The executive of the European Union today published a draft law proposal (text) which, if it becomes law, would be a disaster for online privacy in the EU and around the world. In the name of fighting crimes against children, the European Commission has proposed new rules that would require a wide range of internet services, including hosting and messaging services, to search for and report child pornography.
The Commission’s new requirements would require regular plain-text access to users’ private messages, from emails to text messages to social media. Private companies would not only be tasked with finding and stopping the distribution of known child abuse images, but could also be required to take action to prevent future “grooming” or alleged child abuse. This would be a massive new surveillance system, as it would require the infrastructure to analyze user messages in detail.
The new proposal is too broad, disproportionate and infringes on everyone’s privacy and security. By damaging the encryption, it could actually make the problem of child safety worse, not better, for some minors. Abused minors, as much as anyone else, need private channels to report what is happening to them. The scanning requirements are subject to safeguards, but they are not strong enough to prevent the privacy-intrusive actions that platforms will be required to take.
Unfortunately, this new attempt to impose a backdoor in encrypted communications is part of a global pattern. In 2018, the Five Eyes – an alliance of intelligence services from Canada, New Zealand, Australia, the United Kingdom and the United States –warned that they “will pursue technological, enforcement, legislative or other measures to achieve lawful access solutions” if companies do not voluntarily provide access to encrypted messages. With the urging from the Department of Justice, the US Congress attempted to create encryption backdoors through the EARN IT Act, in 2020 and even earlier this year. Last fall, government agencies pressured Apple to offer a system of software scanners on every device, constantly checking child abuse images and reporting to authorities. Fortunately, the apple the program seems to have been abandoned for the momentand WIN IT is still not a law in the United States
The European Union prides itself on its high standards for data protection and privacy, as evidenced by the adoption of the General Data Protection Regulation, or GDPR. This new proposal suggests that the EU could take a radically different direction, forgoing privacy and instead seeking state-controlled analysis of all messages.
European civil society groups dealing with digital freedoms, including European Digital Rights (EDRi)germany Society for Civil Rightsthe Netherlands’ Pieces of freedomand Austria epicenter.works also expressed serious concerns about this proposal.
Fortunately, the misguided proposal released today is far from having the final say on this issue. The European Commission cannot legislate alone. We don’t believe the EU wants to override the privacy and security of ordinary citizens, and we’re ready to work with MEPs and representatives of EU member states to defend privacy and encryption.