After Push Back From EU Members, EU Commission Drops Anti-Encryption Wording From CSA Bill
from the finally-some-common-sense dept
Well, here’s some welcome news! It appears the EU Commission may have learned something from the less-than-wholehearted support it received following the introduction of its CSA (Child Sexual Abuse) bill.
The proposal hoped to curb the spread of CSAM (child sexual abuse material) by mandating (among other things) client-side scanning of user content. All well and good if the communications aren’t encrypted. But many of them are, thanks to companies offering end-to-end encryption by default to better secure users’ content and communications.
Sure, the bill had its defenders. One in particular (EU Commissioner for Home Affairs Ylva Johansson) has offered multiple incoherent defenses of the proposal that would, in effect, criminalize encryption (at worst) or make encryption completely useless as a security option (at best).
Most EU member nations were reluctant to embrace these extremities. There were, of course, a few exceptions. Spain, for example, thought the far-reaching, extremely broad proposal didn’t go far enough when it came to increasing the government’s powers and its surveillance options. On the other side, the EU Commission saw flat-out rejections from a couple of countries, both of which pointed out the CSA law would violate other existing EU privacy laws.
A recent leak of EU members’ positions on the bill likely factored into this recent decision by the EU Commission to scrub the anti-encryption wording from the CSA proposal. Joseph Hall of the Internet Society posted the alterations to Twitter, noting that this was a “huge win for encryption, confidentiality, and integrity in the EU.”
The changes can be seen starting on page 5 of the updated CSA proposal [PDF]. Here’s where the EU Commission changes tack and decides it’s time to leave encryption alone:
This Regulation shall not lead to any general obligation to monitor the information which providers of hosting services transmit or store, nor to actively seek facts or circumstances indicating illegal activity.
This Regulation shall not prohibit, make impossible, weaken, circumvent or otherwise undermine cybersecurity measures, in particular encryption, including end-to-end encryption, implemented by the relevant information society services or by the users. This Regulation shall not create any obligation to decrypt data.
Breaking/backdooring/criminalizing encryption is off the table for the time being. This proposal still seems like it’s a long way from adoption, but with just a couple of paragraphs, it has suddenly become a whole lot more palatable.
The PCY (presidency of the council, a rotating office shared by all EU members) has also appended a footnote to the paragraph forbidding the weakening of encryption which, if adopted, would take anti-encryption proposals off the table for far longer.
PCY comment: the following recital could be included: “Cybersecurity measures, in particular encryption technologies, including end-to-end encryption, are critical tools to safeguard the security of information within the Union as well as trust, accountability and transparency in the online environment. Therefore, this Regulation should not adversely affect the use of such measures, notably encryption technologies. Any weakening or circumventing of encryption could potentially be abused by malicious third parties. In particular, any mitigation or detection measures should not prohibit, make impossible, weaken, circumvent or otherwise undermine cybersecurity measures irrespective of whether the data is processed at the device of the user before the encryption is applied or while the data is processed in transit or stored by the service provider.”
This recital adds facts that have been conveniently overlooked by those who support undermining encryption to combat CSAM. The recital would also expand this protection against government interference to cover more than just the end-to-end variety.
This is the direction this legislation needs to go. Fighting CSAM is a noble and important goal. But as noble and important as it is, it still doesn’t justify subjecting everyone in the EU to decreased security and worthless faux encryption options. Encryption protects far more than criminals. And I’m heartened to see the pushback against this draconian proposal is finally paying off.
Filed Under: client side scanning, csam, encryption, eu, ylva johansson
Comments on “After Push Back From EU Members, EU Commission Drops Anti-Encryption Wording From CSA Bill”
Good news. “For the children” is often overused and is a noble goal especially in cases of CSAM. But there’s no magic bullet to stop everything and some cures can be worse than the disease. Criminals might use encryption, but so do the tools that protect children, and keep their parents employed and their money safe.
There are still questions here, but at least destroying security isn’t one of them for the moment.
Heartening to see some rational decision-making, for once.