The European Union is poised to destroy online privacy and encryption mere months after its last attempt was shot down.
The EU has a complicated relationship with privacy. On the one hand, the bloc is making great efforts to protect its citizens’ data from foreign companies and governments. On the other hand, the bloc also seems hell-bent on undermining privacy and encryption for its own surveillance purposes.
The EU tried to push client-side scanning legislation last year that would have forced companies to scan all messages, including those protected by end-to-end encryption (E2EE). The bill was described as “the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR,” with the EU’s own description acknowledging the “process would be the most intrusive one for users.”
Read More: EU Proposes Most Privacy-Invasive Measure Yet to Tackle Child Abuse
The EU’s internal legal team warned that the measure was likely illegal and would be overturned by the courts since it “would require the general and indiscriminate screening of the data processed by a specific service provider, and apply without distinction to all the persons using that specific service, without those persons being, even indirectly, in a situation liable to give rise to criminal prosecution.”
Despite that setback, the EU is once again moving forward with a new proposal that would effectively bring back the legislation with its most controversial elements unchanged, according to Patrick Breyer, a digital freedom fighter and Member of the European Parliament for the German and European Pirate Parties.
As the Council’s legal service has confirmed, the latest move does not change the nature of detection orders. Millions of private chats and private photos of law-abiding citizens are to be searched and leaked using flawed technology, without them being even remotely connected to child sexual abuse – this destroys our digital privacy of correspondence. Despite lip service being paid to encryption, client-side scanning is to be used to undermine previously secure end-to-end encryption in order to turn our smartphones into spies – this destroys secure encryption.
Breyer goes on to outline the technical issues with the EU’s plans and client-side scanning in general:
Limiting bulk chat searches to ‘high-risk services’ is meaningless because every communication service is misused also for sharing illegal images and therefore has an imminently high risk of abuse. Ireland – one of the strongest proponents of chat control – would be classifying the major services. In any case, the service used is no justification for searching the private chats of millions of citizens who are not even remotely connected to any wrongdoing.
Informing law enforcement only of repeat hits is also meaningless, as falsely flagged beach pictures or consensual sexting rarely involve just a single photo. The EU Commissioner for Home Affairs has herself stated that three out of four of the disclosed chats and photos are not actionable for the police. These algorithms and hash databases are totally unreliable in distinguishing legal from illegal content.
Client-side scanning burst onto the tech scene when Apple announced it would use the technology to scan encrypted messages on its platform. The technology uses on-device scanning to match photos and files against a database containing mathematical hashes of illegal content. Once a threshold of matches is exceeded, the case is forwarded to human reviewers and then to law enforcement.
Interestingly, Apple was not the first to come up with the idea of client-side scanning. Princeton researchers developed a similar technology prior to Apple, and then wrote a paper on why it should never be used.
“Our system could be easily repurposed for surveillance and censorship,” the researchers wrote. “The design wasn’t restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.”
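The following toy model, added here as an illustration and not code from the article, from Apple or from the Princeton researchers, shows the two points made above in working code: the threshold-based on-device matching described earlier (files are hashed locally, compared against an operator-supplied list, and only a run of hits triggers escalation), and the Princeton warning that the same scanner reports whatever the supplied database happens to contain. Everything in it is constructed: the "photos" are short byte strings, the threshold of two is an arbitrary choice, and an exact SHA-256 digest stands in for the perceptual hash a real deployment would use, so the matching is exact rather than similarity-based.

```python
"""Toy model of threshold-based client-side scanning (constructed example).

Assumptions: SHA-256 over the file bytes stands in for a perceptual hash,
and the escalation threshold is arbitrary. The device holds only the
hash list, never the content it was built from.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def fingerprint(data: bytes) -> str:
    # Stand-in for a perceptual/similarity hash; exact hashing is an assumption.
    return hashlib.sha256(data).hexdigest()


@dataclass
class ClientSideScanner:
    blocklist: frozenset[str]              # hashes pushed to the device by the operator
    threshold: int                         # repeat hits needed before escalation
    matches: list[str] = field(default_factory=list)

    def scan(self, filename: str, data: bytes) -> bool:
        """Hash one local file and record it if its hash is on the list."""
        if fingerprint(data) in self.blocklist:
            self.matches.append(filename)
            return True
        return False

    def should_escalate(self) -> bool:
        """Only a run of matches is forwarded for human review."""
        return len(self.matches) >= self.threshold


# Constructed sample library on the device; the scanner never sees labels,
# only bytes, and cannot tell what category the blocklist targets.
LIBRARY: dict[str, bytes] = {
    "holiday_beach.jpg": b"constructed beach photo bytes",
    "cat.png": b"constructed cat photo bytes",
    "protest_flyer.png": b"constructed protest flyer bytes",
    "receipt.pdf": b"constructed receipt bytes",
}


def build_database(contents: list[bytes]) -> frozenset[str]:
    """Whoever supplies this list decides what the device reports.

    The device receives only the hashes, so it has no way to audit
    whether the list contains abuse material or anything else.
    """
    return frozenset(fingerprint(c) for c in contents)


def run_scan(blocklist: frozenset[str], threshold: int = 2) -> tuple[list[str], bool]:
    """Scan the whole library against one database; return (hits, escalated?)."""
    scanner = ClientSideScanner(blocklist, threshold)
    for name, data in LIBRARY.items():
        scanner.scan(name, data)
    return scanner.matches, scanner.should_escalate()


if __name__ == "__main__":
    # Database A: one hash, a single hit stays below the threshold.
    db_a = build_database([b"constructed beach photo bytes"])
    print("database A:", run_scan(db_a))

    # Database B: same scanner code, different list, different files flagged
    # and the threshold is crossed. Nothing on the device changed.
    db_b = build_database([b"constructed protest flyer bytes",
                           b"constructed receipt bytes"])
    print("database B:", run_scan(db_b))
```

The scanning logic is identical in both runs; only the list it was handed differs. That is the property the researchers describe: the detector is content-agnostic, and the device cannot distinguish a list of abuse imagery from a list of anything else.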
Despite the warning from Princeton and Apple abandoning its own plans after realizing the same thing, the EU continues to push forward with its attempts to deploy what is essentially the same flawed technology.
See Also: Germany Pushes Back Against EU Client-Side Scanning Plans
As the drama continues, Germany has been a champion of privacy, consistently pushing back against what many see as a draconian and “unprecedented surveillance infrastructure.”
Breyer says the window to block the EU’s attack on privacy is quickly closing.
Now is the time to take to the barricades in favour of privacy and secure encryption, because EU governments that have been critical so far are praising the repackaged plans, which means that the blocking minority no longer stands. Not even a written opinion of the Council’s legal service on this obvious violation of fundamental rights has been requested, it seems.
Only time will tell if the EU succeeds or if privacy advocates will win the day.