European tech companies have written to ministers across the European Union (EU) urging them not to support a proposed regulation on child sexual abuse that could undermine the security of internet services that rely on end-to-end encryption.
Some 18 companies, which include encrypted email and messaging providers, warn that the proposals by the European Commission (EC) would “negatively impact children’s privacy and security” and could have “dramatic unforeseen consequences” for cyber security.
Their open letter, published on 22 January 2024, warns that the EC’s draft regulation – dubbed “chat control” – which requires the mass scanning of encrypted communications, will create security vulnerabilities that will put citizens and businesses at greater risk if they are implemented into EU law.
The letter aims to end an impasse between member states, the European Commission and the European Parliament, which disagree on whether the EC’s proposal for mass-scanning encrypted messages is a proportionate and workable response to concerns about child safety.
Its signatories include the Swiss encrypted email service Proton; Germany’s Tuta Mail; German cloud storage specialist NextCloud; and Element, which provides encrypted collaboration and communication services.
The group of small and medium-sized tech companies urged EU leaders to back a more measured version of the regulation proposed by the European Parliament, which “experts believe will be more effective and more efficient” than mass scanning of encrypted email and messaging services.
Romain Digneaux, public policy specialist at Proton, told Computer Weekly: “We want to show the EU governments that the debate is not just a dichotomy between privacy and child protection, but that privacy and child protection go hand in hand.”
The EC’s version of the regulation requires technology companies to introduce backdoors or to use technology known as client-side scanning to scan the contents of all encrypted communications for text, photos and videos that indicate child sexual abuse.
“Even if this mechanism is created with the purpose of fighting crime online, it would also quickly be used by criminals themselves, putting citizens and businesses more at risk online by creating vulnerabilities for all uses,” they wrote.
Client-side scanning technologies compare hash values of encrypted messages against a database of hash values of illegal content stored on a user’s own phone or computer. It has been widely criticised by security experts and cryptographers.
In 2021, 14 of the world’s top computer scientists, including cryptography pioneers Ron Rivest and Whit Diffie, warned in a scientific paper that client-side scanning “creates serious security and privacy risks” and could be exploited by hostile nation-states, malicious actors and even child abusers to harm others or society.
May 2022: The European Commission presents a proposal, which becomes known as chat control, to require all email and messaging providers to conduct mass scanning of all messages and emails sent on their platforms, including end-to-end encrypted messages, for child abuse material without the need for any prior suspicion of wrong-doing.
November 2023: The European Parliament sets out its negotiating position, opposing the EC’s proposal for blanket scanning of all messages on the grounds that they would breach the fundamental rights of EU citizens and would not survive legal challenges. It opposes client-side scanning technology and other mechanisms to scan the content of encrypted messages.
January 2024: Belgium takes over presidency of the Council of the European Union.
Late 2024: A “trialogue” meeting of the European Commission, the European Parliament and the European Council is expected to decide on the final text of the “chat control” legislation.
Last year, scientists and researchers from more than 30 countries warned that the scanning technology proposed by the European Commission was “deeply flawed” and vulnerable to attacks. They said that the technology would leak “illegal information” and would struggle to detect illegal content “reliably”.
Leaked internal legal advice shows that the Council of Europe’s own lawyers have serious questions about the lawfulness of the planned measures, which they say could lead to the de facto “permanent surveillance of all interpersonal communications”.
Digneaux said that once mass scanning has been introduced for one purpose, policymakers would face inevitable pressure to expand its use for other purposes, such as terrorism or organised crime.
The technology could be used by repressive regimes to monitor political dissent. “We have a lot of users in countries like Russia or Iran that rely on our services, such as journalists or people just expressing their political opinions,” he said.
According to the letter, the EU’s strong focus on data protection has led to the growth of ethical, privacy-focused tech companies in Europe that have been able to compete with larger American and Chinese companies.
The tech companies argue that the EC’s proposals are at odds with other EU regulations, including the Cyber Resilience Act (CRA) and the Cybersecurity Act that encourage the use of end-to-end encryption to manage cyber security risks.
Supporting an opposite approach for the CRA regulation would “undermine the EU cyber security framework” and lead to “incoherent and inefficient measures” that tech companies would not be able to enforce without putting citizens at risk.
Proposals from the European Parliament include alternatives to mandatory scanning that would be “more effective”, “prioritise data protection and security” and “better protect children online”, they claim.
Digneaux told Computer Weekly that tech companies were willing to discuss solutions with the European Commission and were not “simply saying no”.
“We are saying, ‘Let’s build something as close as possible to the European Parliament’s proposals and have this text adopted as quickly as possible and have a proper framework in place for child protection’,” he said.
He added that Proton had automated systems in place, which were checked by humans to identify suspicious interactions and relied on reports from its users, but that it was not technically possible for Proton to see the content of its users’ encrypted emails.
Proton cooperates with law enforcement under Swiss law which places limits on what information Swiss companies can disclose.
“Our goal is to be able to cooperate with police [under Swiss law], and we can do without necessarily providing the content of conversations,” said Digneaux. “We will not deliver the number one greatest evidence that will convict someone, that is true, but we can help police with their investigations.”
Matthias Pfau, founder of Tuta Mail, said: “Security experts agree that the chat control proposal by the European Commission to scan every chat message and every email would create a backdoor – one that could and will be abused by criminals.”
The legislation “would hinder economic growth and stop businesses from trusting EU-based companies with their data”, he added.
Source: computerweekly