EU tech companies have written to ministers across the European Union (EU) urging them not to support a proposed regulation on child sexual abuse that could undermine the security of internet services that rely on end-to-end encryption.
Some 18 companies, which include encrypted email and messaging providers, warn that the proposals by the European Commission (EC) would “negatively impact children’s privacy and security” and could have “dramatic unforeseen consequences” for cyber security.
Their open letter, published 22 January 2024, warns that the EC’s draft regulation, which requires the mass scanning of encrypted communications, will create security vulnerabilities that put citizens and businesses at greater risk if it is written into EU law.
The letter aims to end an impasse between member states, the European Commission and the European Parliament, which disagree on whether the EC’s proposal for mass-scanning encrypted messages is a proportionate and workable response to concerns about child safety.
Its signatories include the Swiss encrypted email service Proton; Germany’s Tuta Mail; German cloud storage specialist NextCloud; and Element, a UK company which provides encrypted collaboration and communication services.
The group of small and medium-sized tech companies urged EU leaders to back a more measured version of the regulation proposed by the European Parliament, which “experts believe will be more effective and more efficient” than mass scanning of encrypted email and messaging services.
Romain Digneaux, public policy specialist at Proton, told Computer Weekly: “We want to show the EU governments that the debate is not just a dichotomy between privacy and child protection, but that privacy and child protection go hand in hand.”
The EC’s version of the regulation requires technology companies to introduce “backdoors” or to use technology known as “client-side scanning” to scan the contents of all encrypted communications for text, photos and videos that indicate child sexual abuse.
“Even if this mechanism is created with the purpose of fighting crime online, it would also quickly be used by criminals themselves, putting citizens and businesses more at risk online by creating vulnerabilities for all uses,” they wrote.
Client-side scanning technologies compute “hash values” of messages on the user’s own phone or computer, before the message is encrypted, and compare them against a database of “hash values” of known illegal content held on the device. The approach has been widely criticised by security experts and cryptographers.
In 2021, 14 of the world’s top computer scientists, including cryptography pioneers Ron Rivest and Whit Diffie, warned in a scientific paper that client-side scanning “creates serious security and privacy risks” and could be exploited by hostile nation-states, malicious actors and even child abusers to harm others or society.
Last year, scientists and researchers from more than 30 countries warned that the scanning technology proposed by the European Commission is “deeply flawed” and vulnerable to attacks. They said that the technology would leak “illegal information” and would struggle to detect illegal content “reliably”.
Leaked internal legal advice shows that the Council of Europe’s own lawyers have serious questions about the lawfulness of the planned measures, which they say could lead to the de facto “permanent surveillance of all interpersonal communications”.
Digneaux said that once mass scanning has been introduced for one purpose, policy-makers would face inevitable pressure to expand its use for other purposes, such as terrorism or organised crime.
The technology could also be used by repressive regimes to monitor political dissent. “We have a lot of users in countries like Russia or Iran that rely on our services, such as journalists or people just expressing their political opinions,” he said.
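To make the mechanism, and the “scope creep” concern above, concrete, here is a toy model of client-side scanning. It is an example added to this article, not code from Proton, any of the signatories or the European Commission, and every value in it (the stand-in “known content” bytes, the slogan, the XOR “encryption” and the key) is constructed for illustration. It shows why the scan has to run on the device (the server only ever sees ciphertext) and that the device, which receives only opaque hashes, flags whatever the list owner adds, whether or not it is child abuse material.

```python
"""Toy model of client-side scanning (added example; not the article's code).

All data below is constructed. SHA-256 stands in for the perceptual hashes
real systems use, and XOR stands in for end-to-end encryption, so that the
example runs offline with the standard library only.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def content_hash(data: bytes) -> str:
    """Hash of one piece of content (SHA-256 here, purely for the demo)."""
    return hashlib.sha256(data).hexdigest()


def build_blocklist(known_items: List[bytes]) -> Set[str]:
    """The database pushed to every device: hashes only, never the content,
    so the device cannot tell what any entry actually represents."""
    return {content_hash(item) for item in known_items}


@dataclass
class ScanResult:
    flagged: bool
    matched_hash: Optional[str]


def client_side_scan(plaintext: bytes, blocklist: Set[str]) -> ScanResult:
    """Runs on the user's own device, before encryption, so it sees the
    message in the clear. This is the step the critics quoted above object to."""
    h = content_hash(plaintext)
    hit = h in blocklist
    return ScanResult(flagged=hit, matched_hash=h if hit else None)


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for end-to-end encryption (constructed; not a real cipher)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))


def send_message(plaintext: bytes, blocklist: Set[str], key: bytes) -> Tuple[bytes, ScanResult]:
    """What the client does under such a scheme: scan the plaintext, then
    encrypt and send. A real client would report a hit to the provider."""
    result = client_side_scan(plaintext, blocklist)
    return toy_encrypt(plaintext, key), result


def server_can_match(ciphertext: bytes, blocklist: Set[str]) -> bool:
    """Server-side check on the ciphertext. The hash of ciphertext never
    matches a content hash, which is why the scan is pushed to the client."""
    return content_hash(ciphertext) in blocklist


# --- constructed sample data (not real material of any kind) ---------------
KNOWN_ILLEGAL_STANDIN = b"<constructed stand-in for a known illegal image>"
POLITICAL_SLOGAN = b"Free the press"   # constructed
BENIGN = b"See you at 6"               # constructed
KEY = b"constructed-demo-key"

BLOCKLIST = build_blocklist([KNOWN_ILLEGAL_STANDIN])


def scope_creep_demo() -> Dict[str, bool]:
    """Whoever controls the hash list decides what gets flagged. Adding one
    hash, with no change to the client at all, turns a scanner for abuse
    material into a scanner for political speech; the device cannot tell
    the two cases apart because it only ever sees opaque hashes."""
    expanded = BLOCKLIST | build_blocklist([POLITICAL_SLOGAN])
    return {
        "illegal_flagged_original": client_side_scan(KNOWN_ILLEGAL_STANDIN, BLOCKLIST).flagged,
        "slogan_flagged_original": client_side_scan(POLITICAL_SLOGAN, BLOCKLIST).flagged,
        "slogan_flagged_expanded": client_side_scan(POLITICAL_SLOGAN, expanded).flagged,
        "benign_flagged_expanded": client_side_scan(BENIGN, expanded).flagged,
    }


if __name__ == "__main__":
    ct, res = send_message(KNOWN_ILLEGAL_STANDIN, BLOCKLIST, KEY)
    print("flagged on device:", res.flagged)                 # True
    print("server can match ciphertext:", server_can_match(ct, BLOCKLIST))  # False
    print(scope_creep_demo())
```

The point of the model is structural rather than cryptographic: once a matching component sits in front of the encryption step, the end-to-end guarantee no longer protects the user from the party that supplies the hash list, and the user has no technical way to audit what that list contains.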
Risk to cyber security
According to the letter, the EU’s strong focus on data protection has led to the growth of ethical, privacy-focused tech companies in Europe that have been able to compete with larger American and Chinese companies.
The tech companies argue that the EC’s proposals are at odds with other EU Regulations, including the Cyber Resilience Act (CSA) and the Cybersecurity Act that encourage the use of end-to-end encryption to manage cyber security risks.
Supporting an opposite approach for the CSA regulation would “undermine the EU cyber security framework” and lead to “incoherent and inefficient measures” that tech companies would not be able to enforce without putting citizens at risk.
The European Parliament’s proposals include alternatives to mandatory scanning that would be “more effective”, would “prioritise data protection and security” and “would better protect children online”, the companies claim.
Tech companies willing to discuss solutions
Digneaux told Computer Weekly that tech companies were willing to discuss solutions with the European Commission and were not “simply saying no”.
“We are saying, ‘Let’s build something as close as possible to the European Parliament’s proposals and have this text adopted as quickly as possible and have a proper framework in place for child protection’,” he said.
He added that Proton had automated systems in place, checked by humans, to identify suspicious interactions, and that it relied on reports from its users, but that it was not technically possible for Proton to see the content of its users’ encrypted emails.
“Our goal is to be able to cooperate with police, and we can do without necessarily providing the content of conversations,” said Digneaux. “We will not deliver the number one greatest evidence that will convict someone, that is true, but we can help police with their investigations.”
Matthias Pfau, founder of Tuta Mail, said: “Security experts agree that the chat control proposal by the European Commission to scan every chat message and every email would create a backdoor – one that could and will be abused by criminals.”
The legislation “would hinder economic growth and stop businesses from trusting EU-based companies with their data”, he added.