The Global Encryption Coalition’s Steering Committee (GEC-SC)[1] is alarmed by the latest proposal for a compromise presented by the Belgian Presidency of the Council of the European Union to advance the negotiations on the ‘Regulation laying down rules to prevent and combat child sexual abuse’ (EU CSAM).
We are particularly concerned about:
- The restrictive language used in the new proposal implies that service providers offering encrypted services could still be compelled to undermine or circumvent end-to-end encryption using methods like client-side scanning (CSS).
- The new wording introduced in Recital 26 narrows the definition and understanding of end-to-end encryption “as data in transit protected by means of encryption”, which subjects stored data to little protection and subsequent CSS.
The GEC-SC takes note of the Presidency’s efforts to unblock the negotiations by introducing new provisions aimed at protecting cyber security and encrypted data. However, the latest text maintains end-to-end encrypted services within the scope of detection orders and introduces restrictive interpretations of general concepts that are troublesome. We also take note of news released on 16 April indicating that under the Presidency’s new proposal, messaging services encrypted end-to-end would be deemed “high risk” and thus subject to detection orders that would require providers to scan all messages on their encrypted service.
The latest proposal also modifies the language previously agreed under the Spanish Presidency[2] in Article 1(5) setting out the scope of the Regulation. Article 1(5) now states that “This Regulation shall not create any obligation that would require a provider of hosting services or a provider of interpersonal communications services to decrypt or create access to end-to-end encrypted data, or that would prevent the provision of end-to-end encrypted services.”
The Belgian Presidency attempts to address the concerns regarding the necessity of protecting encryption by explicitly stating that the Regulation does not oblige providers to break encryption or create backdoors. However, the restrictive language it uses implies that providers could still be compelled by the regulation to undermine or circumvent end-to-end encrypted mechanisms using alternative methods, such as deploying client-side scanning (CSS). Client-side scanning is fundamentally inconsistent with the promise and purpose of end-to-end encryption, which is that only the user and the intended recipients can access the contents of a communication encrypted end-to-end.
This concern is heightened by the proposed new wording inserted in Recital 26 that narrowly defines end-to-end encryption technology “as data in transit protected by the means of encryption”. This appears to be an attempt to remove stored data from the scope of E2EE services, leaving it unprotected by the prohibition against breaking encryption so that it can be subjected to client-side scanning. However, as acknowledged by the European Data Protection Supervisor and the European Data Protection Board in their Joint Opinion 4/2022, CSS inherently undermines cybersecurity, and the mitigation measures for which Recital 26 calls cannot effectively address the risk posed by access to data for purposes such as scanning.
The GEC-SC reiterates its long-standing position on CSS and recalls the latest landmark case of the European Court of Human Rights, Podchasov v. Russia. The ECtHR categorically confirmed that solutions that weaken encryption or create backdoors to facilitate access by law enforcement authorities to encrypted communication data violate the right to private life of all users under Article 8 of the European Convention on Human Rights (ECHR).
The Court took a strong stance in favour of encryption by recognizing not only measures that break encryption, but also any measures that weaken the effectiveness and intended purpose of encryption. The Court took into consideration a number of sources from international bodies, including the Office of the United Nations High Commissioner for Human Rights and the Council of Europe, which state that techniques that weaken or circumvent security measures, or exploit their existing weaknesses, should be strictly prohibited just as much as mandated encryption backdoors.
We call on the Member States to reject the Belgian Presidency’s proposal and to hew to the language adopted by the European Parliament which would exclude from the scope of this regulation any data to which end-to-end encryption is, has been or will be applied.
1. The Global Encryption Coalition promotes and defends encryption in key countries and multilateral fora where it is under threat. It also supports efforts by companies to offer encrypted services to their users. The Coalition has over 400 members across the world, including civil society organizations, companies, and technical experts. The Global Encryption Coalition’s Steering Committee consists of the Center for Democracy & Technology, Global Partners Digital, the Internet Freedom Foundation, the Internet Society, and Mozilla Corporation.
2. Article 1(5) agreed under the Spanish Presidency: “This Regulation shall not prohibit, make impossible, weaken, circumvent or otherwise undermine cybersecurity measures, in particular encryption, including end-to-end encryption, implemented by the relevant information society services or by the users. This Regulation shall not create any obligation to decrypt data.”