Subscriber OnlyTechnology

EU making ill-judged move towards mass digital surveillance

Step intended to combat child sexual abuse online has been widely condemned as ineffective and in breach of fundamental rights

The proposal from the Belgian EU presidency strips basic privacy rights from all internet users, opens holes in European internet security and creates broader risks while inadequately addressing the problem of child sexual abuse material. Photograph: iStock
The proposal from the Belgian EU presidency strips basic privacy rights from all internet users, opens holes in European internet security and creates broader risks while inadequately addressing the problem of child sexual abuse material. Photograph: iStock

The EU will this week take an unsettling step towards enabling mass digital surveillance. As of today, when a critical vote takes place in Brussels on a proposed regulation for a form of communications surveillance popularly dubbed “chat control”, it is very likely that the content, links and images you send via messaging apps will be open to state surveillance by default.

The result will be “fully automated real-time surveillance of messaging and chats and the end of privacy of digital correspondence”, according to German MEP Patrick Breyer.

He is one of a very broad range of stakeholders fighting against a step that is widely seen as incompatible with guaranteed EU fundamental human rights, EU legislation such as the General Data Protection Regulation (GDPR) and existing European case law.

The “regulation laying down rules to prevent and combat child sexual abuse (2022)” has been controversial since its inception, not for its intended goals but for its flawed means of trying to reach them.

READ MORE

Keeping children safe in the online world of social media platformsOpens in new window ]

There is a clear and unacceptably long-standing need for much better regulatory and societal approaches to tackle the horrors of online child sexual abuse material. But the current proposal from the Belgian EU presidency, unexpectedly rushed to an interior ministers vote and likely to be passed, strips basic, crucial privacy rights from all internet users, opens holes in European internet security and creates broader risks while inadequately addressing the problem of child sexual abuse material.

This is the paper-world equivalent of having the state open and examine all correspondence, check every photo taken and examine every piece of writing or image shared with others

If passed, encryption, a cornerstone of internet security and privacy, will become largely meaningless for communications. Messages, and any images and links contained in them, will be automatically surveilled before being sent. According to the proposals, providers of chat and messaging services will be required to “install and operate technologies to detect, before transmission, the dissemination of known child sexual abuse material or of new child sexual abuse material”.

The proposed regulation would apply even to fully encrypted apps, relied upon by millions of people of all ages worldwide to keep correspondence private and secure, including corporate and government whistleblowers, human rights defenders, politicians, businesses and journalists protecting sources.

At least two of these, Threema and Signal, have indicated they will withdraw their apps from the EU if the vote goes through as proposed. Threema has called the proposals an “unprecedented mass-surveillance apparatus of Orwellian proportions”.

Why the Garda watchdog is now under fire over surveillance on journalists’ phonesOpens in new window ]

European digital rights organisation EDRi has said the proposed regulation is perhaps “the most criticised draft EU law of all time”. EDRi notes that, in a rare critique of a major legislative proposal, the EU Council’s official legal services opinion warned it creates a “serious risk” of generalised monitoring and the gutting of encryption.

The European Parliament’s civil liberties committee says the regulation is disproportionate and fails to demonstrate that the questionable effectiveness of such surveillance methods would warrant such an erosion of human rights guaranteed in articles 7 and 8 of the European Charter of Fundamental Rights.

Last month, 312 scientists, technologists and researchers from 35 countries signed an open letter expressing alarm over the current proposals which, they say, fail to adequately address risks and problems outlined in a previous letter in July 2023.

Meta gets 11 EU complaints over use of personal data to train AI modelsOpens in new window ]

One of their key objections is that little proof has been offered on the effectiveness of the proposed scanning techniques, which they described as “flawed”, not least because they produce many false positives which could translate to millions of people being wrongly suspected of grotesque crimes they have not committed.

The group also notes that, for the proposed detection techniques to be effective, draconian levels of general communications surveillance would become the norm and “completely undermine communications and systems security”.

The letter continues: “Instead of starting a dialogue with academic experts and making data available on detection technologies and their alleged effectiveness, the proposal creates unprecedented capabilities for surveillance and control of internet users. This undermines a secure digital future for our society and can have enormous consequences for democratic processes in Europe and beyond.”

Young people in Europe do not want their communications surveilled, either. EDRi notes that in a large French survey of EU youth, two-thirds of respondents said they used encrypted messaging services and 80 per cent said “they would not feel comfortable and safe being politically active or exploring their sexuality if authorities were able to monitor their digital communications on the basis of finding child abuse material”.

TikTok video revealing access to medical records spurs inquiry into HSE data breachesOpens in new window ]

The European Parliament has also strongly opposed these proposals. And so should all of us.

In a climate of broad and legitimate concern about online abuses, it is far too easy for inept, risky and damaging state surveillance “solutions” to be slipped past a worried general public. Technological surveillance is opaque and presented as benign: yet this is the paper-world equivalent of having the state open and examine all correspondence, check every photo taken and examine every piece of writing or image shared with others.

The regulation will go to final trilogue discussion between the EU Parliament, the council and the commission before approval. That offers one last chance to rein in the insanity of imposing chat control’s sweeping surveillance on us all.