A vote by European Union (EU) countries on considering proposed legislation to tackle online child sexual abuse material (CSAM) has now been delayed after the move came under heavy criticism from tech companies and digital rights groups alike.
Members of the European Council were originally expected to take a decision on Thursday, June 20, about jointly supporting a 2022 draft amendment that would require instant messaging apps such as WhatsApp and Signal to mandatorily scan users’ photos and links before they were sent.
However, even a small step towards making the proposal into law has been staunchly opposed by various stakeholders who believe that it threatens end-to-end encryption (E2EE) and undermines the privacy of individuals. As a result, many EU countries like Germany, Poland, Austria, the Czech Republic, and the Netherlands were expected to oppose or abstain from voting, Politico reported.
Although the vote was removed from the Council’s agenda on Thursday, Belgium and other EU member States have been pushing for stronger measures to detect and remove child sexual abuse material that’s being circulated online.
What does the proposed legislation say?
Dubbed as the ‘Chat Control law’, the latest version of the draft legislation requires online interpersonal communication services to implement “upload moderation”.
“In order to implement this Regulation, providers of interpersonal communications services shall install and operate technologies to detect, prior to transmission, the dissemination of known child sexual abuse material or of new child sexual abuse material,” the proposal reads.
According to the draft, messaging apps are required to scan “images and the visual components of videos and URLs” while the detection of audio communication and text are excluded. Furthermore, it requires such apps to obtain the explicit consent of users before scanning their private communications as part of the terms and conditions of use.
“Users not giving their consent should still be able to use that part of the service that does not involve the sending of visual content and URLs,” the draft reads. Notably, the accounts that are used by the State for national security purposes, maintaining law and order or military purposes will not be subjected to the scanning mechanism.
What are the key arguments against the proposal?
While the draft legislation looks to prevent the spread of online child sexual abuse, encrypted messaging platforms and privacy advocates have strongly resisted attempts to finalise the proposal into law. They have argued that requiring providers to scan users’ content for CSAM effectively breaks end-to-end encryption.
“For decades, experts have been clear: there is no way to both preserve the integrity of end-to-end encryption and expose encrypted contents to surveillance. But proposals to do just this emerge repeatedly — old wine endlessly repackaged in new bottles, aided by expensive consultancies that care more about marketing than the very serious stakes of these issues,” read a statement from Meredith Whittaker, the president of Signal which is considered to be one of the most secure encrypted messaging apps.
“So let’s be very clear, again: mandating mass scanning of private communications fundamentally undermines encryption. Full stop. Whether this happens via tampering with, for instance, an encryption algorithm’s random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they’re encrypted,” she added.
With E2EE, messaging providers themselves cannot access the contents of messages sent by users. However, many believe that the EU’s proposal could lead to tech companies collecting large amounts of personal user data. Governments could potentially force the messaging platforms to monitor and censor political content, thus stifling free speech and dissent.
Experts argue that decrypting the contents of messages sent by users could make them more vulnerable to hacks and data leaks. Additionally, photos and videos exchanged over messaging apps could get wrongfully flagged as CSAM. For instance, German publication Der reported that among the thousands of reports of child sexual abuse material reported to the authorities, many of them were false positives. The move could also eventually lead to apps like Signal pulling out of the EU, making their services no longer accessible in the region.
Weakened encryption in the EU could even have implications in countries like India. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, has a traceability provision which requires significant social media intermediaries to locate the “first originator” of a message.
Though WhatsApp has challenged the IT Rules before the Delhi High Court, an EU law forcing it to break its E2EE protocol could bolster arguments for similar compliance in India.