Leaked Document Shows Spain Is Fully On Board With The EU Commission’s Plan To Criminalize Encryption
from the if-it-ain't-broke,-let's-break-it dept
For a few years now, the EU Commission has been pushing legislation that would undermine, if not actually criminalize, end-to-end encryption. It’s “for the children,” as they say. To prevent the distribution of CSAM (child sexual abuse material), the EU wants to mandate client-side scanning by tech companies — a move that would necessitate the removal of one end of the end-to-end encryption these companies offer to their users.
The proposal has received pushback, mainly from security experts who have repeatedly pointed out how this would make everyone’s communications less secure, not just the criminals the EU wants to target. It has also received pushback from the companies offering encrypted communications, all of which have informed the EU they will take their business elsewhere, rather than break their encryption.
The most significant pushback (at least as far as the EU’s governing body is concerned) has come from one EU member: Germany. Germany’s government flat out told the EU government that it would not be enforcing this law mandating broken encryption, if and when it goes into force.
But that’s just Germany. Most EU nations seem fine with breaking encryption for everyone, just to target a very small percentage of the population. A document [PDF] leaked to Wired shows widespread support for the proposed mandate, with one country in particular suggesting the encryption-criminalizing proposal doesn’t go far enough.
Of the 20 EU countries represented in the document leaked to WIRED, the majority said they are in favor of some form of scanning of encrypted messages, with Spain’s position emerging as the most extreme. “Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption,” Spanish representatives said in the document.
[…]
“It is shocking to me to see Spain state outright that there should be legislation prohibiting EU-based service providers from implementing end-to-end encryption,” says Riana Pfefferkorn, a research scholar at Stanford University’s Internet Observatory in California who reviewed the document at WIRED’s request. “This document has many of the hallmarks of the eternal debate over encryption.”
The document dates back to April of this year. The 20 countries offering at least partial support for undermining encryption were unwilling to explain to Wired why they felt this way. Only one country supplied a comment, and that comment — along with its comments in the leaked document — suggests it, too, at some point may be providing significant pushback of its own.
WIRED asked all 20 member states whose views are included in the document for comment. None denied its veracity, and Estonia confirmed that its position was compiled by experts working within related fields and at various ministries.
Estonia’s responses to the EU’s questions make it clear it thinks the proposal is, at best, half-baked. This answer in particular shows Estonia’s government calling out the EU for creating a proposal that mandates companies break other existing EU data privacy laws:
[EU]: Are you in favour of including audio communications in the scope of the CSA proposal, or would you rather exclude it as in Regulation (EU) 2021/1232?
We are a bit reserved and concerned with the potential inclusion of “audio communication”. For us the question is about what communication are we discussing – FB voice messages or direct special services or applications offering only voice communication service, including encrypted ones? Secondly the initial proposal and assessment (Interinstitutional File: 2022101 55(COD) ) focused mainly on visual material and sites and web links – indeed, this is the most pressing issue here. Audio communication was not included in that with a big attention scope.
This does not mean that Estonia doesn’t think grooming etc. criminal activities are not important. They are and we support any action fighting against this issue! We also want to remind, that EUCJ has forbidden the state regulation retention obligation of metadata by service providers. Now, we create a regulation which forces service providers to carry out mass interception of content data, which, as we want to emphasise, was the counter-argument regarding the metadata retention in the court. This is something we don’t want to do in Europe. This may also create more friction with the EU Parliament.
More directly, the Estonian Ministry of Economic Affairs and Communications says this:
Estonia does not support the possibility of creating backdoors for end-to-end encryption solutions.
That’s what happens when you actually talk to “experts working within related fields,” rather than just legislators who believe any sacrifice “for the children” is acceptable, as long as they are not expected to sacrifice anything themselves.
But the rest of the document is a mixed bag, with more countries showing support for some sort of direct regulation of E2EE. This is disappointing, but it’s to be expected when loaded language is used to create the proposal and held over the heads of EU member countries — language that suggests that if they’re for protecting encryption, they’re also for the continued sexual exploitation of children. That’s the kind of peer pressure that’s difficult to shrug off. But even if some countries (looking at you, Spain) are just looking for excuses to start breaking encryption, others are publicly demonstrating they won’t be shamed into passing a bad law that makes millions of residents’ communications less secure.
Filed Under: csam, encryption, end-to-end encryption, estonia, eu, eu commission, for the children, germany, protect the children, spain


Comments on “Leaked Document Shows Spain Is Fully On Board With The EU Commission’s Plan To Criminalize Encryption”
That’s a nice HTTPS connection you’ve got there. Shame if anything were to happen to it.
Re:
HTTPS is not affected, as companies can read anything you send them over HTTPS. However, should you want to use PGP to hide your email contents from Google, you will be using an illegal technology.
Re: Re:
I don’t think PGP even exists anymore.
Will just cause a lot of stuff to move to the “dark web.” If they attack that, we’ll just create another web, although you may have to “buy into” a specific VPN to get there.
Newton’s third law applies directly to social engineering, “For every action, there’s an equal and opposite reaction,” although, in this case, “equal” and “opposite” provide a wide range of choices.
Pig Latin is now illegal .. it’s for the children.
Because a few people abuse children, nobody can have any privacy in their communications, and we pinky promise we will not use this to ensure that we stay in power.
Clouds gather...
…lightning splits the sky as the tomb opens, the thick stench of decay spilling out and the shambling abomination known as Clipper rises from its grave.
Re: To be fair...
It never really died. It just took on another form. It’s just another variant on the question of if you should be allowed to have a private conversation without being spied on.
The Encryption Wars never ended, just instead of terrorists being the justification for invading your privacy, it’s “for the children”.
This is why I don’t praise crap like the GDPR because every other thing the EU does makes it worthless.
However, VPN servers in Belarus are subject to this.
Because I have posted things here in the past that have almost certainly attracted the attention of the Feds, I have gone to elaborate lengths so I cannot be traced.
I use a VPN server in Belarus, to jump on Tor to get on here, so there is no possible way the Feds could ever trace me.
Belarus, right now, is not likely to cooperate with the United States because of the sanctions we have on them now.
Belarus would likely tell the US Government to flag off.
Governments, of course, will be exempt
Governments will keep using encryption, naturally. After all, national security is important, your banking information is not.
Re: Good
…but not the ministers on their personal phones and laptops!
Once the EU breaks encryption, a concerted, targeted effort to obtain those ministers’ most intimate and private conversations and publish them on the web will be a just and fitting punishment.
Re: Re:
Arguably this would serve the public good, because if white hats don’t publish such things, black hats will use them for blackmail to influence their policy decisions.
Re: Re: Re:
This argument is not much better than the “banning encryption will allow governments to protect the children” argument. Yours is slightly better only because of the type and size of the target population
Re: Re: Re:2
Clarifying the direction of my previous comment:
Publishing the supporting officials’ private conversations in response to encryption bans would contribute to the public good for reasons not limited to “the officials will realize their mistake” and “the public will know who not to trust”, but “blackmailers will have less ammo” is not a good reason
Re: Re: Re:2
You may have misunderstood my argument. I’m saying that if end to end encryption is banned, private communications and documents will be available to be broken into. The only options will be to allow them to be accessed only by bad actors (because they’re going to get them no matter what), or to break into them and make them public so that everyone has them equally. Keeping everything private would no longer be an option.
Because of, at least, local government, the 7 year olds in my city must endure trans activists explaining how to use anal lube. The federal government is, at least, not coming to the aid of the children here.
But now governments also want to ban encryption to protect children.
Re:
Next up on Things That Didn’t Happen…