CyAN’s Position on the Proposed EU “Chat Control” Regulation


The draft European Union Regulation to Prevent and Combat Child Sexual Abuse would be ineffective at protecting children, violates fundamental rights, creates information security challenges, and bears numerous other risks to European digital society.

In 2022, the European Commission introduced a proposal[i] to mandate automatic searches of all private chat messages for content suspected of violating Child Sexual Exploitation Materials (CSEM) laws. 

Commonly called “Chat Control 2.0”, the Regulation to Prevent and Combat Child Sexual Abuse (Child Sexual Abuse Regulation, or CSAR; currently Commission proposal COM/2022/209 final) would dramatically expand the existing framework, which allows service providers to scan voluntarily for illegal content.  The new rule would require pre-emptive scanning on devices like mobile phones, before any information is sent through encrypted channels.

Patrick Breyer, a Member of the European Parliament, provides a detailed overview[ii] of the timeline of this proposed law, which has faced widespread opposition and condemnation from privacy groups and many European parliamentarians.

On 28 May, the outgoing Belgian Presidency of the Council of the European Union proposed a compromise[iii] text.  In this version, users would have to consent to uploaded material being scanned before encryption.  However, rejecting this scanning would prevent users from accessing electronic communications services such as chat or email.

Due to significant and growing opposition to the proposal from citizens, privacy and industry advocacy groups, and lawmakers at all levels, on June 20 2024, just ahead of the Council’s scheduled vote on the proposal, the Belgian presidency announced that the vote would be postponed and the decision removed from the Council’s agenda.  However, Hungary, which is scheduled to assume the Council presidency on July 1, has indicated that it will re-open negotiations on the regulation.

Why CyAN Opposes the Regulation

The current proposal is the latest in a long history of well-intended but ultimately misguided and counterproductive attempts to protect the most vulnerable online. Fighting abuse is a critical and challenging task, and we respect and support the dedicated child safety organisations, law enforcement agencies and all the professionals who help safeguard our children and the society we live in. But this proposed law is not the solution.

This proposal, alongside other digital surveillance measures like the EU Council document 9984/24[iv], which mandates blanket monitoring of digital devices, represents a dangerous trend towards undemocratic surveillance.

The Cybersecurity Advisors Network (CyAN), along with organisations such as the Signal Foundation, the Association of the Internet Industry, the Wikimedia Foundation, and the Global Encryption Coalition, strongly advises against this initiative.  We believe it endangers the security of European citizens, undermines trust in digital democracy, and violates the fundamental right to privacy.

Online child sexual abuse is a heinous crime that must be stopped. CyAN and its members are committed to supporting efforts to combat this issue, as with other forms of cybercrime.  However, there are ways to combat child abuse that do not endanger our basic principles and the viability of digital democracy and markets.

Pre-Emptive Scanning is not Technologically Feasible

There are many reasons why pre-emptive scanning is not technologically feasible. Identifying illegal content at the scale being foreseen, and in countries with high legal standards, is at best unreliable, slow and cumbersome. Enforcement would require inspecting all network traffic across the EU, and blocking or prosecuting noncompliant tools and users.  Even oppressive regimes like Iran and Russia cannot completely suppress their citizens’ use of secure communications.

Creates Risk and Endangers Security

Client-side scanning introduces potential vulnerabilities that will be abused by cybercriminals and malware. 

This will lead to data being accessed and controlled by third parties, and thoroughly undermine the concept of data sovereignty where individuals and nations have control over their own information.

Erosion of Digital Trust in Everyday Life

The digital society is integral to modern life – whether through e-commerce, electronic voting, the processing of medical and banking data, or even sharing potentially embarrassing personal information with friends.

European Member States should do everything they can to increase citizens’ trust in security mechanisms like encryption, which encourage the adoption of e-government, e-commerce, and e-society, not undermine it.

Ineffective at Stopping Crime

Criminals do not care about rules. Cybercriminals are frequently sophisticated, and will use illegal, unsanctioned tools to bypass technological roadblocks. 

Encryption-based technologies have legitimate purposes, such as enabling and protecting activists in oppressive regimes. Blocking these technologies is contrary to Europe’s liberal values; instead, it will endanger dissidents in autocratic states, while having little to no effect on stopping cybercrime.

Logistically Impractical

CSIRTs, law enforcement agencies and software providers will face significant additional paperwork and will need to invest resources that would be better spent on providing real security.

Economically Damaging

Technology companies will face increased costs to implement and maintain client-side scanning, stifling innovation and competitiveness, particularly for small and medium-sized enterprises (SMEs).

Furthermore, European software will be less competitive internationally.  Customers will choose more secure solutions – leaving European tech firms at an export disadvantage.  The EU already faces significant challenges in ensuring the viability of our innovation and technology firms – we must not undercut this.

Potential for Abuse

Few intrusive controls are ever abandoned. 

Once implemented, client-side scanning technologies could be repurposed for broader surveillance, potentially being misused to monitor political dissidents, journalists, and other vulnerable groups.

Technology-facilitated violence and abuse (TFA) often relies on the abuser’s ability to monitor and control victims. Weakening encryption could provide abusers with more tools to exploit, thereby exacerbating the risks faced by vulnerable individuals.

Violation of Fundamental Rights

The proposals undermine several foundational principles of European law and human rights. 

Article 8 of the EU Charter of Fundamental Rights specifies the right to protection of personal data.  Implementing client-side scanning fundamentally undermines the principle of end-to-end encryption, eroding individuals’ right to private communication. This not only compromises personal privacy but also sets a dangerous precedent for surveillance.

Article 8 of the European Charter of Human Rights guarantees that “Everyone has the right to respect for his private and family life, his home and his correspondence.” 

The Charter also specifies that “There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.  Client-side scanning demonstrably fails to meet any of these conditions.

To this point, such measures constitute a violation of everyone’s fundamental privacy protections. For instance, in the case of tourists visiting the EU, the installation of spyware on every networked device would be required, creating a pervasive and unacceptable level of surveillance. Along with impacting the fundamental rights of individuals, this would have far-reaching negative consequences for the EU, affecting its economy, reputation, legal standing and political relations.

Furthermore, client-side scanning introduces an implicit presumption of wrongdoing.  It is based on the idea that a person who refuses to submit to onerous, pre-emptive intrusion into their private communication may be prohibited from securely interacting with others.  The panopticon attitude to social transparency, that anyone who has nothing to hide could not possibly oppose intrusion into their private affairs, is unacceptable and leads to self-censorship, stifling free speech and open communication.  This chilling effect is contrary to the democratic values of free expression and open dialogue – basic precepts of the open exchange of ideas and citizen engagement that underpin liberal European society.

There are Better Ways

Modern encryption technologies, such as homomorphic encryption, already allow the matching of known “bad” patterns in encrypted data, both at rest and in transit, without forced decryption or scanning of pre-encryption data on the client side. This functionality is already in widespread use across the private sector for data analytics that do not require the decryption of, for example, personally identifying data (PID) from jurisdictions with strong data protection laws.  The continuing growth of computational power and intelligence will only increase the power of such tools, while respecting citizens’ privacy and security.

Furthermore, law enforcement already has the tools it needs in the form of judicial warrants, cross-border investigative cooperation, and advanced data and behavioural matching solutions to help identify and catch criminals.  Reducing bureaucracy, for example by enhancing Europol’s ability to coordinate both among member state agencies and directly with foreign agencies, would be a far more powerful and effective weapon against cybercrime.

Conclusion

Laws, and their enforcement, must never cause more harm than the problems they aim to solve.  The European Union must remain a positive force for rights, liberty, and the protection of individuals and democracy.

The Cybersecurity Advisors Network (CyAN) calls on the European Parliament, the European Commission, and the Council of the EU and its presidency to abandon the Regulation to Prevent and Combat Child Sexual Abuse (CSAR) and its derivatives. 

We also encourage all members, elected and appointed, among the governing bodies of our European Union to re-evaluate their stance on technological surveillance to avoid damaging our digital society.

References

[i] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A209%3AFIN&qid=1652451192472

[ii] https://www.patrick-breyer.de/en/posts/chat-control/ – for a summary of the topic from a non-political website, TechRadar has a good explanation: https://www.techradar.com/computing/cyber-security/proposed-eu-chat-control-law-wants-permission-to-scan-your-whatsapp-messages

[iii] https://netzpolitik.org/wp-upload/2024/05/2024-05-28_Council_Presidency_LEWP_CSAR_Compromise-texts_9093.pdf

[iv] https://cdn.netzpolitik.org/wp-upload/2024/06/2024-05-22-Recommendation-HLG-Going-Dark-c.pdf