SoylentNews is people

posted by Fnord666 on Tuesday November 04, @05:23AM

Once Again, Chat Control Flails After Strong Public Pressure:

The European Union Council pushed for a dangerous plan to scan encrypted messages, and once again, people around the world loudly called out the risks, leading the current Danish presidency to withdraw the plan.

EFF has strongly opposed Chat Control since it was first introduced in 2022. The zombie proposal comes back time and time again, and time and time again, it's been shot down because there's no public support. The fight is delayed, but not over.

It's time for lawmakers to stop attempting to compromise encryption under the guise of public safety. Instead of making minor tweaks and resubmitting this proposal over and over, the EU Council should accept that any sort of client-side scanning of devices undermines encryption, and move on to developing real solutions that don't violate the human rights of people around the world.

As long as lawmakers continue to misunderstand the way encryption technology works, there is no way forward with message-scanning proposals, not in the EU or anywhere else. This sort of surveillance is not just an overreach; it's an attack on fundamental human rights.

The coming EU presidencies should abandon these attempts and work on finding a solution that protects people's privacy and security.

Previously:
    • Scientists Urge EU Governments to Reject Chat Control Rules
    • EU Chat Control Law Proposes Scanning Your Messages — Even Encrypted Ones
    • EU Parliament's Research Service Confirms: Chat Control Violates Fundamental Rights
    • Client Side Scanning May Cost More Than it Delivers



Related Stories

Client Side Scanning May Cost More Than it Delivers 52 comments

From Malware Bytes Blog

On May 11, 2022, the EU will publicize a proposal for a law on mandatory chat control. The European Commission wants all providers of email, chat and messaging services to search for suspicious messages in a fully automated way and forward them to the police in the fight against child pornography.

[...] Similar developments are taking place in the US and the supporting narrative has expanded from domestic terrorism to other illegal content and activity, such as child sexual exploitation and abuse, terrorism, foreign adversaries, and attempts to undermine democratic values and institutions.

[...] What most, if not all, of these activities have in common is that you usually won't see the criminals using the same platforms as those of us that want to stay in touch with friends and relatives. They are already conducting their "business" in illegal marketplaces on the Dark Web, or they are using encrypted phone services.

[...] Since client-side scanning technologies may represent the most powerful surveillance system ever imagined, it is imperative that we find a way to make them abuse-resistant and auditable before we decide to start using them. Failures from the past have taught us that it's often the other way around. We learn from our mistakes, but how costly are they?

Also at:
    The Guardian
    Patrick Breyer



EU Parliament’s Research Service Confirms: Chat Control Violates Fundamental Rights 7 comments

MEP Patrick Breyer (Germany, Pirate Party), one of the few representatives fighting for preserving rights online rather than against them, has posted a summary about the EU Parliament's assessment of the proposed "Chat Control" legislation. In short, the "Chat Control" proposal violates basic human rights:

The experts made clear that an "increase in the number of reported contents does not necessarily lead to a corresponding increase in investigations and prosecutions leading to better protection of children. As long as the capacity of law enforcement agencies is limited to its current size, an increase in reports will make effective prosecution of depictions of abuse more difficult."

In addition, the study finds: "It is undisputed that children need to be protected from becoming victims of child abuse and depictions of abuse online... but they also need to be able to enjoy the protection of fundamental rights as a basis for their development and transition into adulthood." It warns: "With regards to adult users with no malicious intentions, chilling effects are likely to occur."

There is an obfuscated link at the bottom of his post to the study, Proposal for a regulation laying down the rules to prevent and combat child sexual abuse: Complementary Impact Assessment. He also has an older overview of the problems with the proposed legislation at his blog, too.



EU Chat Control Law Proposes Scanning Your Messages — Even Encrypted Ones 26 comments

Signal, MEPs Urge EU Council To Drop Encryption-Eroding Law

Arthur T Knackerbracket has processed the following story:

On Thursday, the EU Council is scheduled to vote on a legislative proposal that would attempt to protect children online by disallowing confidential communication.

[...] Known to detractors as Chat Control, the proposal seeks to prevent the online dissemination of child sexual abuse material (CSAM) by requiring internet service providers to scan digital communication – private chats, emails, social media messages, and photos – for unlawful content.

The proposal [PDF], recognizing the difficulty of explicitly outlawing encryption, calls for "client-side scanning" or "upload moderation" – analyzing content on people's mobile devices and computers for certain wrongdoing before it gets encrypted and transmitted.

The idea is that algorithms running locally on people's devices will reliably recognize CSAM (and whatever else is deemed sufficiently awful), block it, and/or report it to authorities. This act of automatically policing and reporting people's stuff before it's even had a chance to be securely transferred rather undermines the point of encryption in the first place.

Europe's planned "regulation laying down rules to prevent and combat child sexual abuse" is not the only legislative proposal that contemplates client-side scanning as a way to front-run the application of encryption. The US Earn-It Act imagines something similar.

In the UK, the Online Safety Act of 2023 includes a content scanning requirement, though with the government's acknowledgement that enforcement isn't presently feasible. While it does allow telecoms regulator Ofcom to require online platforms to adopt an "accredited technology" to identify unlawful content, there is currently no such technology and it's unclear how accreditation would work.

With the EU proposal vote approaching, opponents of the plan have renewed their calls to shelve the pre-crime surveillance regime.

In an open letter [PDF] on Monday, Meredith Whittaker, CEO of Signal, which threatened to withdraw its app from the UK if the Online Safety Act disallowed encryption, reiterated why the EU client-side scanning plan is unworkable and dangerous.

"There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe," wrote Whittaker.

European countries continue to play rhetorical games. They’ve come back to the table with the same idea under a new label

"Instead of accepting this fundamental mathematical reality, some European countries continue to play rhetorical games."

[...] Threema said if it isn't allowed to offer encryption, it will leave the EU.

And on Tuesday, 37 Members of Parliament signed an open letter to the Council of Europe urging legislators to reject Chat Control.

"We explicitly warn that the obligation to systematically scan encrypted communication, whether called 'upload-moderation' or 'client-side scanning,' would not only break secure end-to-end encryption, but will to a high probability also not withstand the case law of the European Court of Justice," the MEPs said. "Rather, such an attack would be in complete contrast to the European commitment to secure communication and digital privacy, as well as human rights in the digital space."

Scientists Urge EU Governments to Reject Chat Control Rules 7 comments

Scientists urge EU governments to reject Chat Control rules:

As the final vote draws closer, an open letter has highlighted significant risks that remain in the EU's controversial 'Chat Control' regulation.

617 of the world's top scientists, cryptographers and security researchers have released an open letter today (10 September) calling on governments to reject the upcoming final vote on the EU's 'Chat Control' legislation.

The group of scientists and researchers – hailing from 35 countries and including the likes of AI expert Dr Abeba Birhane – has warned that the EU's proposed legislation targeting online child sexual abuse material (CSAM), known colloquially as Chat Control, would undermine the region's digital security and privacy protections and "endangers the digital safety of our society in Europe and beyond".

The group also warned that the new rules will create "unprecedented capabilities" for surveillance, control and censorship, and has an "inherent risk for function creep and abuse by less democratic regimes".

This is not the first time this collective has warned against the regulation, having previously published its recommendations in July 2023, May 2024 and September 2024.

The proposed legislation would require providers of messaging services such as WhatsApp, Signal, Instagram, email and more to scan its users' private digital communications and chats for CSAM material. This scanning would even apply to end-to-end encrypted communications, regardless of a provider's own security protections.

Any content flagged as potential CSAM material by the scanning algorithms would then be automatically reported to authorities.

Currently, 15 EU member states have issued support for the legislation – including Ireland. Six member states oppose the rules, while six remain undecided in their stance.

While the latest draft of the legislation has been amended to exclude the detection of audio and text communications – limiting detection to "visual content", such as images and URLs – the scientists argue that the legislation in its current form is still unacceptable.

The group argues that none of the legislation's changes address its major concerns, namely the infeasibility of scanning hundreds of millions of users for CSAM content with appropriate accuracy, the undermining of end-to-end encryption protections and the heightened privacy risks to EU citizens.

While the latest draft of the regulation has reduced the scope of targeted material (limited to visual content and URLs), the group of scientists states that this reduction will not improve effectiveness.

"There is no scientific basis to argue that detection technology would work any better on images than on text," reads the letter, with further assertions that CSAM detection methods can be easily evaded. The group states that just changing a few bits in an image is "sufficient to ensure that an image will not trigger state-of-the-art detectors".

The group also criticises the EU's proposal of using AI and machine learning to detect CSAM imagery due to the technology's unreliability.

  • (Score: 0) by Anonymous Coward on Tuesday November 04, @06:47AM (5 children)

    I was still in the big glassy boxes when the phrase "insider threats" emerged. I was participating in the writing of software to handle them, but was known to voice the notion that a more robust solution would be to hire ethical people, pay them well, and be mindful of unusual behavior when it arises rather than pour so much money into a technical solution. Of course I still cashed the checks.

    Anyway, I'm reminded of that. Hey government, if you're not mis-behaving, you have nothing to be afraid of. Plainly the spy agencies of various countries are not going to pay attention to this. They'll move whatever they need via "numbers stations", "stego" or even a diplomatic pouch full of thumb drives. Secret communications by your allies aren't threatening, are they?

    Good. Then consider the citizens your allies, and treat them at least as well if not better. You should have very few problems.

    • (Score: 4, Insightful) by Anonymous Coward on Tuesday November 04, @09:46AM (1 child)

      I feel you're missing the point.

      These people are like cops. Their jobs are to investigate, and charge people with crimes. To better charge people with crimes, and more thoroughly investigate, they need to see *everything*. It doesn't matter if people are innocent, or if they deserve privacy, or if they have human rights. Their job is to *investigate* and charge criminals with crimes. If they have to make more things illegal so that they can charge more people, success! Job well done! If they strip away protections from the populace, success! More investigation!

      It's the standard single-issue platform, where politicians are supposed to be balancing the needs and wants of the people with the needs for protection, etc, but the politicians fail utterly. Usually they cave to groups giving them money, and cops, because "Protect the XYZ!!" is always a popular platform, and money talks.

      • (Score: 2, Touché) by Anonymous Coward on Tuesday November 04, @03:49PM

        These people are like cops.

        Except that they wear masks, do not have a warrant, are untrained, and unaccountable.

        But other than that they are a bit like cops, but much more like enemy soldiers in their appearance.

    • (Score: 2) by canopic jug on Tuesday November 04, @10:13AM

      Then consider the citizens your allies, and treat them at least as well if not better. You should have very few problems.

      That is a textbook example of the Pygmalion effect [simplypsychology.org] in action. People tend to behave like you treat them. If you treat them well and expect the best, they tend to comply.

      --
      Money is not free speech. Elections should not be auctions.
    • (Score: 2) by c0lo on Tuesday November 04, @11:22AM (1 child)

      I was still in the big glassy boxes

      You mean... in a neonatal intensive care unit incubator?

      Then consider the citizens your allies, and treat them at least as well if not better.

      Ummm... it only takes one Cyber Exec with Lavish Lifestyle [soylentnews.org]. How much better beyond lavish do you want that one to be treated?

      --
      https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 0) by Anonymous Coward on Tuesday November 04, @10:03PM

        That's the exception that proves the rule. Spy cases in the US have historically been *rare*, but (surprise, surprise) when we start torturing people via extraordinary rendition, when whistle blowers are hounded, when mass surveillance is the worst-kept secret then suddenly "espionage" is everywhere.

  • (Score: 3, Insightful) by SemperOSS on Tuesday November 04, @10:54AM (1 child)

    Chat Control has now been taken off the agenda (for now 😟) after Germany (and other countries) said they would not vote for it.

    It is a victory for common sense … at least until someone else finds a new way to re-packet the idea in the hope of a universal panopticon.

    --
    Open Source Solutions and Digital Sovereignty is the new black
    • (Score: 3, Interesting) by JoeMerchant on Tuesday November 04, @07:14PM

      It's a good day on the battlefield, one skirmish to the good guys.

      They're going to keep pushing this until they get little pieces of it, and build the little pieces up over time until it's something we never would have accepted in the first place.

      We are the frogs in the pot.

      --
      🌻🌻🌻 [google.com]
  • (Score: 5, Informative) by pTamok on Tuesday November 04, @11:15AM (2 children)

    The Security and Intelligence services of each nation-state will never give up on wanting to be able to access the content of encrypted messages at their will. It is too big a prize. They can also apply a great deal of pressure to politicians.

    Note that I said "access the content of encrypted messages", as the point about 'Chat Control' was that messages are scanned on-device before being encrypted and sent: so that formally, the encryption is not being broken, you just are not being allowed to use encryption until after your message has been scanned by the official software. This allows people to say with a straight face that encryption, in and of itself, is not being broken.

    This means that you could encrypt your message off-device, print the code generated by the encrypter in some form, take a picture of it, and send that picture. The recipient could then print the received picture, scan it off-device and decrypt the message off-device. It certainly makes sending encrypted messages more difficult, but not impossible. You then get an arms race of the scanner attempting to prevent pictures of encrypted messages being sent... The inevitable end result is 'the authorities' attempting to make the use of non-official encryption illegal. In the England & Wales legal jurisdiction this is handled in such a way that you can be sent to jail for refusing to decrypt information when it is demanded of you by the police. Once you have served your term, they can demand again, and if you continue to refuse, you can be sent to jail again - but because it counts as a 'new' crime, the law against indefinite/unlimited jail terms does not apply, so you just remain in jail for a sequence of limited terms. If you are presented with seemingly random data and told to decrypt it, it is difficult to prove that you do not have a key and are just refusing to disclose it.

    The Danish Justice Minister, Peter Hummelgaard, is on record as saying to the TV2 TV channel in Denmark in August 2024 (last year):

    (Note, I'm leaving links and text in original Danish so you can use your translator of choice, or consult a Danish speaker)

    Vi er nødt til at bryde med den totalt fejlagtige opfattelse af, at det er enhver mands frihedsrettighed at kommunikere på krypterede beskedtjenester, som bliver brugt til at facilitere mange forskellige alvorlige former for kriminalitet

    My (offline) Firefox translator translates the above as:

    We need to break with the totally erroneous perception that it is every man's freedom to communicate on encrypted messaging services, which are being used to facilitate many different serious forms of crime

    Reporting on the DR media in this: DR: Hummelgaard vil åbne en bagdør til vores telefoner – og vil ikke sige, hvor grænsen går [www.dr.dk]
    Link to the TV2 article where the quotation is (first) printed: TV2: For få dage siden efterlyste anonyme profiler "lejesvende" til Danmark – nu overvejer minister stort indgreb: Det skal være muligt for Danmark helt at blokere hjemmesider, hvor vold og drab udbydes som jobopslag, siger minister. [tv2.dk]

    I don't believe there is complete agreement within the Danish government with Hummelgaard's position.

    He was given the opportunity to modify his view when asked officially. The Danish Parliament has a website recording questions and responses:

    https://www.ft.dk/samling/20231/almdel/REU/spm/1425/index.htm [www.ft.dk]

    That question is:

    Vil ministeren uddybe ministerens udtalelse til TV2 den 21. august 2024, hvor ministeren siger: ”Vi er nødt til at bryde med den totalt fejlagtige opfattelse af, at det er enhver mands frihedsrettighed at kommunikere på krypterede beskedtjenester (…)”?

    My (offline) Firefox translator translates the above as:

    “Will the Minister elaborate on the Minister’s opinion to TV2 on 21. August 2024, where the minister says: “We have to break with the totally erroneous perception that it is every man's freedom to communicate on encrypted messaging services (...)”?”

    The response (within several paragraphs of text in PDF) is:

    Det må ikke være sådan, at de kriminelle kan gemme sig bag krypterede tjenester, som myndighederne ikke kan få adgang til.

    My (offline) Firefox translator translates the above as:

    It must not be the case that the criminals can hide behind encrypted services that the authorities cannot get access to.

    A follow up was:

    https://www.ft.dk/samling/20231/almdel/REU/spm/1426/index.htm [www.ft.dk]

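    Når ministeren siger til TV2 den 21. august, at ”vi er nødt til at bryde med den totalt fejlagtige opfattelse af, at det er enhver mands frihedsrettighed at kommunikere på krypterede beskedtjenester (…), mener ministeren så, at det heller ikke er en frihedsrettighed at kommunikere via iMessage og WhatsApp, da beskederne her også er krypterede?

    [English translation: When the Minister says to TV2 on 21 August that "we have to break with the totally erroneous perception that it is every man's freedom to communicate on encrypted messaging services (…)", does the Minister then believe that it is also not a freedom to communicate via iMessage and WhatsApp, since the messages there are also encrypted?]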

    Rather than answer directly, in the answer PDF the questioner is referred to a previous question and response:

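    Justitsministeriet skal henvise til den samtidige besvarelse af spørgsmål nr.1425 (Alm. del) fra Folketingets Retsudvalg

    [English translation: The Ministry of Justice refers to the simultaneous answer to question no. 1425 (Alm. del) from the Danish Parliament's Legal Affairs Committee]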

    Which means that he certainly did not withdraw his assertion, and obfuscated the reply.

    Hummelgaard is certainly working hard in wanting something like "Chat Control". He relates in his book* "Der er noget, vi skal tale om" that he was raised in a family with a violent father. This could well influence his opinions on using encryption to hide evidence of violence against children.

    Altinget: Peter Hummelgaard er ikke bare landets justitsminister. Han er søn af en voldelig far [altinget.dk]

    (Local Firefox translation: "Peter Hummelgaard is not just the country's attorney general. He is the son of a violent father")

    Europe does not have a First Amendment 'guaranteeing' freedom of speech, but membership of the Council of Europe, which has more members than 'simply' the EU, requires that a country is a signatory to the European Convention on Human Rights. Article 8 states:

    Article 8 – Right to respect for private and family life

            1. Everyone has the right to respect for his private and family life, his home and his correspondence.

            2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

    I recommend reading the guidance on the ECHR Article 9 issued by the European Court of Human Rights: https://ks.echr.coe.int/web/echr-ks/d/guide_art_8_eng [coe.int]

    A pertinent extract regarding mass surveillance:

    As regards a statutory requirement to decrypt communications, it would appear that any such measures would not be limited to specific individuals and would weaken encryption for all users thus affecting everyone indiscriminately, including individuals who posed no threat to legitimate interests: such measures therefore could not be regarded as proportionate (§§ 77-79).

    This part of the guidance probably influences the design of "Chat Control": mandatory surveillance/scanning before encryption. In this way the weakening of encryption is sidestepped: you can have encryption as effective as you like as it is the plain text that is being scanned before encryption. Of course, those promoting "Chat Control" will claim adequate controls against abuse, which is a preoccupation of the Court.

    Just to confuse matters, the European Union Charter of Fundamental Rights Article 7 [europa.eu] is an effective copy of the ECHR Article 8: but applies only in the EU. But debates within the EU will refer to that, rather than Article 8 of the ECHR.

    The question, as far as ECHR Article 8 is concerned, is whether mandatory scanning of your messages before encryption "is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

    The debate over this will run and run. Plenty of people will make a strong argument that being able to assess the content of all messages "is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others." Opposing such well-meaning people is a Sisyphean task. It will never be over.

    *Listed in his bibliography on the Danish Wikipedia page about him, not on the English one.

    • (Score: 2, Interesting) by pTamok on Wednesday November 05, @10:35AM (1 child)

      ...And here we go again

      Euronews: New Danish proposal for chat control: three fat problems remain [euronews.com]

      Denmark’s update to the EU “chat control” plan shifts to “voluntary” scanning, but ex-MEP Patrick Breyer warns it still sidesteps Parliament’s court-order safeguard, would ban under-16s from messaging apps, and could effectively end anonymous communication.

      One of the key fighters for Europeans’ privacy, former MEP Patrick Breyer, wrote last Thursday that Denmark has updated the European Union’s chat control proposal, opting to mandate a voluntary search for sensitive material in private chats, instead of general monitoring.

      Yup. Eternal vigilance still required...

      “Instead of mandating the general monitoring of private chats (“detection orders”), the searches would remain voluntary for providers to implement or not, as is the status quo,” he said.

      Breyer further writes that three major problems remain unsolved: the proposal still does not follow the European Parliament’s position that only courts can decide to access communication channels; it still bans children from downloading messaging apps; and, lastly, anonymous communication is effectively outlawed.

      (More in article at link)

      There's a link in the article to Patrick Breyer's website: Patrick Breyer: 2025-10-30: Half-good new Danish Chat Control proposal [patrick-breyer.de]. He also has a Mastodon presence: https://digitalcourage.social/@echo_pbreyer [digitalcourage.social]. I think what he writes is worth reading.
