Callum Vogue is a Senior Government Affairs and Advocacy Advisor at the Internet Society.
Governments across Europe are seeking to create a stronger policy response to the curse of online child sexual abuse material (CSAM). And EU policymakers have seized on the common targets of such legislation: private messaging platforms such as Signal, WhatsApp, Snapchat and Facebook.
The EU Commission’s proposal will require messaging platforms to access private data and messages to detect instances of child sexual abuse. The theory is that we will continue to enjoy the privacy and security afforded by encryption while also preventing criminals and abusers from exploiting online platforms, thanks to technical shortcuts.
But this is wishful thinking. The only way for service providers to comply with the EU regulation would be to weaken end-to-end encryption (E2EE) for everyone, a disastrous outcome that will harm the Internet, cost the economy, and undermine the security and privacy of every Internet user in Europe and beyond, including the children the legislation seeks to protect.
When you break encryption, there is no going back. All our online data and communications will be exposed not just to governments, but to third parties who can, and will, gain access.
The proposal will dismantle European privacy and security
The Commission says that its approach is compatible with E2EE, but there is no technological fix in existence for service providers to offer this access while also ensuring strong encryption. To comply, providers would either need to break encryption entirely or undermine its purpose by using client-side scanning technologies, which scan the content on our phones before a message is even sent.
This debate is not new. Law enforcement has called for encryption “backdoors” for years despite warnings from the technical community on the security risks. In response, policymakers are increasingly redirecting their focus to shortcuts like client-side scanning.
Encryption is essential to keeping our online lives private and secure. It allows us to share our financial details, medical records, and personal information with confidence, knowing that our sensitive data is not intercepted and that our private messages stay private. When it comes to strong encryption, E2EE is the gold standard of security in a world that increasingly operates online.
Shortcuts like client-side scanning fundamentally undermine the purpose of E2EE because they mean that there is now an uninvited stranger in the room. European Internet users will be exposed to new online scams and cyber-attacks, and children’s data and communications could be obtained by the abusers the bill is trying to hinder.
The proposal will hobble European businesses
European businesses will be faced with a slew of expensive requirements to create costly and technically challenging systems for scanning and encryption backdoors. Only the largest providers will be able to afford it, cementing their dominance in the market and strangling the ambitions of European startups.
The proposal will also limit how companies can use E2EE in new technologies and new products, restricting innovation across the continent in every industry and leaving Europe hobbled in the face of the tech giants in Silicon Valley. This all risks derailing the EU’s ambitions for the Digital Decade.
The proposal will open the floodgates of surveillance
Every Internet user will find themselves more easily surveilled by the state and other actors. For Central and Eastern Europeans, in whose lifetimes analogue surveillance and political retaliation were conducted, the proposal would be a depressing rollback of the freedoms hard-won by previous generations.
Members of the LGBTQ+ community, abuse survivors, refugees, and minority groups that are the targets of discrimination or attack will no longer find refuge on the Internet. Professionals such as journalists, who depend upon encryption to keep themselves and their sources safe, will be less able to investigate corruption and criminality. The murders of Slovak journalist Ján Kuciak and Maltese journalist Daphne Caruana Galizia in recent years are a reminder of the high stakes for reporters who are exposed.
The value of strong encryption as a tool for security and privacy was underscored in the early days of the war in Ukraine when thousands of people there downloaded E2EE messaging services to communicate with friends and family and to find safety.
Thankfully, there are stirrings of discontent in Brussels. The European Digital Privacy Supervisor and European Digital Protection Board published a joint opinion on the CSAM proposal, calling the efforts to undermine E2EE “disproportionate”, and declaring that encryption contributes “in a fundamental way to the respect for private life and confidentiality of communications, freedom of expression as well as to innovation and the growth of the digital economy.”
Members of the European Parliament have also spoken out. German MEP Patrick Breyer described the measures proposed as “mass surveillance”, and warned that the loopholes they create “can be exploited by anyone with the technical means needed, for example by foreign intelligence services and criminals.” He is joined in his concern by the Deputy Prime Minister of the Czech Republic, the Global Encryption Coalition, and the European Digital Rights Initiative.
It is imperative that every European speak out against this proposal, and the destructive belief that stripping away online privacy and security will solve criminality and social problems. A solution is needed, but unravelling encryption will have consequences that we surely cannot stomach. The EU Commission must go back to the drawing board. End-to-end encryption is our best defence – that’s why we need to protect it.