Chat control: The latest EU plans to outlaw encryption and introduce telecommunications surveillance

EU Commission plans to proactively involve telecommunications providers in the surveillance of their customers’ e-mail and chat messages has been a contentious issue for some time. mailbox.org has reported on this repeatedly, criticised the proposals, and contributed to open letters. Instead of taking the public response into account, the EU has opted to double down and tighten their surveillance requirements even further than was originally planned – to an extent that data protection professionals have denounced the plans as a blatant attempt to abolish the legal protection of private correspondence in the digital realm. The proposed changes include a ban of properly encrypted communication, disguised as a measure to combat child pornography. We believe this would open the door to the widespread surveillance of all telecommunication activity, threaten the privacy of all people and shake the foundations of our values and fundamental rights as European and German citizens.

mailbox.org CEO Peer Heinlein says:

“It is alarming how the fight against child pornography, which in itself is necessary and right, is being used here as an excuse to pursue much broader and general goals. In reality, this legislative initiative will undermine the protection and security of all private communication, which is protected by the German constitution, and introduce mass surveillance with the use of artificial intelligence. This is yet another attempt to railroad the abolition of secure, encrypted communication through parliament in the middle of a heated debate. The entire approach is wrong and trying to ram it down people’s throats repeatedly does not make it right. It is no surprise that IT professionals and victim organisations stand united to criticise the current draft law as dangerous and counterproductive.”

Summer 2021: The EU tightens the reins

The EU Commission signed a transitional law (“Procedure 2020/0259/COD”) in July 2021. This law allows platform and service providers to access and search customer data (Heise reported). Normally, such course of action would be either prohibited, or in the least severely restricted by current GDPR legislation, so an exemption was required to go ahead. Providers like Google and Microsoft do already process messages to search for indicators for child and youth pornography without probable cause. If their search algorithms report a hit, the affected users can get automatically reported to the police, despite the system being highly unreliable. There is also no requirement for them to inform the users about what has happened.

Extending the current “exemption” to permit more surveillance has been on the cards for some time. For example, Apple received a lot of media attention after announcing that they would integrate special software agents into their iPhones that would search for criminal content and automatically report or even delete data using AI, even before any of it gets uploaded to the cloud. This was entirely in line with the EC guidelines but after widespread protest, also from mailbox.org, the company decided to withdraw these plans for the time being.

Mandatory surveillance and a ban of secure encryption

In the autumn of 2021, it transpired that the EU Commission intends to make the previous “voluntary participation” in their surveillance measures mandatory. They also plan to widen the scope to include other serious offenses such as terrorism and violent crime. Until now, only those providers who already process customer data for purposes such as offering personalised ads were required to monitor communications for potential legal offences. The documents published by the EU parliament reveal plans that would force all providers to engage in the same activities. Those who currently cannot monitor the data are supposed to install suitable technology to make sure they can do so in the future and change their existing practices. Secure methods like end-to-end encryption that make sure only the sender and the receiver can read a message would be undermined. Telecommunications providers would be asked to actively prevent encryption, or search messages for targeted content before encryption takes place and would be required to give law enforcement authorities access to their data. Once such a process to systematically remove protections is in place, the data would eventually become exposed to unauthorised access by competitors, criminals, or dictators. A detailed summary of the possible technologies and danger scenarios has been compiled by Netzpolitik.

Originally, a decision was to be made in December 2021 but as of today (November), the item has miraculously disappeared from the commission’s schedule. However, European parliamentarians such as Patrick Breyer (Pirate Party) reported that this does in no way mean the topic is off the agenda. The planned parliamentary vote has been merely postponed until the first quarter of 2022.

mailbox.org sharply criticises the EU’s plans

We are convinced that the current EU plans should be rejected outright. If implemented, the proposed measures would weaken everyone’s security, undermine trust in communication tools, and turn everyone into a suspect without probable cause. The measures would also weaken trust in state and law enforcement authorities and endanger social cohesion. They would expose to great dangers those people who have special protection needs such as lawyers, doctors, journalists, or whistleblowers. The measures would also be counterproductive because they make it easier for hackers to obtain personal information from data. Once message and chat control technologies are established, there is a danger that they will be misused for shady purposes. This door must remain firmly shut.

We at mailbox.org openly protest against these efforts and call on all citizens to do the same. We recommend people visit the website of the MEP Patrick Breyer, who has made available a lot of information about the topic, including explainer videos, background details, and links to legal documents, as well as a list of the EU commissioners who are involved in this initiative. All citizens should call them or write to them directly to make their views heard.

We at mailbox.org support this call to action.

Author: Markus Feilner