, we find the European Commission’s proposed Regulation extremely worrying. If it were implemented as proposed, it would negatively impact children’s privacy and security online, while also having dramatic unforeseen consequences on the EU cybersecurity landscape, on top of creating an ineffective administrative burden. The European Parliament recently adopted its position on the file, acknowledging that scanning technologies are not compatible with the aim of having confidential and secure communications. The crucial changes it therefore puts forward for the proposal reflect the opinions of the European Data Protection Supervisor (EDPS), the Council legal services as well as countless experts in cryptography and cybersecurity. It also reflects the opinion of between 63% and 69% of the companies, public authorities, NGOs and citizens consulted by the European Commission in its Impact Assessment. As small and medium-sized tech companies and organizations, we share their concerns as we know that looking for specific content – such as text, photos and videos – in an end-to-end encrypted communication would require the implementation of a backdoor, or of a similar technology called “client-side scanning”. Even if this mechanism is created with the purpose of fighting crime online, it would also quickly be used by criminals themselves, putting citizens and businesses more at risk online by creating vulnerabilities for all users alike.

Data protection is a strong competitive advantage

As tech companies operating within the European Union, we have built products and services in line with the strong data protection framework of the EU which still serves as an example and inspiration across the world. The GDPR allowed for the creation of ethical, privacy-first tech companies in Europe, that would otherwise never have been able to compete against Big Tech. It gave European companies a strong competitive advantage in that field internationally and allowed consumers to finally be able to find alternatives to American and Chinese services. Our users, both within the EU and beyond, have come to trust our commitment to safeguarding their data and this trust is a key driver of our competitiveness. The learning curve for adapting to the necessary administrative burden brought about by the GDPR was high but was worth it. However, the CSA Regulation could threaten this unique selling point of European IT companies and would also add a new administrative burden which we fear could overwhelm both our companies and law enforcement bodies. Considering the volume of communications and content transiting through our services, even an insignificant error rate of the technologies applied to scan for abusive material would result in millions of false positives to be manually reviewed every day.

The CSA Regulation could erode trust and safety online

In a world where data breaches and privacy scandals are increasingly common, the EU's reputation for stringent data protection is a unique selling point for businesses operating within its borders. It provides us with a competitive edge, assuring our customers that their information is handled with the utmost care and integrity. This trust, once eroded, is challenging to rebuild, and any measures that compromise it, such as mandatory scanning or mandatory age verification, have the potential to harm businesses both large and small. Furthermore, the EU has recently adopted Regulation 2023/2841, which mandates that EU Institutions and bodies consider the use of end-to-end encryption among their cybersecurity risk-management measures. There are also multiple ‘cyber’ EU proposals currently on the table, such as the Cyber Resilience Act and the Cybersecurity Act. Supporting an opposite approach for the CSA Regulation would only undermine the EU cybersecurity framework, creating a contradictory, incoherent and inefficient new set of measures that companies would not be able to enforce without putting citizens and businesses at risk.

The EU Parliament's proposal goes in the right direction

Therefore, we applaud the European Parliament for its resolute stance in defending the European citizens' right to privacy and secure communication. The European Parliament’s commitment to these principles is not only a testament to its dedication to human rights, but also a beacon of hope for businesses like ours that prioritize data protection and security. The position of the Parliament includes alternatives to scanning which have a minimal impact on cybersecurity and data protection, and which experts believe would be both more effective and more efficient than mandatory scanning. Such changes of paradigm would mean going beyond the false dichotomy between privacy and security, while also making the proposal respect the proportionality principle, as requested by the Regulatory Scrutiny Board. Even if not perfect in our eyes, the changes the European Parliament made in its position are a good compromise to maintain digital security and confidentiality and to better protect children online. We believe that these changes strike the right balance between child protection and safeguarding privacy and cybersecurity.

As representatives of the vibrant European small businesses community, we encourage EU Member States to continue championing the values of privacy, cybersecurity and data protection. These principles not only align with the EU's commitment to human rights, but also serve as a foundation for a thriving and competitive business environment. Let us defend and strengthen these principles, ensuring that the EU remains an advocate of privacy in the global marketplace.

For these reasons we call on you to:

  • Ensure that Council’s position is aligned as closely as possible to the European Parliament’s. This will allow for a swifter adoption of the Regulation while building on the important work of the European Parliament.

  • Maintain the high level of fundamental rights - and in particular data protection - enjoyed by citizens in the European Union.

  • Refrain from forcing companies like us to conduct mass surveillance of private correspondence on behalf of law enforcement agencies.

  • Guarantee a high level of cybersecurity in the EU by protecting end-to-end encryption and bringing the necessary safeguards in the text. Client-side scanning and backdoors in particular should not be mandated.

  • Preserve the confidentiality of correspondence.

  • Minimize the administrative burden of the proposal by making it more effective and efficient, through alternatives to mass scanning.

Signed:

Blacknight Solutions

Cyberstorm

Element

Gate 15

Mailfence

Mail.de GmbH

Olvid

One Privacy

Parsec

Proton

Seezam

Surfshark

TelemetryDeck

Threema

Tresorit

Tuta

Trade associations and supporters:

ACT | The App Association

Defend Democracy

Encryption Europe

ISOC-CAT

Privacy & Access Council of Canada

STUDIO LEGALE FABIANO

The Tor Project