On Thursday, June 20, 2024, EU lawmakers will vote on a proposed law that, if passed, would require tech companies to scan all your private messages for child sexual abuse material (CSAM).
What is known as Chat Control has faced heavy criticism since it was first proposed in 2023. Last May, the Belgian presidency attempted to find a compromise by crafting an allegedly watered-down proposal.
In accordance with the revised Chat Control law, users must consent to having their photos, videos, and shared URLs scanned if they wish to continue using this functionality. The bill also introduces the concept of “load moderation” to, they say, avoid breaking encryption, since content is supposed to be scanned before being encrypted.
Make no mistake: Tech experts aren't buying it. Cryptographers, privacy advocates and technology companies, including some of the top VPN and messaging app providers, called the new proposal a dangerous rebrand that will plunge us all into mass surveillance. They are now urging people in Europe to contact their national representative in the EU and pledge to prevent the bill from moving to the next legislative stage.
Just “rhetorical games”
“Let's be very clear, again: requiring mass scanning of private communications fundamentally undermines encryption. Full stop,” wrote Meredith Whittaker, president of the Signal Foundation, in a statement on Monday (see tweet below).
Signal has come out against what was previously known as “side scanning” from the beginning. The company said it would leave the UK rather than undermine encryption; although it is still listed in the online safety law, it has been stopped until it is “feasible to do so”. Whittaker reiterated that stance when EU lawmakers began considering Chat Control last year.
Now, like many other experts, Whittaker noted that 'load moderation' is simply a “rhetorical game” since, no matter how and when scanning is implemented, it can still create a vulnerability that hackers and nation-states hostiles can explode.
She said: “We ask that those who play these word games stop and recognize what the expert community has repeatedly made clear. Either end-to-end encryption protects everyone and enshrines security and privacy, or it doesn't work for all”.
📣Official statement: The new EU chat controls proposal for mass scanning is the same old surveillance with a new brand. Whether you call it a backdoor, a gateway, or “load moderation,” it undermines encryption and creates significant vulnerabilities pic.twitter.com /3L1hqbBRgqJune 17, 2024
Many other security and privacy experts have backed up his statement so far. They include Edward Snowden, the American whistleblower who first shed light on the NSA's surveillance tactics against citizens.
He tweeted: “EU apparatchiks intend to turn terrifying mass surveillance measure into law despite UNIVERSAL public opposition (no thinking person wants this) INVENTING A NEW WORD for it: 'load moderation', and hoping no one knows which means until it is approved.” Stop them, Europe!
Companies such as Proton (the Swiss company behind the popular Proton Mail and Proton VPN services), Tuta, Element, Mullvad and Threema have also warned their online community about the risks, urging EU governments to reject mass scanning indiscriminate.
Did you know?
Chat Control 2.0 is not the only attempt to give law enforcement more access to EU citizens' data. In yet another crusade against encryption, a leaked 42-point plan presents new recommendations to make all the digital devices we use every day legally and technically monitorable at all times by law enforcement agencies. “It would mean total surveillance and the people of Europe would have state spyware in their pockets,” said Jan Jonsson, CEO of Mullvad.
Experts have also heavily criticized the provision of asking users for permission to scan their communications.
“If people cannot use central communications infrastructure without first 'consenting' to mass surveillance, then we must understand this as coercive, not as an exercise of meaningful choice,” Whittaker told TechRadar, adding that the provision does not reflect the how detection orders work in law.
Likewise, Matthew Green, professor of cryptography at Johns Hopkins University, considered the proposal “a coercion towards a regime of mass surveillance, with a certain brand.”
He also noted that focusing only on shared media rather than full messages could be only a “temporary step down” from the original intent. “His plan seems to be: implement the law and then it won't really matter,” he wrote in a tweet.
Rand Hindi, CEO of open source crypto company Zama, drew attention to the EU's apparent double standard when it comes to data privacy. “Europe is being so hypocritical here: “On the one hand, they force companies to comply with strict privacy regulations (this is a good thing!), but at the same time they demand that governments have FULL surveillance capabilities,” he wrote.
“What's happening now with Chat Control is a disaster in the making. It's not a hypothetical scenario, it's one of the most dangerous proposals to ever go this far, and we must aggressively fight it.”
Whats Next?
As we mentioned, lawmakers are expected to vote on Chat Control 2.0 on June 20, after being pushed back a day from the original date.
According to Patrick Breyer, MEP of the German Pirate Party, Italy, Finland, the Czech Republic, Sweden, Slovenia, Estonia, Greece and Portugal are still undecided about tomorrow's vote. By contrast, Germany, Luxembourg, the Netherlands, Austria and Poland are “relatively clear that they would not accept.”
While opposed at first, France appears more inclined to vote in favor at this time, under the deal that Signal, WhatsApp and other platforms that use end-to-end encryption will be outside the scope of the law at first. However, the risks of scanning still remain for photos and videos you can share in social media direct messages, game chats, and the like.
It's also worth noting that lawmakers plan to exempt personnel from intelligence agencies, police and the military from CSAM scanning. Furthermore, the European Court of Human Rights deemed attempts to break the encryption illegal last February.
Now, Breyer is urging everyone in Europe to take action before it's too late. To learn more about the steps you can take, I suggest visiting his dedicated page here.