Is EU’s Chat Control law undermining online privacy? | Explained

EU’s proposal to thwart child sexual abuse online could potentially create a backdoor for authoritarian governments to snoop on citizens

EU’s proposed Chat Control law has become a bone of contention between members of the bloc. First proposed by the European Commissioner for Home Affairs Ylva Johansson in May 2022 as part of bloc’s push to combat child sexual abuse online, the framework of the bill has now come under fire, earning itself a derisive term “Chat Control”. 

France, Germany and Poland have particularly refused to accept a clause that allows for mass scanning of private messages by breaking end-to-end encryption. Some tech companies, along with trade associations, and privacy experts have all vehemently opposed the regulation. 

On the other hand, Interior Ministers of Spain and Ireland have supported the proposal. Separately, a network of organisations and individuals, advocating for children’s rights in Europe, have lashed out at EU leaders for failing to tackle child sexual abuse online. 

What are the concerns of those against the proposal?

Scanning end-to-end encrypted messages has remained a controversial issue. That’s because there is no way to do this without opening risky backdoors that can be accessed by third parties who can exploit the vulnerability, in turn ending the promise of end-to-end encryption.

Tech firms that treaded the encryption bypassing path have have often been made to retreat. In 2021, Apple announced NeuralHash, a feature that could automatically scan iCloud photo libraries of individual devices for child sexual abuse material, or CSAM. Employees and activist groups expressed concerns over the loss of privacy. A year later, Apple said it had abandoned the initiative. 

Another looming issue the iPhone maker recognised in the process was how authoritarian governments could potentially misuse the feature by using it as a tool to target individuals who oppose the regime.

Erik Neuenschwander, Director of user privacy and child safety at Apple, admitted this in a note saying, “It would […] inject the potential for a slippery slope of unintended consequences. Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types.” 

When brining in a similar clause through the UK’s Online Safety Bill, lawmakers attempted to make way for client-side scanning of private and encrypted messages. The proposal was postponed after receiving pushback from encrypted messaging app owners like WhatsApp and Signal. The duo threatened to leave the UK if such a law was passed. In its final stages, in September, 2023, the House of Lords considered the potential security threat that the clause would bring saying it would not implement scanning until it was “technically feasible.” 

What is the status of EU’s Chat Control law?

On June 30, a new draft of the proposal is set to be be reviewed. Legislators have now left the idea of scanning text messages and audio, and are instead targetting shared photos, videos and URLs with an adjustment to appease the naysayers. 

Another tweak in the making could be people’s consent in sharing material being scanned before being encrypted. But this compromise has been largely called out as a farcical one. A report by Euractiv which has been confirmed by internal documents show that if a user refuses the scanning, they will simply be blocked from sending or receiving images, videos and links hardly leaving them with a choice.

Despite these measures, EU’s enforcement of such regulations have seen exemptions to the rule. In November 2023, the European Commission reportedly published a proposal to amend the regulation on a temporary derogation of the E-Privacy Directive against CSAM. Under the regulation, specific online communications service providers were allowed to sift through or scan messages to detect, report and remove online child sexual abuse material or CSAM and content that solicits children. The regulation is set to expire in early August . The initial plan on the table was to simply extend this regulation for another three years. But, according to media reports, plans for further extensions were stalled in February this year.

Meredith Whittaker, President of Signal app called the measures to assuage concerns as “cosmetic”, and has signed a joint statement along with a group of over 60 other organisations like Mozilla, Proton, Surfshark and Tuta, voicing out her concerns. Whittaker has echoed her earlier warning saying Signal will leave the UK rather than undermine end-to-end encryption. 

A blog, co-authored by Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory and Callum Voge, director of government affairs and advocacy at the Internet Society, notes, ”If government surveillance is a concern in an established democratic entity like the EU, what hope is there for beleaguered democracies like Turkey, India and Brazil, much less autocracies?”