A few days after EU citizens were called to vote on their next parliamentary representatives, we have a rough idea of what the next political team will look like. However, the truth is that anti-encryption sentiments continue to thrive across the Union.
We already reported on the revised proposal to stop the spread of child sexual abuse material (CSAM) online that requires your permission to scan your WhatsApp messages. Now, a leaked 42-point plan presents new recommendations for how companies should handle people's online activities, including data retention, access and interception of all digital services.
The goal is simple: make the digital devices we use every day, from smartphones and smart homes to IoT devices and even cars, legally and technically monitorable at all times by law enforcement agencies.
According to Jan Jonsson, CEO of Mullvad, one of the best VPNs out there with a privacy-first mandate, all encrypted traffic will no longer be private or secure if the legislation is passed. “A VPN won't help either,” he told me. “It would mean total surveillance and people in Europe carrying state spyware in their pockets.”
The process also seems to be moving at great speed. With the ashes of the EU elections still burning in the background, lawmakers met on Tuesday, June 11 to discuss the plan and the way forward.
It's getting serious: today, as part of the #EuGoingDark surveillance plan, the “Working Group on Cooperation in Criminal Matters” (#COPEN) in the Council of the 🇪🇺 officially discusses the reintroduction of #DataRetention. @GreensEFA (June 11, 2024)
Data access by design
The intention to implement a framework called “security by design” was first shared last year by the High Level Group (HLG). Created by the European Commission, the group is taking the first steps in what is known as the Going Dark initiative to ensure “the availability of effective law enforcement tools to combat crime and improve security in the digital age.” Until now, the process has largely taken place behind closed doors, denying civil society the opportunity to participate.
As mentioned above, the goal is to find a way to provide law enforcement agencies with complete surveillance capabilities, both from a legal and technical perspective. Not surprisingly, encryption – the scrambling of data into an unreadable format to prevent unauthorized access – was flagged as the most urgent area of work at the time. The main targets were stored data and location access, data retention practices, and the anonymization offered by virtual private networks.
Now, about 12 months later, it appears that the HLG has come up with some concrete solutions for how to do this in practice.
The 42-point “confidential” plan suggests forcing encrypted messaging apps to allow interception. Data retention should also be reintroduced (the EU Court of Justice previously overturned the directive) and expanded to all over-the-top (OTT) communications, i.e. all instant messages and online chats not provided by your mobile network operator. IP connection tracking should be guaranteed “at a minimum”, metadata encryption should be prohibited and GPS tracking should be activated by the provider at the request of the police. Tech companies that refuse to cooperate should be threatened with prison sentences.
It seems that the authorities want to access a large amount of our data: information stored on our devices, in the systems of service providers, and data traveling across the Internet. As Jonsson said: “In other words, all the data.”
“They prioritize solutions for legal access to device data and seem to want to try to introduce full device scanning at the customer's end. In other words, a scan of operating systems. Apple is constantly urged to do this, to scan its users' phones,” he added.
Is a supervised society the right answer?
As the name suggests, the EU's anti-encryption crusade is based on what is known in law enforcement as the “going dark” assumption: with online anonymity, crime will go undetected in the digital world. However, experts have long rejected this stance, arguing that violating this protection would be detrimental to everyone's safety.
Encryption is vital to guarantee the enjoyment of fundamental rights, such as privacy and freedom of expression, but also to allow both citizens and companies to defend themselves against abuses of information technologies. This was exactly the conclusion of the ruling published in February by the European Court of Human Rights that declared it illegal to break encryption.
Did you know?
Cryptographers, privacy advocates and tech companies raised similar concerns when the UK's Online Security Bill (now law) and the EU's Chat Control proposal considered creating a backdoor into encryption to scan people's encrypted and private messages for illegal content. In the UK, so-called client-side scanning has been postponed until it is “technically feasible” to do so safely.
This means that weak encryption protections not only allow authorities to spy on our online activities, but also provide an easy-to-exploit backdoor for cyber attackers.
Furthermore, as Jonsson suggests, criminals will turn to alternative and illegal online services to carry out their malicious online activities unmolested.
He told me: “This means that EU mass surveillance will not catch criminals. Only ordinary people, who do not want to make any effort, will be fully monitored.”
At the same time, German digital activist and Pirate Party MEP Patrick Breyer also highlights the fundamental role that encryption plays in criminal investigations.
He said: “The planned internet data retention threatens to destroy our right to anonymity online, which enables crime prevention through anonymous counseling and pastoral care, support for victims through anonymous self-help forums and also investigative journalism, which often relies on anonymous whistleblowers.”
What's Next?
While a reshuffled Parliament will elect the new EU Commission by 2025 as its first task, the Going Dark group appears to be already busy laying the foundations for future legislation against encryption and online anonymity.
Mullvad's Jonsson worries that these efforts could end up having more legislative force than the Chat Control proposal, which he believes was too tainted to gain the necessary support in a final phase. “This time, they are not only using the 'think about the children' argument, but also other serious crimes and terrorism as excuses to massively monitor the entire EU population,” he told me.
Such a push for surveillance by EU authorities, and ultimately around the world, is even more worrying when combined with the direction in which big tech companies are heading. Greater data collection is prioritized, which is in stark contrast to the GDPR's core concept of data minimization.
Take the current backlash against Adobe, for example, over the invasive and vague new policy on how data can be used to train AI models. Or Microsoft's new Recall feature that regularly takes snapshots of your active screen, which sounds more like a privacy nightmare than a useful tool. After harsh criticism, the big tech firm resorted to updating Recall's privacy policy in an effort to please users.
Jonsson now hopes that external pressure from citizens, tech companies and the media can encourage the EU Commission to kill Going Dark's plans. “Opposition to Chat Control finally became massive, but it came late. This time we hope the opposition will be there from the beginning,” he told me.
“And of course, we hope that the new Commission is better than the previous one and invites experts to participate from the beginning, so as not to spend years on absurd legislative proposals that end up in the trash.”