Chat apps’ end-to-end encryption threatened by EU legislation

A European Union legislative body is closing in on a final proposal for chat surveillance controls, despite growing opposition from industry groups and privacy advocates.

Last November the Civil Liberties Committee of the European Parliament voted to exclude bans on end-to-end encryption from a draft regulation on combatting child sexual abuse, and to limit scanning of uploaded files to targeted cases with judicial oversight in its version of the bill.

However, another branch of the European Union’s legislative structure, the European Council, is reportedly close to finalizing a proposal that would make scanning of uploaded files mandatory. A decision by justice and home affairs officials, due this week, would be followed by a negotiation designed to reconcile the differing political positions.

The proposed upload moderation mechanism is designed to guard against the abuse of messaging platforms to share child sexual abuse material. Content would be scanned before it is encrypted using as yet undefined methods.

The proposed EU regulation covers encrypted messaging apps, email services, cloud storage, and any platform that allows sharing of messages, images or videos.

The European Parliament and European Council must reach a compromise with a third body, the European Commission, before their text can become law.

Business communications under suspicion too

Alan Woodward, a computer scientist from the University of Surrey, told CSOonline that any messaging systems, even if it primarily used by businesses, would fall under the scope of the proposals.

Mandatory scanning would undermine end-to-end encryption which is crucial for protecting confidential business communications, trade secrets, and sensitive data from hacking and surveillance.

Enterprises rely heavily on encrypted communications and cloud services for secure operations. Weakening encryption could expose them to heightened risk of data breaches, intellectual property theft, and other threats.

Government exemptions

According to the latest leaks of draft of the EU Child Sexual Abuse Regulation proposal (pdf), ministers are seeking to exempt the staff of intelligence agencies, police and military from the scanning of chats and messages.

“The fact that the EU interior ministers want to exempt police officers, soldiers, intelligence officers and even themselves from chat control scanning proves that they know exactly just how unreliable and dangerous these snooping algorithms are,” said Member of the European Parliament (MEP) Patrick Breyer. “The confidentiality of government communications is certainly important, but the same must apply to the protection of business and of course citizens communications.”

The promise that professional secrets will not be affected by chat control is misleading, according to Breyer.

“No provider and no algorithm can know or determine whether a chat is being conducted with doctors, therapists, lawyers, defence lawyers, etc. so as to exempt it from chat control,” Breyer argued in a blog post.

A backdoor by any other name

Some companies, including the provider of secure messaging app service Signal, have threatened to stop offering services in the EU if the scanning proposal passes.

Woodward told CSOonline that to enforce the proposed measures governments would need the co-operation of both Apple and Google to remove non-compliant apps from their app stores for particular countries and regions.

As such, the proposal could fragment the internet by requiring different technical standards and policies in the EU compared to other regions.

Meredith Whittaker, president of messaging service Signal, waded into the debate on Monday by arguing that the chat control proposals undermine secure communications.

“There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe,” Whittaker wrote.

She characterised the latest proposals as a rebranding of older, unworkable schemes to control encryption.

Governments have argued for decades that they need controlled access to encrypted messages in order to fight terrorism, organised crime and organised crime.

But there is no way to both preserve the integrity of end-to-end encryption and expose encrypted contents to surveillance, Whittaker argues.

“We can call it a backdoor, a front door, or ‘upload moderation’.” But whatever we call it, each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states.”

Amandine Le Pape, co-founder and COO of secure messaging platform Element, expressed similar privacy-focused concerns.

“We’re disappointed in signs that the European Council will be again discussing proposals which would introduce requirements for media scanning, and effectively entail the mass surveillance of Europeans,” Le Pape told CSOonline.com. “Plainly, end-to-end encryption cannot survive this type of requirement.”

Le Pape concluded: “Vague promises to take security and privacy into account are not enough, we need the EU to commit to the protection of end-to-end encryption and, by extension, its citizens.”