Spain’s position on the EU’s proposed Chat Control regulation is even more extreme than the Commission’s, as the country has been calling for a complete EU-wide ban on end-to-end encryption technology used by popular messaging apps, according to a document leaked to Wired earlier this month.
The so-called Child Sexual Abuse Regulation (CSAR), dubbed Chat Control by critics, would force service providers to scan the private messages of Europeans, both texts and pictures, in an effort to clamp down on the dissemination of illicit content linked to child sexual exploitation material (CSEM). Messages and media, including audio and video files, that draw suspicion of the automated scanning system would be flagged and then sent to a central database for further investigation.
Naturally, the proposal prompted waves of backlash directed at the Commission, with critics (including human rights NGOs and watchdogs dealing with digital freedom) calling Chat Control a clear violation of the fundamental right to privacy, raising serious doubts about its efficacy in achieving what it set out to, and even pointing out its ambiguous support among stakeholders who were consulted, such as child protection agencies and the teenagers themselves.
According to the Pirate Party MEP Patrick Breyer, perhaps the loudest opponent of the proposal in Brussels (with whom we had a detailed interview), the main problem is that there is still not enough awareness of this legislation among the general population to put up a meaningful resistance. “If [European] citizens were aware of Chat Control, the debate would be tremendous,” he told The European Conservative.
To add another layer, the draft proposal also includes the scanning of messages protected by end-to-end encryption, which is deployed by many popular messaging apps and is used by millions every day, including WhatsApp, Signal, and Telegram, which is the primary subject of the leaked document obtained by Wired.
For his part, Breyer believes that this amendment will be dropped during EU negotiations, but it’s still interesting to see where countries stand with the idea. Or, rather, where they stood in mid-April, when the survey, sent out by the European Council, was dated.
The document detailing the position of 20 EU member states revealed that the majority are in favor of scanning the private correspondence of European citizens, and most of them support extending the measure to encrypted communication as well. Among them, the Spanish socialist government appears to be the one that would like to go one step further in dealing with encrypted information, proposing to ban the whole technology in the EU.
“Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption,” the Spanish position in the document says, later adding that “It is imperative that we have access to the data … and it is equally imperative that we have the capacity to analyze them, no matter how large the volume.”
Of the 20 countries whose views have been compiled in the document, 15 also favor including encrypted communication under the scope of the law. Many of them identified encrypted messaging services as the primary channel for dissemination of CSEM and recommended that the final law should include clear wording to make sure companies comply.
Some countries, including Denmark, Ireland, and the Netherlands, signaled support for scanning encrypted messages, but would also add further measures to protect the end-to-end encryption of these apps from weakening. This a noble sentiment, but cybersecurity experts say it’s technically impossible to do both.
“They want to keep the security of encryption whilst being able to circumvent it … they want privacy but they also want to indiscriminately scan encrypted communications,” Ella Jakubowska, a senior policy advisor at the European Digital Rights (EDRi) said, adding that she is “unsurprised but nevertheless shocked” at some EU member states’ “really shallow understanding” of the technology they would like to regulate.
Others, such as Germany, Italy, Finland, and Estonia, were not as convinced as the majority that the benefits of being able to scan encrypted messages outweigh the potential harm of weakening the entire system and putting the user at risk of being hacked by malicious actors or prompting service providers to leave the European market.
These responses “demonstrate a more comprehensive understanding of the stakes in the CSA regulation discussions,” said Riana Pfefferkorn, a research scholar at Stanford University’s Internet Observatory. “The regulation will not only affect criminal investigations for a specific set of offenses; it affects governments’ own data security, national security, and the privacy and data protection rights of their citizens, as well as innovation and economic development.”
