"It’s not about security, it’s about control" – How EU governments want to encrypt their own comms, but break our private chats

Data sovereignty. Communication security. Strong encryption. These are the words I heard the most in my day at the Matrix Conference in Strasbourg last week.

An event organized by the creators of Matrix, an open-source protocol that developers can use to build decentralized and secure messaging applications, showcased multiple iterations of how organizations have used this federated system.

It was especially interesting to see that, while there are some examples of Matrix-based apps for everyday users, most of those harnessing the power of this protocol are governments.

These include Germany, where Matrix has been used to encrypt the communications of the government, armed forces, and healthcare system; and France, where, starting from last September, all public officials are required to use the Matrix-based Tchap app instead of Signal or WhatsApp.

Even more staggering, perhaps, was seeing representatives for the IT department of the European Commission talking on stage about how they are trialing Matrix to replace Signal and secure their own communications.

Yes, the European Commission, the same body that proposed to weaken people's private chats with an encryption backdoor, with the infamous Child Sexual Abuse Regulation (CSAR) bill known as Chat Control. And France is among the 12 countries supporting the proposal, according to the latest data.

All of this struck me – European governments clearly understand how crucial encryption is to preserve privacy and security. Yet, these crucial factors for their own communications seem to be something that citizens will have to make peace with and lose in the name of the common good.

I couldn't help but think about this dual vision on encryption, and how unbalanced it felt. But, what do the people working to secure government and organizations' communications make of all of this? I was on a mission to find out.

Encryption is under attack – but only for citizens

End-to-end encryption (E2EE) is the technology that applications like the best VPN and messaging services use to scramble data into an unreadable form to prevent unauthorized access. A guarantee that our online communications will stay private between us and who we are talking to.

In the wake of ever-larger and frequent cyberattacks – think of the Salt Typhoon in the US – encryption has become crucial to shield everyone's security, whether that's ID theft, scams, or national security risks. Even the FBI urged all Americans to turn to encrypted chats.

Law enforcement, however, often sees this layer of protection as an obstacle to their investigations, pushing for "lawful access" to encrypted data as a way to combat hideous crimes like terrorism or child abuse.

That's exactly where legislation proposals like Chat Control and ProtectEU in the European bloc, or the Online Safety Act in the UK, come from.

Yet, people working with encryption know that these solutions are flawed.

"It makes perfect sense that some folks are pushing to undermine encryption, but it makes no sense at all that that would be a good thing for society," the Co-Founder of Matrix, Matthew Hodgson, told me.

As Hodgson (and many other experts I've been talking to) explained, thinking of being able to create a backdoor into encryption that only authorities can access is naive and technically impossible.

Once this entry point is there, everyone will be able to exploit it. Period.

Naivety might only be one side of the story, though. According to the CEO and Co-Founder of Denmark-based Meedio, Runi Hammer, governments know well what they are doing.

"This is the dual usage problem – when governments say everybody needs to do something, they usually mean everybody else."

Runi Hammer hit the nail on the head, here. The Danish proposal of Chat Control – the latest iteration of the bill – excludes all government and military accounts for mandatory scanning of private and encrypted chats in the lookout for child sexual abuse material (CSAM).

"They know we need encryption to have safe and secure communications. But why can't I have a safe and secure conversation with my friends without having Chat Control's scanning? I don't think that the cause justifies the means; it's too intrusive," said Hammer.

On a more balanced view is Julie Ripa, the Product Manager of Tchap within the French government agency for digital services (DINUM). She points out that there is a stark difference in the need for secure and encrypted communication between governments and citizens.

Yet, "We shouldn't break privacy for any reason. There will always be some drug dealers, even though we control the data. I'm not sure that creating back doors will solve any problem. We're just attacking something that is not the root of the problem."

Beyond the encryption conundrum

On a technical level, experts all agree that an encryption backdoor cannot guarantee the same level of online security and privacy we have now.

Is then time to redefine what we mean when we talk about privacy?

This is what's probably needed, according to Rocket.Chat's Strategic Advisor, Christian Calcagni. "We need to have a new definition of private communication, and that's a big debate. Encryption or no encryption, what could be the way?"

Calcagni is, nonetheless, very critical of the current push to break encryption.

He told me: "Why should the government know what I think or what I'm sharing on a personal level? We shouldn't focus only on encryption or not encryption, but on what that means for our privacy, our intimacy."

The Founder and CEO of Rocket.Chat, Gabriel Engel, however, has no doubts. An encryption backdoor isn't about security; it's about control.

He told me: "Governments want to know what's going on and be able to monitor their citizens, while wanting the opposite for themselves. It's going to be a never-ending battle for citizens to keep their privacy rights and to hold their own data."

If not an encryption backdoor, then what?

Virtually everyone I interacted with during the conference was outspoken about their opposition to Chat Control-like proposals.

However, the issues motivating lawmakers' approach – terrorism, drug dealing, child abuse – are undoubtedly serious crimes that need to be dealt with. So, if not weakening encryption, what's the right fix?

According to Hodgson, who is also the Co-founder and CEO of the Matrix-based Element, a solution could be developing a better infrastructure that, while remaining privacy-preserving, could allow society to self-police.

He told me: "The thing we need to build is not mass surveillance. But we, the people here at the Matrix conference, need to do a much better job of providing the trust and safety tools needed to report and flag these crimes when they happen on the platform. I wish Matrix were better funded to build this alternative."

On my way out of the conference, I left with some unanswered questions, but also a certainty – technology and politics are moving on two parallel lines, struggling to find a meeting point.

On one side, the tech tells lawmakers that building a backdoor that can preserve security and privacy is an impossible task. Yet, the political agenda keeps pushing through with this ill-conceived idea against all odds.

The challenge now is finding a way to bridge this discrepancy between the privacy and security we deserve with the data usability that law enforcement requires.

We are still far from it, but it's a mission we need to pursue. After all, as Hammer from Meedio told me: "This is about our right, our freedom, our right to communicate freely with each other. Mass surveillance is not the way forward for a world that becomes even more digitalized."

You might also like

• "We need to go beyond Signal" – How today's AWS outage shows the weaknesses of centralized apps
• The vote on Chat Control has been postponed, but the “fight isn’t over” yet – here's what we know
• The Online Safety Act isn't just about age verification – end-to-end encryption is also at risk