Data Privacy Week kicked off in the EU with a pledge from the industry to defend encryption in 2024.
Some of the companies using this technology to develop security software, including VPN services, and secure email and messaging apps, are now calling EU ministers to defend their citizens' privacy and withdraw a worrying proposed regulation.
Deemed by critics as Chat Control, the EU Child Sexual Abuse Material (CSAM) Scanning Proposal could allow authorities to scan people's private and encrypted chats for dangerous content as a way to halt child sexual abuse (CSA) online. Yet, experts argue that going down this route rather endangers users (children included) instead.
Encryption at risk
"We all agree that ensuring children are safe online is one of the most important duties of tech companies and for this reason, we find the European Commission’s proposed Regulation extremely worrying. If it were implemented as proposed, it would negatively impact children’s privacy and security online, while also having dramatic unforeseen consequences on the EU cybersecurity landscape, creating an ineffective administrative burden," wrote the experts in an open letter.
The group, composed of trade associations, and small and medium-sized tech companies, especially pointed out the risk of having a "backdoor" to allow authorities to scan messages in end-to-end encrypted environments.
So-called client-side scanning may help fight online crime, but, they argue, "it would also quickly be used by criminals themselves, putting citizens and businesses more at risk online by creating vulnerabilities for all users alike."
Among the signatories (22 in total) are popular VPN provider Surfshark, Swiss-based security software firm Proton, secure email service Tuta (formerly known as Tutanota), and encrypted messaging app developer Element.
Today, we call on all Interior, Justice & Economy ministers of EU countries, to choose the right side: #privacy or #surveillance.Together with other privacy-first companies we call on our ministers to defend encryption & protect privacy. 🔒Read the full text here:… pic.twitter.com/rGYGm6NS9yJanuary 22, 2024
The recent attack on encryption and the concept of client-side scanning began filling the news last year as tech companies raised the alarm on similar proposed legislation in the UK. While the Online Safety Act is now law, the messaging scanning requirement has been postponed until "it's technically feasible to do so" without breaking encryption—a solution that delays the issue rather than solving it.
In October the EU Parliament reached a historical agreement, though, asking for the removal of the Chat Control clause in order to safeguard online security and encryption. Now, it's the time for each EU Member State to agree on their own position.
"We call on our ministers, specifically on Nancy Faeser (SPD, Germany), to choose the right side in this discussion: uphold strong encryption and protect the human right to privacy of millions of EU citizens and businesses," said Matthias Pfau, founder of German secure email provider Tuta Mail.
According to Pfau, Europe cannot pride itself on the progress made with GDPR legislation while simultaneously promoting client-side scanning. "Such a move would destroy any credibility the EU currently holds in matters of privacy and cybersecurity," he said.
One of the most secure VPN providers out there, Mullvad VPN got vocal last year to raise awareness of the risks of the EU Chat Control law. It sends hundreds of emails to both journalists and politicians, while even putting giant banners across airports and the streets of some European cities. "Mullvad is usually a very silent company. This is probably the first time we really got mad enough to speak out," Jan Jonsson, CEO at Mullvad, told me when the company began its campaign in March last year.
EU State members are expected to vote on the proposed CSA regulation in the next few weeks and they hope to reach an agreement by March. Romain Digneaux, Public Policy Specialist at Proton, explained that only after that trilogue negotiations will be able to start. With EU Parliament elections happening in June, though, time is everything.
"We hope that the Belgian Presidency will act as an honest broker and take inspiration from the European Parliament to make sure that children are adequately protected, as well as everyone's right to privacy and security online," Digneaux told me. "However it looks like deep divisions still remain between member states."
All in all, experts are calling for finding a balanced approach alongside technically feasible solutions that could enhance child protection rather than undermine it. Specific requests include preserving the confidentiality of correspondence, refraining from forcing tech companies to perform mass surveillance and minimizing the administrative burden of the proposal by finding alternatives to mass scanning.
Commenting on the latter point, Digneaux told me: "There are many methods for combating crime online, as has been proven time and time again, which don’t compromise privacy and security. While we can’t publish the exact methods that we use (as that would play into the hands of the bad actors), at Proton we have a large team who work 24/7 to identify and remove bad actors and we cooperate with law enforcement within the framework of Swiss law.
"To sound horribly pragmatic, there is zero benefit to us to turn a blind eye to this behavior. In fact, the opposite, criminal behavior presents a huge threat to our entire business."
