Voices say the 'chat control proposal' that monitors private messages in the name of child protection should be abolished immediately



On June 19, 2024 local time, the European Commission will vote on

a proposed child sexual abuse law (also known as chat control), which would allow for widespread monitoring of communications. Many have pointed out that the proposed law, which is being pushed forward in the name of combating sexual violence against children, violates the fundamental right to privacy.

Chat control: incompatible with fundamental rights - GFF – Gesellschaft für Freiheitsrechte eV
https://freiheitsrechte.org/en/themen/digital-grundrechte/chatcontrol

'Encryption is deeply threatening to power': Meredith Whittaker of messaging app Signal | Chat and messaging apps | The Guardian
https://www.theguardian.com/technology/article/2024/jun/18/encryption-is-deeply-threatening-to-power-meredith-whittaker-of-messaging-app-signal

The Chat Control proposal is a framework that the EU is promoting to regulate child sexual abuse, and in particular calls for full cooperation from telecommunications providers to establish mechanisms for scanning for child sexual abuse content (CSAM).

However, due to the risk that the security of communications may be threatened, the bill has been strongly criticized by experts who place importance on privacy protection, and privacy-focused messaging apps such as Signal have suggested leaving the EU after the bill is enacted.

EU's 'chat regulation law' that scans private emails and images is on the verge of being passed, messaging app 'Signal' hints at EU withdrawal - GIGAZINE



The German NGO Gesellschaft für Freiheitsrechte eV (Gesellschaft für Freiheitsrechte eV) said it was 'convinced that the chat control bill violates the Charter of Fundamental Rights of the European Union' and raised five points of opposition to the bill.

◆1: Proposed chat controls violate privacy rights
The Commission's proposal lays out a range of obligations for certain online services, such as internet access providers, app stores and interpersonal communication services, such as email services like Gmail and instant messaging services like WhatsApp.

'Chat control' is sometimes used to refer to the EU Commission's entire proposed regulation, but in a narrower sense it refers to a part of the draft regulation that 'may require communications service providers to monitor private communications.'

Such surveillance significantly limits the right to privacy under Article 7 of the Charter of Fundamental Rights of the European Union and the right to the protection of personal data under Article 8. The targets of surveillance are not limited to persons suspected of committing a crime, and include monitoring of the content of messages as well as 'metadata' - who communicated with whom and when.

Moreover, according to the proposed rule, if authorities identify, for example, a 'significant risk that a messaging app is being used to spread CSAM,' they could order service providers to proactively monitor all communications of all users, not just those suspected of spreading the virus -- a form of unjustified mass surveillance.

Another problem is that the proposed regulations would even target messaging services that use end-to-end encryption, which means that only the sender and receiver of a message can read the message. If a messaging service that does not have a backdoor receives a disclosure order, it would not be able to carry out the order and would be in violation of the law.

◆2: Threats to freedom of communication
The European Court of Justice has already warned several times that indiscriminate mass surveillance has an indirect and negative impact on the freedom of expression enshrined in Article 11 of the Charter of Fundamental Rights of the European Union. This particularly affects journalists, whistleblowers, opposition activists and other people with professional secrecy who communicate with their sources. If end-to-end encrypted messaging services were to install some kind of backdoor to comply with regulations, this could have a chilling effect on these people and risk inhibiting the exercise of the fundamental right to freedom of expression and information.



◆3: De facto filtering obligations for hosting providers that do not have protective measures
The proposed chat control stipulates that all service providers must first conduct their own risk analysis on whether their services are at risk of being exploited for child sexual violence. The scope is large, including platforms such as YouTube where users make content public, private accounts on X (formerly Twitter) that are only open to a limited audience, and completely private cloud storage such as Dropbox. If the authorities believe that the service provider has not taken sufficient measures based on the results of this risk analysis, they will issue a detection order.

Messenger and email service providers are subject to the EU

ePrivacy Directive , which prohibits them from monitoring users' private communications in principle. However, the ePrivacy Directive will be replaced by the Chat Control proposal, which will allow them to monitor communications only in exceptional cases if a detection order is issued.

However, the ePrivacy Directive does not apply to hosting providers, such as cloud storage providers, who may attempt to circumvent the EU detection mandate by “voluntarily” filtering user content.

However, when these service providers implement their own filtering mechanisms, the system itself may become ignorant of user rights, many of which may be fundamental rights. There is no public oversight of such actions, which may result in innocent users being inadvertently locked out of their accounts or falsely reported to law enforcement authorities.

◆ 4: Mandatory website blocking requires monitoring of Internet users
The proposed chat control bill imposes a blocking obligation on internet access providers for individual websites. This measure allows authorities to request information about users from internet access providers, but in order to comply with this, internet access providers would have to comprehensively monitor users' information. However, such monitoring violates the fundamental right to privacy in general. Moreover, if the URL uses the HTTPS protocol, it is impossible to collect information.

In a worst-case scenario, internet access providers could use DNS blocking to block access to entire domains, thereby risking undermining users' freedom of expression and information, or they could implement more targeted blocking in an attempt to monitor user behavior, sacrificing the security of SSL communications in the process.

◆5: Age verification puts freedom of communication at risk
The Chat Control proposal would require providers of messaging and email services that may be used to distribute child sexual abuse material or solicit children (so-called 'grooming') to verify the age of users.

Service providers can choose between biometric or certificate authentication, but both procedures are very personal to the user and essentially ban anonymous internet use. There are also AI-based facial analysis, but this is often outsourced by service providers to external companies, and users have little control over how this type of personal data is handled. If the technology gets it wrong, young-looking adults could even be banned from the app. People who do not have identification documents or do not want to give their biometric information to companies are excluded from important communication technologies. This is especially unreasonable for people who, for good reason, value anonymous internet use (whistleblowers, stalked victims, politically persecuted people).

This is what the Civil Rights Association claims.



Threema, a messaging service operating in the EU, has stated that its service will be subject to the proposed chat control, and has strongly criticized the proposed regulation, arguing that it will inevitably violate human rights through surveillance. Threema has stated that if the proposed chat control is enacted, it will no longer be able to provide its services in the EU.

Meredith Whitaker, chairman of Signal, which has long been a strong opponent of Brexit, said, 'Surveillance has been considered a 'disease' since the beginning of the Internet, and encryption is a serious threat to the powers that be.' He argued that unless we continue to advocate for privacy protection, we will face an increasingly dark future.

Continued
A vote on the 'chat control proposal' that would force all emails to be scanned for child pornography has been removed from the agenda - GIGAZINE

in Posted by log1p_kr