The EU is seen as a danger to privacy. EPA-EFE/IAN LANGSDON


EU ‘chat-control’ plan goes back to drawing board


A controversial bill giving the European Union digital powers including the ability to look into citizens’ private online chats will not now be voted on.

As Belgium’s term as President of the Council of the EU nears its end, the country had tried to push through a final initiative on the child-sex abuse (CSA) regulation.

Under the guise of tackling online abuse of minors, the CSA would have introduced mass surveillance on EU citizens.

Opponents called it “chat-control”, because it would introduce a scan system using Artificial Intelligence (AI) on all private messaging and a de facto override on end-to-end encryption.

That would mean all texts sent via messaging services such as WhatsApp, Signal, Telegram would be open to governments to monitor.

The proposals prompted criticism across the board.

On June 20, the Belgian Presidency appeared to capitulate, saying there was a need for “more negotiations” between the Member States regarding the planned legislation.

The latest effort was a second version of an original plan, which the European Commission said now had been toned down and did not do away with end-to-end encryption but would scan messages before they were sent. Critics said that would effectively bypass encryption.

Privacy organisations, human rights defenders and representatives of the technology sector have been increasingly critical of the proposals.

Meridith Walker, President of major messaging app Signal, said the EU “undermines end-to-end encryption” with its plans.

“There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe.

“We can call it a backdoor, a front door, or ‘upload moderation.’ But whatever we call it, each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation States, removing the protection of unbreakable maths and putting in its place a high-value vulnerability,” she said.

Walker called the bypassing of end-to-end encryption “a disastrous proposition”.

Threema, a Swiss-based messaging app, said “the consequences would be devastating” if the CSA vote passed as was.

“Under the pretext of child protection, EU citizens would no longer be able to communicate in a safe and private manner on the Internet,” a company spokesperson said.

“The European market’s location advantage would suffer a massive hit due to a substantial decrease in data security. And EU professionals, like lawyers, journalists, and physicians, could no longer uphold their duty to confidentiality online.

“All while children wouldn’t be better protected in the least bit. On the contrary, Chat Control could have a negative impact on minors in particular,” Threema concluded.

Matthew Green, a cryptography lecturer at Johns Hopkins University, said on X: “People think chat control is about specific crimes. No, that’s not what’s at stake.

“What’s being made is an architecture decision for how private messaging systems work: if it passes, by law these systems will be wired for mass surveillance. This can be used for any purpose.

“Once you build an architecture where every interpersonal private message goes through a scanning filter, one that reports to the police, the only question in the future is: what software updates do you push to that filter?” Green said.

Greens MEP Patrick Breyer called for EU citizens to contact their government’s representatives and ask them to vote against chat control.

Germany, Luxembourg, the Netherlands, Austria and Poland have said they opposed the law but that is not enough in itself to block it.

In Sweden, opposition has also been mounting in the past few days.

In the last draft that had been proposed by Belgium, scans would be limited to photographs, videos and URLs, and users would have to agree to them. Anyone who did not consent would be unable to post or share photos and videos.

A presidency source told Brussels Signal that the presidency intended to reach a partial mandate at today’s Coreper, but that the required qualified majority would just not be met.”

The presidency therefore decided to “withdraw the item from today’s agenda, and to continue the consultations in a serene atmosphere.”

“This remains a high priority for the Council, and the work will continue to find a position and start the negotiations with the European Parliament. ”

According to the European Court of Human Rights, legislation that increases data retention and erodes encryption is against its rules. In its criticism in February, the court spoke of an “extremely broad duty of retention” and “exceptionally wide-ranging and serious interference”.

It called the statutory obligation to decrypt end-to-end encrypted communications “disproportionate” and said that the legislation was not “necessary in a democratic society”.

At the time, the European Data Protection Supervisor (EDPS) told Brussels Signal it “does not comment court rulings as a matter of fact”.

It did point towards reports where the EDPS had expressed concern and said European legislation proposals “would result in general and indiscriminate monitoring of private communications” and would thus “restrict individuals’ fundamental rights to privacy and personal data”.

The European Commission said the proposal for CSA regulation was technology-neutral and neither incentivised nor discouraged the use of end-to-end encryption.

It said the plans aimed to enhance the protection of minors by imposing extensive new obligations on online companies to “detect, report, block and remove” child sexual abuse material from their platforms.

*this text has been updated with a reaction from a presidency source