Europe, long seen as a bastion of privacy and digital rights, will debate this week whether to enforce surveillance on citizens' devices.
Representatives from member states will meet on Friday to consider legislation critics call Chat Control, aka "laying down rules to prevent and combat child sexual abuse," which seeks to require ISPs or messaging app providers to scan user content or backdoor encryption so that intelligence agencies can do it themselves. It's the latest attempt in a three-year campaign by some in the community to allow government agencies unprecedented access to private communications.
The proposed legislation has been in the works since 2022 but immediately drew fire from security professionals. After being rejected by EU member states repeatedly, this latest attempt has come at the request of the Danish delegation, which currently holds the EU presidency, and should go to a full vote next month.
An open letter signed by more than 600 security academics, practitioners, and stakeholders has called on the proposals to be dropped and claimed they are unworkable and highly intrusive. It also points out that the false positive detection rate for such a serious crime is unacceptable and could lead to many people being unfairly smeared.
One signatory, Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, told The Register that the plans, if implemented, would be a "national security disaster."
He pointed out that if encryption backdoors were implemented, adversarial nations would see it as a "Manhattan Project" which could be used to expose all data, and if client-side scanning was used then it would create a privacy nightmare.
The revised legislative proposals call for systems to be set up to find all current "and new" forms of CSAM, but decline to give any guidance as to how this seemingly impossible task would be achieved. Government and military communications would be exempt from the plan.
"It is science fiction," fellow signatory Bart Preneel, the Belgian cryptographer and former president of the International Association for Cryptologic Research, told us. "The latest draft extends the detection order to new CSAM – it is assumed that AI can do this in a reliable way 'quod non.'" This is a Latin term loosely translated as "which it does not."
While there are plenty of companies that would love to provide this service, they lack the technical expertise to do so, he pointed out. Also, the best estimates show around a 10 percent false positive rate for client-side scanning – which could see a huge number of people accused of crimes they didn't commit.
If passed, the legislation would require encrypted app makers like WhatsApp, iMessage, Signal, Telegram, and Tuta to find ways to enforce such scanning – something they have neither the ability nor the desire to do.
Similar legislation has passed in the UK, but with an admission that the plans for message scanning are unworkable at the moment. Attempts to enforce them have failed, and drawn the ire of the US government, which has warned it would not look on such proposals favorably.
Signal, possibly the gold standard of end-to-end encrypted services, has said it will fight any moves to enforce such rules. Tuta spokesperson Hanna Bozakov told us that the company would not comply and would consider moving outside the EU if the legislation passed, but only after fighting it in the courts.
"First of all, we will sue, because we are pretty certain that this will not stand up in court," she said. "You can't do this because we have privacy rights in the EU Constitution, and you can't just overwrite this."
However, sources told The Register that some EU members might be getting cold feet about the plans. Two people told us that the German delegation, which has previously been highly skeptical of the proposals, could ask for a delay for further consideration. We'll see on Friday what happens. ®