In the course of the initiative "Fighting child sexual abuse: detection, removal, and reporting of illegal content", the European Union plans to abolish the digital privacy of correspondence. In order to automatically detect illegal content, all private chat messages are to be screened in the future. This should also apply to content that has so far been protected with strong end-to-end encryption. If this initiative is implemented according to the current plan it would enormously damage our European ideals and the indisputable foundations of our democracy, namely freedom of expression and the protection of privacy (see EDRi letter). The initiative would also severely harm Europe’s strategic autonomy and thus EU-based companies.
Europe as a global technology leader is respected internationally for its high level of data protection, notably due to the exemplary effect of the GDPR. In an internationally very competitive market, European companies are in first position when it comes to data protection. The EU initiative could now endanger this unique selling point of European IT companies.
For these reasons we request:
The General Data Protection Regulation is a global model for the protection of personal data. Some countries have already launched or enacted their own versions of the GDPR. The European Union now planning exactly the opposite steps is a wrong signal with fatal effects for the EU as an IT location. High data protection standards lead to great trust in European IT products. The "Made in Europe" label weighs heavily in our customers’ – not only in Europe, but worldwide. The compulsion to break the high protection of end-to-end encrypted communication endangers the business of numerous IT companies throughout the EU. It would destroy an important unique selling point for European IT companies on the global market.
We explicitly emphasize that access to encrypted communication by private organizations and public authorities is incompatible with a strong EU as a technology location.
Protected communication is essential for coexistence within our society. The doctor's duty of confidentiality and the attorney-client privilege, for example, are considered immeasurably valuable rights. But how are these professions supposed to maintain their professional secrecy if protected communication with patients and clients is not possible? Like most modern industries they rely on secure, digital communication to keep their vows of confidentiality. The monitoring of all communication within number-independent services equals a technological setback to the 20th century. Postal and personal communication would be left the only secure alternatives.
Yet, the EU initiative will not stop crimes from being committed. It will also not stop criminal individuals to set up private, end-to-end encrypted chat services for illegal activities with little effort and thus continue to elude law enforcement authorities. It is the majority of private individuals, relying on public networks with many participants, who will be truly affected by the EU initiative – and who will be deprived of their right to confidential communication in digital spaces.
The protection of digital privacy of correspondence must not be weakened. To the contrary, with the steady shift of sensitive communication in all areas of our society to the digital sphere, strong end-to-end encryption is imperative.
Finally, we would like to call on the European Commission to refrain from populist, actionist politics and to solve problems on the substantive level. To effectively ban secure communications for all EU citizens makes life unsafe for everyone.
The abolition of privacy is particularly problematic in relation to private communication. Automated checks of most intimate messages like nude pictures sent via public networks, for example, can result in employees of international corporations and police authorities viewing these intimate images. In other words: strangers gain access to someone’s most personal messages and could in turn disseminate them. This creates a new risk.
Mass surveillance does not, as some argue, contribute to preventing terrorism or child sexual abuse. Sascha Lobo has argued in the German news magazine Der Spiegel that more surveillance does not necessarily lead to more security : "Since 2014, a total of 24 identified perpetrators have carried out 13 Islamist murder attacks in the EU – and all, yes literally 100 percent of the attackers were previously known to the authorities and had a propensity for violence."
The Effectiveness of mass surveillance in solving crimes has not been proven. However, three things are certain to help in effectively protecting children from sexual violence:
In summary, we conclude: We must not base the standards of our society on the behavior of criminals. Crimes cannot be prevented by making every citizen a potential suspect.
We see a clear danger in the EU initiative "Fighting child sexual abuse: detection, removal, and reporting of illegal content" that secure communication for citizens and companies is to be abandoned on the grounds of child protection. This must not happen in an open, democratic society.
As experts in the field of secure communication, we are available to discuss with the European Commission on what is technically feasible.
Signed by Boxcryptor, Cryptomator, Mailbox.org, mail.de, Mailfence, Praxonomy, Tresorit and Tutanota.