The EU could end the privacy of internet messaging users

Legal - November 8, 2022

The European Commission has released the new Regulation on Rules to Prevent and Combat Child Sexual Abuse (CSA Proposal).

The proposal, published on 11 May 2022, contains a regulatory framework aimed at preventing and combating child sexual abuse.

The protection of children is a priority of the European Union, which intends to exercise it with appropriate tools and methodologies both offline and online, as underlined by the UN Committee on the Rights of the Child, which stressed that these rights, enshrined in the UNCRC, but also in Art. 24(2) of the Charter of Fundamental Rights of the European Union, must be protected in a compliant manner also in the digital environment.

Therefore, the proposal imposes qualified obligations on operators of hosting, messaging and other online services, concerning the detection, reporting, removal and blocking of known and new online child sexual abuse material, as well as grooming of children.

This means that internet platforms operating services such as whatsapp and signal will have to – in order to detect, report and remove – scan every single message, which is in stark contrast to end-to-end encryption.

End-to-end is an encrypted communication system in which only the people who are communicating can read the messages. It is an internet evolution of ‘scramblers’ applied to two-way radios to make conversations unintelligible to those who do not have the same encryption card on their device. Thanks to end-to-end, the intermediaries managing the service are not allowed to access the encryption with which two parties send each other messages via the Internet, thus ruling out any possibility of surveillance, intrusion and manipulation of the message. This particular type of encryption takes place ‘in transit’, so that the sending and receiving of the message is unencrypted for the users who are using the service, while their privacy and consequently their freedom is safeguarded.

However, it happens that in the event of suspected unlawfulness, since no third party, including the service provider, is able to intercept and decipher the message, it cannot be handed over to the authorities on request.

The consequence of this new European regulation is that the Internet giants, in order to enforce compliance with the rule, will have to remove or greatly weaken encryption, with serious consequences for the privacy and protection of the fundamental rights of users, who will see their conversations potentially infringed, without committing any offence.

It is indeed paradoxical that these rules are in conflict with Articles 7 and 8 of the same Fundamental Bill of Rights mentioned above. This was noted by the European Data Protection Board and the European Data Protection Supervisor – who issued a joint statement calling for the regulations to be amended.

Adding to this new surveillance scenario is the creation of an inter-state supervisory body, a kind of decentralised EU agency, based on a network of EU national authorities that will deal with online child sexual abuse.

Child abuse is a very serious and odious crime, but the new rules that are supposed to help combat it seem very disproportionate. It is not by weakening the protection mechanisms that protect all European citizens that a particular crime, even the most serious, can be better combated. It must also be taken into account that the regulation seems to have been developed without a proper study of the technological and commercial implications of what is regulated. Most of the operators of instant messaging apps are global economic and technological players that at the moment do not seem to have adequate solutions to comply with what the EU requires, other than renouncing encryption, as many fear, and making their chats insecure. This, however, would not be accepted by users worldwide and therefore big tech might decide to withdraw from the EU market rather than accept regulations that undermine the quality of the communication product or service offered. In addition, technology companies have a responsibility under international human rights law to ‘prevent, address and remedy human rights violations’. Over the past few days, specifically on 21 October, a global network of civil society organisations, top corporate executives, security experts and Internet activists gathered to celebrate the second World Encryption Day. There is an annual event on this subject that over the years has taken on specific connotations of security and the preservation of freedoms and human rights, devoted to defending encryption in places where it is threatened from West to East because, as in the case of the EU, whose path is certainly paved with good intentions, the violation of privacy and fundamental freedoms is not always the manifest will of a dictatorial regime, but sometimes lurks in those very places where certain values were born and should be promoted and preserved by all available means.

We all want the Internet to be a safe place for everyone. But weakening encryption will not make us safer or protect children from abuse. It will, however, make us all more vulnerable.

It is also worth remembering that since the dawn of Russian aggression in Ukraine, the citizens of Kiev have been able to communicate safely and coordinate resistance thanks in part to encrypted messaging apps, thus keeping infiltration attempts by Russian military hackers at bay. It is also worth mentioning how the European Commission itself in 2020 felt compelled to recommend all its staff to download Signal, a popular open source encrypted messaging app, and to use this service for external communications after the European institutions were hit by several communication incidents related to privacy breaches. Furthermore, encrypted messaging in some areas of the world such as the Middle East and North Africa has become an essential tool for the protection of members of the most marginalised and repressed minorities such as members of the LGBTQ+ communities. In her report ‘Digital Crime Scenes: How Police Use a Mosaic of Private Data to Harass LGBTQ People in the Middle East and North Africa’, Afsaneh Rigot senior researcher at ARTICLE 19 and affiliated with the Berkman Klein Center at Harvard University, studies the impact of communication technology in relation to repressive regimes of civil liberties, such as sexual identity. Dating apps used, messages sent, nicknames used, photos shared with one’s partner can be used to target, harass, arrest and prosecute homosexuals, Rigot explains. Another critical example of how encryption is crucial is the protection of journalists in the field and at home, as well as their sources. Encryption is a key element of the broader cybersecurity policy that must necessarily be implemented to protect reporters involved in war scenarios. The amount of sensitive information and material that journalists can and must convey in critical cases such as a conflict is very often of military interest to the parties involved, and it is the right of journalists to use all useful tools to protect their communications, freedom and safety. Even in times of peace, journalists run risks and must be protected by all lawful means. One thinks of inconvenient reporters in autocratic regimes and the need to be able to communicate safely in those countries that only allow limited and controlled access to the internet.

In the light of what has been written so far, a change to this regulation becomes more necessary with every passing day. This is not the way to protect minors in Europe.