A consortium of tech companies has sent an urgent appeal to ministers across the European Union, warning them against backing a proposed regulation that, in the companies' view, uses child sexual abuse as a pretext to jeopardize the security of internet services relying on end-to-end encryption and to end privacy for all citizens.
A total of 18 organizations – predominantly providers of encrypted email and messaging services – have voiced concerns about the regulation proposed by the European Commission (EC), singling out its “detrimental” effects on children’s privacy and security and the possible dire repercussions for cyber security.
Made public on January 22, 2024, the open letter argues that the EC’s draft provision known as “Chat Control,” which mandates comprehensive scanning of encrypted communications, may create cyber vulnerabilities that expose citizens and businesses to increased risk. The letter also addresses a stalemate among member states, the EC, and the European Parliament, which have not yet reconciled their differing views on the proportionality and feasibility of the EC’s mass-scanning strategy for addressing child safety concerns.
Among the signatories are Proton, an encrypted email service from Switzerland; Tuta Mail and Nextcloud, specializing in email and cloud storage respectively; and Element, a provider of encrypted communications and collaboration services. Together, they implore EU leaders to consider a more balanced version of the mandate, as suggested by the European Parliament, which experts argue would be more effective and efficient than mass scanning of encrypted services.
The EC’s version of the regulation pushes tech companies to introduce “backdoors” or use “client-side scanning” to inspect the content of all encrypted communications for evidence of child sexual abuse. The companies are firm in their conviction that, although the mechanism is intended to combat crime, it could swiftly be exploited by offenders, “compromising security for everyone.”
Client-side scanning – comparing “hash values” of encrypted messages against a database of “hash values” of unlawful content that resides on personal devices – has met stiff criticism from the security community.
The EU’s strong stance on data protection paved the way for ethical, privacy-centric tech companies to flourish in the European market. The tech firms believe the EC’s proposal runs counter to that stance and could contradict other EU regulations such as the Cyber Resilience Act (CRA) and the Cybersecurity Act, which encourage the use of end-to-end encryption to counter cyber risks.
The tech firms propose alternatives to mandatory scanning that they believe are more effective and that prioritize data protection and security. They argue that an approach aligned with the European Parliament’s proposals provides a robust framework for child protection. They also warn of the danger that such scanning technology could be misused by oppressive regimes to suppress political dissidents.
They conclude that they are not simply resistant to solutions, but stress the importance of devising strategies closely aligned with the European Parliament’s proposals. In a statement to Reclaim The Net, Matthias Pfau, founder of Tuta, adds that such legislation “to scan every chat message and every email would create a backdoor – one that could and will be abused by criminals.”