European Commission: "the content is the crime," so let's break encryption
Topic
Country/Region
24 May 2023
The EU's proposed Child Sexual Abuse Material (CSAM) Regulation is perfectly legal, the European Commission has argued, in response to the Council Legal Service's arguments that the "detection orders" set out in the proposal would be illegal.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
The Commission argues that "the content is the crime", and so access to the content of encrypted communications is necessary.
The CSAM proposal foresees a regime of "detection orders" that could be issued against providers of "interpersonal communication services" - for example, messaging services such as Signal and Whatsapp.
In a widely-reported leaked opinion (pdf), the Council Legal Service (CLS) argues that the regime of detection orders set out in the proposal is "not being sufficiently clear, precise and complete."
Furthermore, it would either "[compromise] the essence of the above-mentioned fundamental rights in so far as it would permit generalised access to the content of interpersonal communications," or fail to meet the proportionality requirement due to:
- requiring "the general and indiscriminate screening of the data processed by a specific service provider, and apply without distinction";
- requiring access to the content of communications; and
- it "would pursue the general objective of fighting child sexual abuse crimes which, although they are serious crimes, do not constitute threats to national security."
In a note (pdf) circulated in the Council on 16 May, the Commission sets out why it thinks otherwise:
"The Commission services are of the view that there are numerous elements that, especially when considered in their totality, likely justify the conclusion that the proposed system of detection orders is proportionate."
The Commission seeks to use the same case law as the CLS to argue that the CSAM proposal would in fact be entirely legal.
The CLS opinion also notes that:
"...the providers would have to consider (i) abandoning effective end-to-end encryption or (ii) introducing some form of 'back-door' to access encrypted content or (iii) accessing the content on the device of the user before it is encrypted (so-called 'client-side scanning')."
As has been pointed out multiple times, this would fatally undermine the way the internet works, putting the privacy and security of all users at risk - but this point does not appear to be a deterrent to the Commission.
On the issue of undermining encryption - and thus the privacy and security of communication via the internet more generally - the Commission's paper remains silent.
Documentation
- NOTE from: Commission services: Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse - Balancing the rights of children with users’ rights (Council doc. 9512/23, LIMITE, 16 May 2023
- Council Legal Service opinion: Proposal for a Regulation laying down rules to prevent and combat child sexual abuse – detection orders in interpersonal communications – Articles 7 and 8 of the Charter of Fundamental Rights – Right to privacy and protection of personal data – proportionality (Council doc. 8787/23, LIMITE, 26 April 2023, pdf)
Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.
Further reading
EU-USA cooperation on biometric data, breaking encryption, radicalisation
The minutes of the recent EU-US Senior Officials Meeting on Justice and Home Affairs, held in Stockholm on 16 and 17 March, demonstrate cooperation on a vast range of topics - including a "proof of concept" of the "Enhanced Border Security Partnership" involving the transatlantic sharing of biometric data, the need to "reinforce law enforcement’s legitimacy to investigate" in debates around breaking telecoms encryption, and US "concerns on radicalisation among police forces."
EU: Anti-encryption Regulation: Presidency compromise proposals for Chapter I and Chapter III
Negotiations are proceedings on the EU's proposed Regulation laying down rules to prevent and combat child sexual abuse, which will oblige communications service providers to undermine encryption and use unproven automated detection technologies in the hope of detecting online child abuse imagery. In mid-October, the Czech Presidency of the Council circulated compromise proposals on Chapter III, dealing with supervision, enforcement and cooperation. Two weeks later, proposals on Chapter I (general provisions) followed. They are published here.
EU: Discussion on encryption ponders "retention of vulnerabilities and exploitation by the authorities"
At a recent event hosted by Europol's Innovation Hub, participants discussed questions relating to encrypted data and the ability of law enforcement authorities to access digital information. One issue raised was a possible "EU Vulnerability Management Policy for Internal Security," which could allow for "temporary retention of vulnerabilities and their exploitation by the relevant authorities." In effect, this would mean identifying weaknesses in software and, rather than informing the software developers of the problem, exploiting it for law enforcement purposes.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.