A new war on encryption is unfolding across the globe, reviving an older conflict (also known as the crypto wars). After years of technological advances in encryption that have made the Internet safer and our communications private and secure, we are seeing a trend that aims to undo these guarantees.
Draft normative acts proposing an extension of online monitoring to content, instant messages or both are emerging all around the world. A few examples:
- the EARN IT Act, the STOP CSAM Act and the Kids Online Safety Act (KOSA) in the United States of America,
- the Online Safety Bill in the United Kingdom,
- a Regulation proposal that civil society calls ChatControl, in the European Union, and
- the Assistance and Access Act, in Australia.
All these proposals have something in common: they ask companies that provide end-to-end encryption as a service to build backdoors into that technology. So instead of providing more security, the companies are asked to undermine it.
A short overview on existing (draft) acts that undermine encryption
The Assistance and Access Act passed in 2019 in Australia. Initially, it forced companies to hand over user data to the authorities when asked. If the data was encrypted, the companies were then forced to develop means to decrypt it. Amendments were later introduced stating that companies “must not be requested or required to implement or build a systemic weakness or systemic vulnerability”.
The Online Safety Bill was passed by the United Kingdom Parliament in September 2023. Civil society organisations, as well as computer science experts, criticised the draft bill. Three problematic components of the bill were subject to criticism: the generalised scanning of every user’s private messages (the “spy clause”), upload filters for content and online age verification. Large tech companies, like WhatsApp and Signal, threatened to exit the UK market if the law was passed. Before the Online Safety Bill passed, the UK government conceded that it would not use the “spy clause” to force companies to scan all instant messages before they leave a user’s device until it is “technically feasible” to do so.
The EARN IT Act might allow the US to hold companies criminally liable if authorities perceive that companies aren’t doing enough to prevent child sexual abuse material from being created, shared and stored on their platforms. The STOP CSAM Act takes a similar approach, proposing to make it a civil liability for any company, non-profit or individual to facilitate or promote cases of child sexual abuse. Using end-to-end encryption is described, in the STOP CSAM Act, as proof of liability. Finally, KOSA would mandate that companies prevent children from encountering harmful content online, which may compel messaging apps to renounce or weaken encryption in order to comply with the legislation.
None of the three proposed pieces of legislation in the USA have passed yet. There are ongoing campaigns to have these drafts dropped or revised. All three proposals endanger the privacy and security of online communications and of content creation and dissemination.
In the European Union, heated debate is still ongoing both inside the EU institutions and among civil society organisations, on the subject of the Regulation proposal that was nicknamed ChatControl. The mandate to scan all private messages on the devices of users (called client-side scanning) and the mandate to scan online content (before and after it is uploaded) are both part of ChatControl.
Some European Union member states have spoken out against this draft Regulation in the European Council, such as Germany, Poland, the Netherlands, Austria and Sweden. Others are simply withholding support. The proposal has come under additional scrutiny since a recent investigation by the Balkan Investigative Reporting Network exposed that companies offering their technology for child sexual abuse material detection were, in fact, posing as NGOs and trying to push their own unreliable products into the hands of the EU authorities.
From the point of view of security and computer science experts, scanning content or messages protected by end-to-end encryption directly undermines that security. A peer-reviewed paper was published arguing, once more, that client-side scanning cannot be a backdoor that only the authorities have access to. Once end-to-end encryption is bypassed and weakened, attackers can also gain access to this technological backdoor and abuse it.
The lack of confidentiality such a measure entails was made clear, in the case of ChatControl, by the EU governments in the Council themselves: they proposed to exclude the online communication of state authorities from instant message and content scanning, thereby admitting that scanning would violate the right to confidentiality of communication.
Why is it “at your door”?
Weakening the security of online communication, which is the common thread connecting all these pieces of legislation, could put all citizens at risk, including the children that some of these laws claim to protect. And this is a threat to citizens worldwide, as most of the affected companies are located in one of the countries mentioned above.
But this could get much worse, as this would be a de facto standard for all the global Internet.
In the case of the EU accession countries, this new EU Regulation would be a bitter pill that they cannot refuse. Once the decision is taken, the ChatControl Regulation will be presented as a beneficial safeguard for all children. In practice, these countries cannot carry out their own assessments of its proportionality, technical feasibility or human rights protection, let alone understand how it fits into their national institutional framework (hint: look at the role and oversight of intelligence agencies).
Countries where abusive surveillance and monitoring are helping to sustain authoritarian regimes (hint: Russia, Belarus) would demand the same technology (and backdoors, of course) in their own jurisdictions. Once created, the ability to add a backdoor to devices or online platforms and scan all content cannot be contained within the borders of countries that promise to act in good faith. As we can see from the mounting spyware scandals, even when tech companies publicly state that they only sell their products to law enforcement agencies, this does not prevent blatant violations targeting journalists, activists and those in the political opposition.
What to do? Speak up!
There are a number of open letters that are still accepting signatures, and their scope is not limited to certain countries. For example, the NGO letter led by EDRi, already signed by 87 organisations from all over the world, is still open for new signatories as long as the EU decision on ChatControl is not final. The open letter stating the position of scientists and researchers on the EU’s proposed ChatControl has already been signed by 465 signatories from 38 countries.
If possible, you should also try to engage with your local actors so that they understand the importance of the subject and why there are technical limitations to any proposed regulation.
(contribution by ApTI – Romania)