from the listening-to-reason-not-exactly-Council's-strong-suit dept
This was probably supposed to be a slam dunk: a legislative proposal mandating client-side scanning to prevent the spread of CSAM (child sexual abuse material). Who would be against that? Surely no one, thought those pushing the bill through.
But when criticism and resistance started rearing their heads, those pushing the bill went incoherent. Rather than addressing the arguments against rendering encryption useless, its backers offered useless arguments about how this would be better for everyone, while failing to bring any facts to the debate.
As the EU government moves forward with this proposal, it’s running into even more resistance. With the exception of a few countries completely on board with breaking encryption and subjecting residents to 24/7 surveillance, the overall mood of EU members is, at best, unreceptive.
A recently leaked document detailed the positions of several European governments, with Spain being the most supportive of breaking all the eggs to whip up a few CSAM-curtailing omelets. The rest of the EU nations polled are far less likely to wholeheartedly support what amounts to the criminalization of end-to-end encryption in order to catch a few criminals.
Riana Pfefferkorn has posted an informative breakdown of EU nations’ positions on the proposed law. It points out — as responding governments did (most notably, Estonia) — that the new mandates would break existing European privacy laws, thus making this legislation unlikely to survive a cursory review by the EU human rights court.
We’ll start with Spain, as Pfefferkorn does. Spain not only welcomed the EU’s proposal, but suggested it might not actually go far enough in terms of undercutting privacy and security protections enjoyed by its citizens.
Spain’s response has received press attention for stating outright that end-to-end encryption should be banned by law entirely. “Ideally, in our view,” they say, “it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption.” Spain is also against including any language in the CSA Regulation “excluding E2EE weakening,” saying (in essence) it should be up to each member state to decide how much data protection is too much to allow their citizens to have.
Spain’s stance is frankly shocking. It is vanishingly rare in 2023 to hear any democratic government – even any law enforcement agency – take such an extreme stance.
Spain’s response is the most problematic. But there are several other countries who believe some sort of encryption circumvention is needed to prevent CSAM distribution. Cyprus, Slovenia, Lithuania, Croatia, and Hungary all believe if there’s a compromise needed to enable client-side scanning, it should be tech companies and their users sacrificing their own security for the common good.
Cyprus, Slovenia, Lithuania, Croatia, and Hungary all adopt a similar stance: Law enforcement access to E2EE content should be written into the CSA Regulation (and thus detection orders to E2EE services should be in-scope), because E2EE is used to shield child abuse offenses. Cyprus and Slovenia at least gesture in the direction of caring about privacy rights, whereas Lithuania thinks everyone should just trust the police. Croatia is skeptical that there are effective alternatives for CSAM detection in E2EE environments, and Hungary wants to mandate law enforcement access to data.
Belgium and Poland are both in the “encryption is important, but…” camp. Each government asserts its support for strong encryption, but couches these affirmations in language that suggests they believe encryption shouldn’t be so strong that service providers or law enforcement can’t scan servers/devices for illegal content. Poland goes so far as to state only a court order should have the power to compel decryption. But even that limitation shows the country’s government doesn’t know how E2EE works: it’s either impervious or it’s worthless. You can’t break encryption at will and still pretend it’s secure. But that’s what Poland appears to believe.
Then there are a few who believe E2EE should be excepted from the law, but maybe not entirely, if there’s reason to believe an encrypted service is spreading CSAM. This internally incoherent view is shared (to differing extents) by Denmark, Ireland, Romania, and Slovakia. Once again, there’s that problem: either encryption is unbroken or it isn’t. Suggesting there’s some way to keep encryption secure while still requiring client-side monitoring of content is no less potentially damaging than Spain’s all-in approach. The only difference would be that E2EE wouldn’t immediately be treated as aiding and abetting distribution of illegal content.
Then there’s the rest. Fortunately, there’s still a significant number of EU members that aren’t on board with any of this anti-encryption BS. Here’s Pfefferkorn’s chart of EU member preferences, with those in direct opposition to this proposal highlighted by me:
The Netherlands still thinks client-side scanning is possible even in the presence of end-to-end encryption, which is a supremely weird stance to take. On the other hand, Bulgaria believes it has the tools to circumvent E2EE, thus rendering it pretty much irrelevant and in no need of direct regulation. Both of these arguments have severe flaws, but at least neither argument relies on compelled decryption or anti-encryption mandates.
The final six countries are not on board with this plan, at least not completely. The “hesitant pragmatists” think something should be done about CSAM but have yet to see an EU proposal they agree with. The remaining three have basically told the EU they won’t be enforcing this proposal if it becomes law.
Kudos to those six countries for slowing the EU’s push to make everyone less secure in hopes of rounding up a few CSAM distributors. The strongest defenders of encryption are well aware that this isn’t just about CSAM. If the proposal becomes law, it will only be a matter of time before governments start using compelled flaws in encryption to go off task and engage in surveillance wholly unrelated to the heinous crime being used to justify this intrusion.
The problem here is that more countries aren’t outright rejecting this proposal, as Pfefferkorn explains:
It is unacceptable in a democratic society to make digital intermediaries monitor everyone’s communications without any suspicion of wrongdoing. Child sex crimes are abhorrent, but that doesn’t justify discarding the fundamental rights of half a billion people (and everyone they talk to). Suspicionless mass surveillance is a wildly disproportionate invasion of individual privacy. And when democracies do it, they give repressive regimes an excuse to do the same – and for “crimes” far afield from child sex abuse. Europe should not set a precedent in this regard.
This proposal is harmful. And it will do little to address the issue supporters claim can’t be addressed without undermining encryption and encouraging round-the-clock surveillance of everyone with a smartphone or access to online communication services. Hopefully, those who have already given this bill the boot will convince other nations this isn’t the way forward.