Online services may (and do) scan all of your messages. Here is how you can protect yourself!
tl;dr: To make sure your messages stay private, you must switch to encrypted services now.
Interestingly, if you look at the word derogation it means two things:
- the act of officially stating that a law or rule no longer needs to be obeyed
- the act of talking about or treating someone in a way that shows you do not respect him, her, or it
ePrivacy Directive watered down
The EU ePrivacy Directive was an outstanding piece of legislation that protected EU citizens’ private data from overly intrusive eavesdropping. Even companies providing communication apps such as messaging apps and email providers were oblidged to respect their users’ privacy and keep their users’ data safe.
However, this piece of legislation has now been watered down. In its recent derogation, the EU decided that companies may scan all messages of all users all the time.
This is an unprecedented intrusion into users’ privacy as it allows a wide form of eavesdropping that it is barely possible to monitor. While there are, of course, rules and regulations for the companies as to how they may scan users’ messages and how they must report their findings, there is no guarantee that the data obtained from the automated scanning processes will not be misused, abused or even leaked or stolen.
Reason for derogation
The reason given for this derogation of users’ privacy is that European authorities want chat and email providers to scan their content for harmful content, such as child pornography, and report the findings to the authorities.
The question that must be raised here is the question of proportionality: Can it be justified that everyones messages are being scanned all the time to catch a few criminals?
To better judge about this issue, one may also look at statistics from the German authorities as to who is being monitored.
Comparison of the percentage of monitoring orders for child pornography and drug offenses in Germany, 2009-2019.
These statistics show that most surveillance orders issued to telecommunication providers are ordered to catch criminals for drug-related crimes, not pedophiles.
Opposition to the ePrivacy derogation
Patrick Breyer from the Pirate Party says that
”The adoption of the first ever EU regulation on mass surveillance is a sad day for all those who rely on free and confidential communications and advice, including abuse victims and press sources. The regulation deals a death blow to the confidentiality of digital correspondence. It is a general breach of the dam to permit indiscriminate surveillance of private spaces by corporations – by this totalitarian logic, our post, our smartphones or our bedrooms could also be generally monitored. Unleashing such denunciation machines on us is ineffective, illegal and irresponsible."
"Indiscriminate searches will not protect children and even endanger them by exposing their private photos to unknown persons, and by criminalising children themselves. Already overburdened investigators are kept busy with having to sort out thousands of criminally irrelevant messages. The victims of such a terrible crime as child sexual abuse deserve measures that prevent abuse in the first place. The right approach would be, for example, to intensify undercover investigations into child porn rings and reduce of the years-long processing backlogs in searches and evaluations of seized data.”
EDRi, the biggest European network defending rights and freedoms online, says:
“The legislation is a negative evolution in the sense that it will legalise the continuous voluntary scanning of all communications by private companies. The services under the scope of the interim Regulation are as broadly defined as in the ePrivacy Directive, including your Facebook Messenger messages, Tinder chats, emails and any other form of online communication that will come up in the future is potentially under the scope.”
What the derogation of ePrivacy means for me
The derogation of the ePrivacy Directive must be worrisome for all of us. It allows private coporations to scan all our message with little to no oversight as to what they do with our private communication data.
What remains for all us to do now is to keep fighting for our right to privacy. The EU plans to replace this interim derogation with a long-term legislation. We must act now to shape this piece of legislation in a way that private communication must remain private.
EDRi recommends that you to contact your country’s digital rights organisations and ask how you can help in our joint fight for privacy.
Is Tutanota affected by this law?
No. The scanning that has now been legalized by the EU is voluntary. This means only companies that want to scan their users’ messages, may do so. Tutanota is encrypting all your data, we do not want to read your messages. Thus, we will also not scan your emails.
Instead, we focus on protecting your right to privacy.
Stop using Gmail & Co
To protect your privacy now, you must stop using any chat or email service that does not use end-to-end encyrption.
If the derogation of the ePrivacy Directive has had one positive result, it is this: Due to the extensive news coverage about the EU plans, many people have learned that their private messages are already being scanned and monitored. If you are using a service that does not encrypt your messages end-to-end, it is very likely that someone else is reading along.
That is why we recommend that you quit Gmail and other non-encrypted services now!