EU pushes new law to allow bulk scanning of your chat messages

European elections are over, and the European soccer championship is in full swing – why not greenlight bulk searches of people’s private communications, even encrypted ones? The proposed EU legislation has activists all over the continent up in arms.

Thursday’s vote by the EU governments in an important Permanent Representatives Committee wouldn't have been not the last hurdle for the proposed legislation, aimed at detecting child sexual abuse material (CSAM). The controversial question was removed from the agenda in the last minute.

But if the EU Council endorses the Chat Control bill later rather than sooner, experts say it will probably be adopted at the end of the complex political process. Thus, the activists have urged Europeans to take action and keep up the pressure.

Officially, the proposed Chat Control bill is called the Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse, and its current draft is here.

EU Council deaf to criticism

Actually, the regulation that would require chat apps such as WhatsApp and Facebook Messenger to selectively scan users’ private messages for CSAM and grooming, was already proposed in 2022.

Needless to say, privacy experts condemned it, and cryptography professor Matthew Green even said that the document described “the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR.”

“Let me be clear what that means: to detect “grooming” is not simply searching for known CSAM. It isn’t using AI to detect new CSAM, which is also on the table. It’s running algorithms reading your actual text messages to figure out what you’re saying, at scale,” said Green.

Callum Voge, a tech policy researcher at the Internet Society, a global nonprofit, also told Cybernews in an interview that the proposal would undoubtedly weaken end-to-end encryption, quite obviously crucial for the security and privacy of internet users, or even break it.

However, the EU has not climbed down, and now, the proposed law is moving through the system. To be more specific, the new regulation would introduce an “upload moderation” system to scan all your digital messages, including shared images, videos, and links.

The document is quite wild, indeed. Take end-to-end encryption – on the one hand, the proposed legislation says it is necessary but then goes on to point out that encrypted messaging platforms could “inadvertently become secure zones where child sexual abuse material can be shared or disseminated.”

The solution is apparently to scan the content of messages before apps like WhatsApp, Messenger, or Signal encrypt them. If that sounds unconvincing, that’s because it probably is.

“No technical solutions currently exist that would allow service providers to give their users end-to-end encrypted services while still complying with the detection obligations under the proposal,” Voge told Cybernews in early 2023.

There’s still hope

Law enforcement agencies around Europe are certainly not unhappy, too, as they have been pushing for encryption backdoors for years now, Voge added – even though it’s “highly unlikely officials would be able to process the mass of data and use it efficiently.”

Other experts and tech leaders are terribly worried. Signal president Meredith Whittaker said the app would stop working in the EU if the proposed rules become law because they “fundamentally undermine encryption.”

“Some European countries continue to play rhetorical games. They’ve come back to the table with the same idea under a new label. Instead of using the previous term ‘client-side scanning,’ they’ve rebranded and are now calling it ‘upload moderation.’ Some are claiming that ‘upload moderation’ does not undermine encryption because it happens before your message or video is encrypted. This is untrue,” Whittaker wrote in a blog post.

“There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe.”

Signal president Meredith Whittaker. Image by Getty Images.

Several organizations, such as the Electronic Frontier Foundation, Mozilla, and the Center for Democracy & Technology, have also signed a joint statement urging the EU to reject the controversial legislation.

It’s, of course, not clear what is going to happen. But there’s hope, Patrick Breyer, a digital activist and a German member of the European Parliament, thinks.

Dozens of European Parliament members expressed their disagreement with the proposal in a letter to the EU Council this week, and in November, the Parliament – a significant majority – actually voted to reject attempts to roll out mass scanning of private and encrypted messages.

Besides, according to Breyer, even if only Germany, Luxembourg, the Netherlands, Austria, and Poland have said they would not support the proposal, many other countries – Italy, Finland, Czechia, Sweden, Slovenia, Estonia, Greece, Portugal – might join them and form a blocking minority. Already on Thursday, the uproar forced the Eurocrats to remove the question from the meeting's agenda.

And even if the legislation gets the nod from EU governments, more trouble might await ahead because the general public might realize what’s at stake. Last year, a poll by the European Digital Rights group said that 66% of young people in the EU disagree with the idea of their private messages being scanned.