Signal, MEPs Urge EU Council To Drop Encryption-Eroding Law
Arthur T Knackerbracket has processed the following story:
On Thursday, the EU Council is scheduled to vote on a legislative proposal that would attempt to protect children online by disallowing confidential communication.
[...] Known to detractors as Chat Control, the proposal seeks to prevent the online dissemination of child sexual abuse material (CSAM) by requiring internet service providers to scan digital communication – private chats, emails, social media messages, and photos – for unlawful content.
The proposal [PDF], recognizing the difficulty of explicitly outlawing encryption, calls for "client-side scanning" or "upload moderation" – analyzing content on people's mobile devices and computers for certain wrongdoing before it gets encrypted and transmitted.
The idea is that algorithms running locally on people's devices will reliably recognize CSAM (and whatever else is deemed sufficiently awful), block it, and/or report it to authorities. This act of automatically policing and reporting people's stuff before it's even had a chance to be securely transferred rather undermines the point of encryption in the first place.
Europe's planned "regulation laying down rules to prevent and combat child sexual abuse" is not the only legislative proposal that contemplates client-side scanning as a way to front-run the application of encryption. The US Earn-It Act imagines something similar.
In the UK, the Online Safety Act of 2023 includes a content scanning requirement, though with the government's acknowledgement that enforcement isn't presently feasible. While it does allow telecoms regulator Ofcom to require online platforms to adopt an "accredited technology" to identify unlawful content, there is currently no such technology and it's unclear how accreditation would work.
With the EU proposal vote approaching, opponents of the plan have renewed their calls to shelve the pre-crime surveillance regime.
In an open letter [PDF] on Monday, Meredith Whittaker, CEO of Signal, which threatened to withdraw its app from the UK if the Online Safety Act disallowed encryption, reiterated why the EU client-side scanning plan is unworkable and dangerous.
"There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe," wrote Whittaker.
"Instead of accepting this fundamental mathematical reality, some European countries continue to play rhetorical games. They’ve come back to the table with the same idea under a new label."
[...] Threema said if it isn't allowed to offer encryption, it will leave the EU.
And on Tuesday, 37 Members of Parliament signed an open letter to the Council of Europe urging legislators to reject Chat Control.
"We explicitly warn that the obligation to systematically scan encrypted communication, whether called 'upload-moderation' or 'client-side scanning,' would not only break secure end-to-end encryption, but will to a high probability also not withstand the case law of the European Court of Justice," the MEPs said. "Rather, such an attack would be in complete contrast to the European commitment to secure communication and digital privacy, as well as human rights in the digital space." ®
EU Chat Control Law Proposes Scanning Your Messages — Even Encrypted Ones
[...] The proposed solution is to leave messages wide open for scanning — but somehow without compromising the layer of privacy offered by end-to-end encryption. It suggests that the new moderation system could accomplish this by scanning the contents of your messages before apps like Signal, WhatsApp, and Messenger encrypt them.
In response, Signal president Meredith Whittaker says the app will stop functioning in the EU if the rules become law, as the proposal “fundamentally undermines encryption,” regardless of whether it’s scanned before encryption or not. “We can call it a backdoor, a front door, or ‘upload moderation,’” Whittaker writes. “But whatever we call it, each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states, removing the protection of unbreakable math and putting in its place a high-value vulnerability.”
Several organizations, including the Electronic Frontier Foundation, the Center for Democracy & Technology, and Mozilla, have also signed a joint statement urging the EU to reject proposals that scan user content.
Privacy advocates aren’t the only ones raising alarm bells about the proposal. This week, dozens of Parliament members wrote to the EU Council to express their opposition to the proposal. Patrick Breyer, a German member of the European Parliament, has also spoken out about the bill, saying that “indiscriminate searches and error-prone leaks of private chats and intimate photos destroy our fundamental right to private correspondence.”
[...] “Many lawmakers understand that fundamental rights prohibit mass surveillance, but they don’t want to be seen opposing a scheme that’s framed as combatting CSAM,” Breyer says. “My message is that children and abuse victims deserve measures that are truly effective and will hold up in court, not just empty promises, tech solutionism and hidden agendas.”
Related Stories
Once Again, Chat Control Flails After Strong Public Pressure:
The European Union Council pushed for a dangerous plan to scan encrypted messages, and once again, people around the world loudly called out the risks, leading to the current Danish presidency to withdraw the plan.
EFF has strongly opposed Chat Control since it was first introduced in 2022. The zombie proposal comes back time and time again, and time and time again, it's been shot down because there's no public support. The fight is delayed, but not over.
It's time for lawmakers to stop attempting to compromise encryption under the guise of public safety. Instead of making minor tweaks and resubmitting this proposal over and over, the EU Council should accept that any sort of client-side scanning of devices undermines encryption, and move on to developing real solutions that don't violate the human rights of people around the world.
As long as lawmakers continue to misunderstand the way encryption technology works, there is no way forward with message-scanning proposals, not in the EU or anywhere else. This sort of surveillance is not just an overreach; it's an attack on fundamental human rights.
The coming EU presidencies should abandon these attempts and work on finding a solution that protects people's privacy and security.
Previously:
• Scientists Urge EU Governments to Reject Chat Control Rules
• EU Chat Control Law Proposes Scanning Your Messages — Even Encrypted Ones
• EU Parliament's Research Service Confirms: Chat Control Violates Fundamental Rights
• Client Side Scanning May Cost More Than it Delivers
(Score: 4, Insightful) by anotherblackhat on Friday June 21 2024, @03:40AM (6 children)
Pre-broken encryption is even worse than it sounds.
There are laws forbidding the publishing of pubic information (building codes, court records …), yet they want to force others to reveal private conversations.
Even if you succeeded in making ISPs scan messages, all that would happen is people would encrypt on yet another device before submitting the message to “the scanner”.
(Score: 4, Funny) by Anonymous Coward on Friday June 21 2024, @04:29AM
> ... pubic ...
[pre-teen giggles]
(Score: 2) by captain normal on Friday June 21 2024, @06:03AM (3 children)
I don't know where you live, but one can download Uniform Building Codes, Fire Codes, Electrical Codes, Plumbing Codes, etc here in California. Just DDG "Uniform Building Code".
The Musk/Trump interview appears to have been hacked, but not a DDOS hack...more like A Distributed Denial of Reality.
(Score: 2) by captain normal on Friday June 21 2024, @06:23AM
....For free, no money required.
The Musk/Trump interview appears to have been hacked, but not a DDOS hack...more like A Distributed Denial of Reality.
(Score: 2, Informative) by Runaway1956 on Friday June 21 2024, @11:41AM (1 child)
I don't know where GP lives either. But the state of Georgia has been in the headlines several times over the past few decades, because they are so secretive with case law, with publishing laws, and with "copyrighting" comments about case law, etc ad nauseam. I'm too lazy (just got out of bed, drinking first cup of coffee) to go research all of that, but you can start here if interested: https://www.nytimes.com/2020/04/27/us/politics/georgia-copyright-code-supreme-court.html [nytimes.com] The costs involved to get copies of those annotated codes were prohibitive for most people. If the state thought that they could copyright state code, who knows what else they may have sought to keep secret.
“Take me to the Brig. I want to see the “real Marines”. – Major General Chesty Puller, USMC
(Score: 2, Interesting) by anubi on Saturday June 22 2024, @12:21AM
Just like software...
They want to enforce ignorance so only the privileged know where the loopholes are.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 4, Touché) by SomeRandomGeek on Friday June 21 2024, @04:33PM
I think that you're underselling it. This is the worst idea ever. We all know why no encryption and weak encryption are bad ideas. But requiring third party applications to spy on their customers is so much worse.
In addition to facilitating spying by both governments and hackers, this proposal would also encourage spying by app developers, create an onerous burden upon app developers, and be extremely easy to circumvent by actual criminals.
Nope. Still underselling it. It would be impossible to apply censorship to every possible app that criminals might use to communicate, since as is immediately obvious to any software developer, the censored app would have to be implemented as a layer on top of an uncensored app. So this law would ONLY have the effect of harming innocent people.
(Score: 4, Insightful) by DrkShadow on Friday June 21 2024, @04:31AM (4 children)
No, It Does Not. That is not the point of encryption! Don't spout BS, like politicians; state things that are correct, and which can be understood, unlike politicians.
Encryption protects your data at rest, and your data in transit, from the purview of unauthorized parties. Unauthorized parties include the government. Encryption *does not* protect your data from applications running on your system, nor does it protect from you providing your unencrypted data to a party, nor is it meant to. In this case, the suggestion is that you(r app) provides the data to the detection algorithm, which is an authorized party (part of the app). Don't like it, don't use the app. No one "unauthorized" is looking at your data (by implication of your using the app), and there is nothing "undermin[ing] the point of encryption".
State things correctly. It's probably an innocent mistake, but suggests an emotional component that shouldn't be there.
(Score: 2) by DrkShadow on Friday June 21 2024, @04:37AM
That said, the whole point of scanning my content.. on my own system...
Go fuck yourself.
(Signal is developed in Europe, right? So they'll develop their app, in Europe, for an entirely non-European audience? Sigh. Nothing against them, props for them if they take that stance, but sigh. The things that people do to other people.)
(Score: 2) by RamiK on Friday June 21 2024, @11:57AM
Yes it does. e.g. Assuming there's no root elevation vulnerability to exploit, a locally run app can't read the memory of a gpg-agent's pinentry runtime so they don't have the pass phrase to decrypt files they can otherwise access.
compiling...
(Score: 3, Touché) by Deep Blue on Friday June 21 2024, @12:07PM
Of course encryption can protect the data from other apps in your device, what the hell are you on about?
So you want some police library embedded in the apps to scan everything? That's up yours, but I don't accept that.
(Score: 2) by PiMuNu on Friday June 21 2024, @12:19PM
In general what you say is true, but not always. For example, I have encrypted data on my hard drive, which I need a password to unencrypt, specifically so that bad actors with access to my system cannot access the data. For example, I do not store plain text passwords on my system but rather require a "master password" to access them.
(Score: 4, Insightful) by tangomargarine on Friday June 21 2024, @04:52AM (5 children)
A service that hires people to lurk everywhere, and whenever somebody uses a "think of the children" argument, the agent punches them in the face.
So fucking sick and tired of this bullshit excuse
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by tangomargarine on Friday June 21 2024, @04:56AM
The EU has some good ideas that hold corporations accountable, unlike our side of the pond, but they also have horseshit like the "right to force others to forget you", er I mean "right to be forgotten". And now this.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 5, Insightful) by Subsentient on Friday June 21 2024, @07:59AM (3 children)
It's not meant to be a serious excuse. It's meant to be an excuse. This has nothing to do with protecting children, and I think a lot of people by now are hopefully starting to figure that out.
This is another step towards digital totalitarianism. At some point, wrongthink, or even making a grimace when a speech of Dear Leader is playing (facial recognition), will be enough to get you sent to a concentration camp.
This is happening in near-unison in all democratic nations on Earth at the same time. Notice that?
If it wasn't, you might think "oh I'll move to New Zealand/Australia/Canada/Europe/etc", and perhaps the countries would actually suffer for it economically.
But the heat is slowly being turned up on all these different countries' frog pots at the same time in near lockstep.
Pay close attention to that. I know I am.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 2) by janrinok on Friday June 21 2024, @10:20AM
I suspect it is because some of the countries you have mentioned are part of the 5-Eyes community. Their interest is to intercept everything that they possibly can for intelligence purposes. Common people having access to strong encryption is making their job harder - poor souls... There are also larger communities which share data with the 5-Eyes community.
Another way in which such things can be poisoned is to frequently send random data streams so that they have to spend an inordinate amount of time discovering that the data contains no information whatsoever.
(The Five Eyes brings the UK, the United States, Canada, Australia and New Zealand into the world's most complete and comprehensive intelligence alliance.)
[nostyle RIP 06 May 2025]
(Score: 1, Insightful) by Anonymous Coward on Friday June 21 2024, @09:52PM
Hard agree. What kind of sick joke is it that people who push MAPS and practically lived on epstein island care about the welfare of children.
Next step will be scanning for "misinformation" which is really whatever the establishment says it is. Maybe a little "hate speech" too, that can be literally anything and I'm sure our more authority minded people will jump all over it with gusto.
(Score: 5, Insightful) by stormwyrm on Friday June 21 2024, @07:17AM (4 children)
We still have true personal computers today, but only barely. But with advances in technology, especially AI, this may soon no longer be the case. The NPUs that they are embedding into all new microprocessors these days are dual-use technology, in that they can also be used to rapidly analyse what we do on our machines and rat us out whenever they see something that looks suspicious. There was that recent thing about Windows Recall [soylentnews.org] that they announced recently that could easily be turned towards this kind of pervasive AI shoulder-surfing privacy invasion. Naturally, they invoke the Four Horsemen of the Infopocalypse (CSAM is the perennial, and always present member of the four, it's been there since the first Crypto Wars in the 1990s at least), and it is getting really tiresome. The kind of power that comes from having access to a system that can snoop on everything that anyone does on their computers, and with a local NPU that can analyse what is being done so that expensive humans don't have to, and remote and expensive AI clouds don't have to either is truly frightening. It seems not to deter the United States that supposedly has a Bill of Rights that makes all these things unconstitutional, and the similar laws in most EU countries that should have the same effect probably will not stop this either.
Numquam ponenda est pluralitas sine necessitate.
(Score: 1, Informative) by Anonymous Coward on Friday June 21 2024, @07:58AM
Yes, this garbage has been going on for the better part of 30 years now, remember the "Trusted Computing Platform Alliance" from the late 1990s?
You can still buy OpenPOWER POWER9 workstations from Raptor and they say they'll be revealing the successor later this year, so that's good.
(Score: 2) by PiMuNu on Friday June 21 2024, @10:06AM (2 children)
> rat us out whenever they see something that looks suspicious
How is that different to a conventional CPU?
(Score: 3, Interesting) by Subsentient on Friday June 21 2024, @10:19AM
The NPU models will plug any workaround holes if things like Windows Recall can see your screen and reason about what you're doing, and they will have the cognition to report you to the authorities with a low enough (or almost low enough) error rate to prevent widespread riots until it's too late.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 2) by stormwyrm on Saturday June 22 2024, @05:06AM
Numquam ponenda est pluralitas sine necessitate.
(Score: 2, Offtopic) by jasassin on Friday June 21 2024, @07:49AM
Benjamin Franklin once said: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." so I'm going to give these European politicians some ideas for more laws I'm sure they'd love.
Everyone must worship the Flying Spaghetti Monster.
Everyone must wipe a minimum of four times after a bowel movement, but may only use a total of two pieces of toilet tissue.
Everyone must shave their genitals at least twice a week.
If you know math above a high school level, without a permit, you must immediately report for a lobotomy.
Everyone must only walk backwards on Wednesdays if it's raining.
That's about the intelligence level of these assholes who keep trying to outlaw encryption. I wish moronic politicians would stop making, or attempting to make, unenforceable laws.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 5, Informative) by canopic jug on Friday June 21 2024, @08:10AM (1 child)
Netzpolitik has reported that chat control did not advance [netzpolitik.org] yesterday. Unfortunately, it was not shot down either. So all that we have gained is a little time to regroup and try to co-ordinate a proper slap down.
Belgium moves out of its role of council president and Hungary will try to pick up where Belgium left off, unfortunately.
As mentioned often, both sides of the pond have a stake in this because when damage is accomplished on one side, the other side insists on similar damage in the name of "harmonization". It is hard to reach politicians in July and August but this temporary reprieve can be a window of opportunity to kill off chat control for the foreseeable future.
Money is not free speech. Elections should not be auctions.
(Score: 2, Interesting) by pTamok on Saturday June 22 2024, @12:03PM
I feel a bit like the times when the British were fighting IRA terrorism/freedom fighting (depending on your point of view) - the IRA pointed out that they only needed to be 'lucky' once in perpetrating a 'significant event' - the British had to be 'lucky' every time in trying to prevent it [wikipedia.org].
The people trying to introduce back-doors and 'on-device scanning' need only be lucky once. People defending liberty need constant vigilance [wikipedia.org].
The fact that a multi-purpose tool can be used to aid the perpetration of a criminal act should not lead to the banning of use of such multi-purpose tools, especially when its majority use is non-criminal.
(Score: 2, Interesting) by lush7 on Saturday June 22 2024, @12:45PM
United Nations Universal Declaration of Human Rights: Article 12
"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."