The European Union's proposed Regulation to Prevent and Combat Child Sexual Abuse (CSAR) is fraught with flaws, posing significant risks to privacy, information security, and fundamental rights. SecureCrypt, as a member of the Global Encryption Coalition, staunchly opposes this move, viewing it as detrimental to digital society.
In 2022, the European Commission introduced a proposal mandating the automatic scanning of all private chat messages to detect content violating Child Sexual Exploitation Materials (CSEM) laws. Known as "Chat Control 2.0," the CSAR (Commission proposal COM/2022/209 final) would expand current frameworks, requiring pre-emptive scanning on devices before information is encrypted and sent.
Amid growing opposition, the Belgian presidency postponed the Council's scheduled vote on June 20, 2024. However, Hungary, set to assume the Council presidency on July 1, intends to reopen negotiations.
SecureCrypt's Stand Against the Regulation
This proposal is the latest in a series of misguided attempts to protect vulnerable populations online. While combating abuse is crucial, this regulation is not the solution. Alongside other surveillance measures, it marks a troubling shift towards undemocratic oversight.
Organizations including the Signal Foundation, the Wikimedia Foundation, and the Global Encryption Coalition warn that this initiative endangers European citizens' security, undermines digital democracy, and violates fundamental privacy rights.
Technological and Security Risks
Pre-emptive scanning is technologically unfeasible and unreliable. It would necessitate inspecting all EU network traffic, an endeavor even oppressive regimes like Iran and Russia struggle to enforce. Client-side scanning also introduces vulnerabilities exploitable by cybercriminals, compromising data sovereignty and security.
Undermining Privacy
The digital society relies on trust in security mechanisms like encryption. Undermining this trust hampers the adoption of e-government, e-commerce, and other digital services, counteracting efforts to enhance citizens' digital engagement.
Ineffectiveness and Practical Challenges
Cybercriminals are adept at circumventing technological barriers, and encryption is vital for legitimate uses, including protecting activists in oppressive regimes. Blocking encryption tools jeopardizes dissidents without effectively curbing cybercrime. Additionally, the administrative burden on CSIRTs, law enforcement, and software providers would divert resources from genuine security efforts.
Economic Impact
The regulation would impose significant costs on technology companies, stifling innovation and competitiveness, especially for SMEs. European software could become less competitive internationally, as customers opt for more secure alternatives, undermining the EU's technology sector.
Potential for Warrantless Surveillance
Intrusive controls, once implemented, are rarely repealed. Client-side scanning could extend to broader surveillance, potentially targeting political dissidents, journalists, and other vulnerable groups. Weakening encryption could also facilitate abuse, exacerbating risks for individuals.
Violation of Fundamental Rights
The proposal undermines key principles of European law and human rights. It violates Article 8 of the EU Charter of Fundamental Rights, which guarantees the protection of personal data and the right to private communication. This sets a dangerous precedent for surveillance and erodes trust in digital privacy.
Better Alternatives
Modern encryption technologies, like homomorphic encryption, can match known bad patterns in encrypted data without decryption. Law enforcement already has various effective tools in its arsenal, as well as cooperation and assistance from industry partners. Undermining online security for everyone is not the way forward. Enhancing Europol's coordination capabilities would be a more effective approach to combating cybercrime.
Conclusion
Laws must not cause more harm than they prevent. The EU must uphold rights, liberty, and democracy. SecureCrypt calls on the European Parliament, the European Commission, and the Council of the EU to abandon the CSAR and reconsider technological surveillance policies to protect our digital society.