07 June 2024

Proposed EU Chat Control law wants permission to scan your WhatsApp messages

The EU is currently considering a new plan to scan citizens' encrypted communications, in yet another chapter of its fight against online child sexual abuse material (CSAM).
After harsh criticism, legislators have abandoned the idea of allowing law enforcement to access text messages and audio—shared photos, videos, and URLs are now the target. Yet, experts still warn that citizens' privacy is at risk.
-----------------------------------------------------------------------------------------------------------------------------
Brussels, 08 May 2024
WK 6697/2024 INIT LIMITE JAI ENFOPOL CRIMORG IXIM DATAPROTECT CYBER COPEN FREMP TELECOM COMPET MI CONSOM DIGIT CODEC
This is a paper intended for a specific community of recipients. Handling and further distribution are under the sole responsibility of community members.

WORKING DOCUMENT
From: Presidency
To: Law Enforcement Working Party (Police)

Subject: Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse

- Presentation of the new approach proposed by the Presidency 
The Presidency provides delegations in the Annex with the presentation of its new approach on the CSA Regulation made at the meeting of the Law Enforcement Working Party (Police) on 8 May 2024.

-----------------------------------------------------------------------------------------------------------------------------
Belgium, which heads the Council of Europe until June 30, proposed the new text as a compromise on what was nicknamed Chat Control law last May, and it's now under review.
There's a catch, though.
People must consent to the shared material being scanned before being encrypted. Choosing to reject the scanning will lead to users being prevented from using this functionality at all.
The tech world isn't buying it. In fact, Romain Digneaux, Senior Public Policy Associate at Proton, describes it to TechRadar as "a blatant attempt to pull the wool over our eyes."
DID YOU KNOW?


Cryptographers, privacy advocates, and tech companies such as VPN and messaging app providers have criticized the Chat Control proposal since the beginning, warning against mass surveillance and security risks. Last February, the European Court of Human Rights even deemed attempts to break encryption illegal.

"This compromise from the Belgian Presidency is a depressing step backward compared to the European Parliament’s position," Digneaux told me.

"It will potentially subject all EU citizens to mass surveillance, undermining their fundamental rights while doing nothing to address the spread of CSAM online, nor any of the criticism from the European Data Protection Supervisor and countless experts."


Encryption, meaning the process of scrambling data into an unreadable form to prevent third-party access, underpins the security of online communication and of today's privacy software.

Virtual private networks use it to secure internet communications and conceal your online activities, for example. Popular messaging apps, like WhatsApp and Signal, or secure email providers like ProtonMail implement encryption to guarantee your messages remain private between you and the sender (end-to-end). Not even the provider itself can access them. As the presentation leaked by digital rights group Netzpolitik shows, Belgian legislators now recognize the need to protect end-to-end encryption.

"Regulation shall not create any obligation to decrypt or create access to end-to-end encrypted data, or that would prevent providers from offering end-to-end encrypted services," the proposed wording reads. So, how are they planning to implement the CSAM scanning then?

User consent or blackmail?
The key here is the 'user consent' clause. That's the way to make the scanning of privately shared multimedia files not an obligation but a choice. How they plan to do so looks more like blackmail, however. As we mentioned, if you want to share a photo, video, or URL with your friend on WhatsApp you must give consent, or just stick to texting, calls, and voice messages.
Commenting on this point, Digneaux said: "There is no consent. There is no choice. If innocent users don’t agree to let the authorities snoop on their messages, emails, photos, and videos they will simply be cut off from the modern world."
  • Proton isn't alone in feeling this way. A group of over 60 organizations, including Proton, Mozilla, Signal, Surfshark, and Tuta, alongside 50+ individuals, signed a joint statement to voice their concerns about the new proposal.
"Coerced consent is not freely given consent," wrote the group. "If the user has no real choice, feels compelled to consent, or would de facto be barred from the service if they do not consent, then the consent given will not be freely given."
Worse still, experts also warned that such intrusive powers might end up being unfit for catching the bad guys.
  • That's because cybercriminals could simply embed the illegal photos or video in a different type of file, for instance.
  • Moreover, as Digneaux pointed out, criminals already use their own services to conduct illegal activity.

A rebrand of client-side scanning

The plan to perform CSAM scanning while protecting encryption also includes a new 'upload moderation' provision. Legislators seek to implement content detection before the content is transmitted, and so before it is encrypted. Again, tech experts believe this approach is rather "a mere cosmetic change" from the Chat Control proposal.
The original bill was pushing for client-side scanning instead, a method that requires the device to automatically analyze files for unlawful material and flag them to authorities. To date, there's no way to do this without creating dangerous backdoors into the encryption. This is further supported by the fact that the UK postponed its client-side scanning provision for the Online Safety law until it is "technically feasible" to do so.

However, experts now argue that scanning messages at the upload point also defeats the end-to-end principle—complete protection between the sender and receiver—that characterizes strong encryption. They warn this may create new security vulnerabilities for third parties to exploit too.

Digneaux deemed the move just a "disingenuous rebrand" of client-side scanning. He told me: "No matter what the Presidency claims, it is not a silver bullet to protect privacy. It’s simply a backdoor to encryption in disguise. European users will become ideal targets for hackers, putting people and businesses more at risk."

This is why secure end-to-end encrypted messaging apps like Signal (see above) are already reiterating they will leave the EU market rather than undermine privacy protections.   
As Netzpolitik reported, though, member states remain ambivalent about the new approach. During a meeting held at the end of May, Germany and the Czech Republic expressed doubts about the Belgian proposal to scan messages before they are encrypted. Austria, Estonia, and Luxembourg also criticized the 'user consent' provision. France, meanwhile, said that it could accept 'upload moderation' under user consent but demanded that "there should be no circumvention of encryption."
Overall, though, France seems more positive about the proposal and ready to find a compromise that could work for all. That's also why the country's support is set to be decisive for the final agreement.
"We’re counting on France to maintain its support for cybersecurity, encrypted services, and privacy," Digneaux told me. "If these proposals are not thrown out now we risk dismantling the vital cybersecurity protections that encryption offers putting everyone at risk. But saddest of all, EU citizens will be treated as guilty before being proven innocent by the very people appointed to protect them."
It is also worth noting that legislators plan to exempt staff of intelligence agencies, police, and the military from the CSAM scanning.
Senior Staff Writer Chiara Castro

-----------------------------------------------------------------------------------------------------------------------------



EU Council Presidency’s Last-Ditch Effort For Mass Scanning Must Be Rejected 

JUNE 6, 2024


As the current leadership of the EU Council enters its final weeks, it is debating a dangerous proposal that could lead to scanning the private files of billions of people. 
EFF strongly opposes this proposal, put forward by the Belgian Presidency at the EU Council, which is part of the EU’s executive branch. 
  • Together with European Digital Rights (EDRi) and other groups that defend encryption, we have sent an open letter to the EU Council explaining the dangers of the proposal. The letter asks Ministers in the Council of the EU to reject all proposals that are inconsistent with end-to-end encryption, including surveillance technologies like client-side scanning. 
The Belgian proposal was debated behind closed doors, and civil society groups have only recently been able to even evaluate and discuss the proposal after it was leaked to the press. 
If the proposal is adopted, it would represent a significant step backwards. Since 2022, the EU has been debating a file-scanning regulation that would eviscerate end-to-end encryption. Realizing that this system of client-side scanning, which some have called “chat control,” would violate the human rights of EU residents, a key European Parliament committee agreed in November to amendments that would protect end-to-end encryption.

How We Got Here

EFF’s advocacy has always defended the right to have a private conversation online, and the technology that can enable that: end-to-end encryption. That’s why, since 2022, we have opposed the efforts by some EU officials to put a backdoor into encrypted communications, in the name of protecting children online. 
Without major changes, the child protection proposal would have been a disaster for privacy and security online. In November, we won a victory when the EU Parliament’s civil liberties committee agreed to make big changes to the proposal that would make it clear that states could not engage in mass scanning of files, photos and messages in the name of fighting crime.
The Belgian proposal, which EFF has reviewed, specifies that online services would be forced to install software so that child abuse material “should remain detectable in all interpersonal communications services.” 
  • To do this, the online services must apply “vetted technology”—in other words, government-approved software—that would allow law enforcement to scan the photos, messages and files of any user. 
The proposal actually goes on to suggest that users should be asked to “give explicit consent” for this invasion of privacy. Users who don’t agree to the scanning will be forbidden from sharing images or links. The idea of whitewashing mass surveillance with a government-approved “click-through” agreement, and banning users from basic internet functionality if they don’t agree, sounds like a dystopian novel—but it’s being seriously debated. 
We reject mass-scanning as a means of public safety. 
  • Phones and laptops must work for the users who own them, not act as “bugs in our pockets” in the service of governments, foreign or domestic. 
  • Government eavesdropping in the name of crime-fighting must always be targeted, narrowly limited, and subject to judicial oversight. 
The Belgian Presidency’s proposal is the latest in a long line of attempts by governments to evade this basic human rights concept.
As its details become more widely known, this colossally unpopular spying idea will be rejected not just by EFF and other NGOs, but by voting publics in the EU and beyond.
