CEPIS against total surveillance of digital communications in the EU

The Legal and Security Issues (LSI) expert group has produced a statement opposing the European Commission’s plans to oblige communication services providers (e-mail, messaging, video conferencing, etc.) to monitor all content, even if it is encrypted.

The regulation is pre-announced to be published before the end of 2021 or soon after. CEPIS firmly rejects this plan.

The Commission regards monitoring (for detecting and reporting) as an important tool in the fight against child sexual abuse and child pornography. While the fight against child pornography may ask for new methods, the Commission seems to accept the undermining of the principle of digital communication confidentiality. CEPIS urges the European Commission, the European Parliament and the governments of the EU member states to prevent this serious and far-reaching violation of fundamental rights. The European Parliament, in particular, is called upon to take immediate and decisive action against the Commission’s plans that are damaging to our community.

Background

The Directive on privacy and electronic communications (2002/58/EC) for the processing of personal data and the protection of privacy on the Internet has existed since July 1, 2002. On July 6, 2021, the EU Parliament approved a 3-year relaxation of this Directive in order to combat child abuse on the Internet and legalized the scanning of unencrypted content – previously illegally carried out by a number of providers. In the opinion of CEPIS, even this relaxation of the Directive violates the Charter of Fundamental Rights of the European Union, in particular Article 7 (Respect for private and family life), Article 8 (Protection of personal data) and Article 11 (Freedom of expression and information): these basically guarantee confidential communication. This is in line with the assessment by the former ECJ judge Ninon Colneric (see source here in an external link).

Nevertheless, the Commission would like to transform the temporary regulation into permanent and extend it to encrypted content. The Commission launched an open public consultation in this regard, and a clear majority of the respondents spoke out against this scanning, especially against breaking the encryption. Breaking the encryption would result in confidential communication no longer being guaranteed, and moreover, far-reaching attacks on IT systems become possible. CEPIS had already earlier pointed out the essential importance of cryptography to protect the confidentiality of communication.

Recently the term “Client-Side Scanning” (CSS) was introduced that may give the impression that scanning on users’ devices would be less risky for the privacy of communication than earlier proposals. However, an extensive analysis by leading experts in the field clearly shows the opposite: “The introduction of CSS would be much more privacy invasive than previous proposals to weaken encryption. Rather than reading the content of encrypted communications, CSS gives law enforcement the ability to remotely search not just communications, but information stored on user devices.”

There is no question that child abuse needs to be combated. However, this fight must be waged in the real world, above all, by taking children seriously, investigating suspected cases more quickly and strengthening the responsible authorities. It cannot be that automated procedures are used to combat crime, which has the consequence that IT systems’ security is impaired and fundamental principles of our democracy are abandoned.

---

References

1. Ylva Johansson, Member of the Commission, Speech in the European Parliament (Paragraph 7).
2. Ministerial conference on the prevention and investigation of child sexual abuse (Page 4, Paragraph 2),
3. Legal opinion commissioned by MEP Patrick Breyer, The Greens/EFA Group in the European Parliament, Prof. Dr. Ninon Colneric, March 2021 (pdf in browser)
4. EU Open Public Consultation on “Fighting child sexual abuse: detection, removal and reporting of illegal content online”.
5. Contribution file of the Survey related to the EU Open Public Consultation on “Fighting child sexual abuse: detection, removal and reporting of illegal content online”
6. CEPIS statement “Right to Encryption Instead of a Master Key for Encrypted Communication” (PDF in browser)
7. Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague, Carmela Troncoso: “Bugs in our Pockets: The Risks of Client-Side Scanning”.