
EU Chat Control plans pose ‘existential catastrophic risk’ to encryption, says Signal
As EU member states prepare to vote on plans to mandate tech companies to introduce technology to scan messages before they are encrypted, Signal warns that Chat Control will create new security risks
European proposals to require technology companies to scan the contents of communications sent through encrypted email and messaging services pose an “existential catastrophic risk”, it was claimed last night.
Encrypted messaging service Signal, which is widely used by governments, businesses and the public to send secure messages, warned that passing the new legislation “negates the very purpose of encryption”.
The European Council is due to vote on Danish proposals on 14 October to mandate email and messaging services to install machine learning and scanning technology on mobile phones and computers to identify and report suspected child abuse images.
European Union (EU) member states are divided on the scheme, dubbed Chat Control, which has been widely criticised by cryptographers and security researchers who claim that mandatory scanning would create security vulnerabilities that could be exploited by hackers and hostile nation states.
Signal’s vice-president for global affairs, Udbhav Tiwari, said that if the proposals became law they would introduce “massive glaring vulnerabilities” into operating systems used on phones and computers.
“Malicious actors will start using this capability to gain access that would simply be unthinkable for them under the current security paradigms of how operating systems have been implemented,” he said.
Under the Danish proposals, technology companies would be required to introduce client-side scanning technologies that use hash functions to identify known abuse images and machine learning algorithms to identify unknown images. One way to enforce it would be to require software companies to introduce scanning capabilities in widely used operating systems, such as Windows, Apple’s macOS and iOS, and Google’s Android.
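The following is an added illustration of the flow described above, not code from Signal, the Danish proposal or any real scanner: content is hashed on the device and matched against a list of known material before it is encrypted, so the scanning component necessarily has access to the plaintext. The denylist, the sample “images”, the session key and the toy cipher are all constructed stand-ins.

```python
"""Minimal model of a client-side scanning pipeline (added example).

Models the ordering the article describes: scan first, encrypt second.
Nothing here is a real detection system; the denylist, the "images" and
the cipher are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass

# Constructed sample content standing in for image files.
KNOWN_IMAGE = b"constructed-known-image-bytes"
OTHER_IMAGE = b"constructed-unrelated-image-bytes"

# A denylist of SHA-256 digests of known material. In the scheme the
# article describes this list would be supplied by a central body; the
# client cannot tell what the digests correspond to.
DENYLIST = {hashlib.sha256(KNOWN_IMAGE).hexdigest()}


@dataclass
class ScanResult:
    flagged: bool
    digest: str


def scan(plaintext: bytes, denylist: set) -> ScanResult:
    """Hash-match the plaintext against the denylist.

    Exact cryptographic hashing only recognises byte-identical files; the
    proposals also rely on machine learning for unknown images, which is
    where the false positives and false negatives discussed in the
    article come from.
    """
    digest = hashlib.sha256(plaintext).hexdigest()
    return ScanResult(flagged=digest in denylist, digest=digest)


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy keystream cipher standing in for the messenger's real
    end-to-end encryption. Illustration only, not for real use.
    Applying it twice with the same key recovers the plaintext."""
    keystream = b""
    counter = 0
    while len(keystream) < len(plaintext):
        keystream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def send(plaintext: bytes, key: bytes, denylist: set, review_queue: list) -> bytes:
    """Client-side scanning sits between the user and the encryption step.

    Returns the ciphertext. Anything the scanner flags is copied, in
    clear, to a review queue (standing in for the reporting path to a
    human reviewer). That plaintext access, present before encryption
    happens, is the part critics quoted in the article object to.
    """
    result = scan(plaintext, denylist)
    if result.flagged:
        review_queue.append((result.digest, plaintext))
    return toy_encrypt(key, plaintext)


if __name__ == "__main__":
    queue = []
    key = b"constructed-session-key"
    send(OTHER_IMAGE, key, DENYLIST, queue)
    send(KNOWN_IMAGE, key, DENYLIST, queue)
    print(f"{len(queue)} item(s) copied in clear to the review path before encryption")
```

The point the model makes is structural rather than cryptographic: the ciphertext leaving the device is unchanged, but a second consumer of the plaintext now exists on the endpoint, and whoever supplies the denylist decides what that consumer reports.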
Security vulnerabilities
Tiwari, speaking in an online discussion, said that law enforcement and intelligence agencies in Europe have pressed for government devices to be exempt from mandatory scanning, to protect the security of government data from the vulnerabilities it would introduce.
“You can imagine, if an intelligence agency wants to make sure that its servers and services don’t have this technology, the CEO of a multibillion-dollar company probably doesn’t want its C suite to be susceptible to the same risks,” he added.
Critics say that Chat Control would be expensive to implement, as it would require EU countries to deploy thousands of law enforcement officers to manually review images identified as suspect by scanning algorithms that are prone to producing false positives and false negatives.
The proposals are likely to face legal challenges if they are enacted, said Asha Allen, secretary general for the Centre for Democracy and Technology Europe.
She said the European Council’s own lawyers had raised reservations about the lawfulness of the proposals.
The European Court of Human Rights, for example, found in the case of Podchasov v Russia that attempts to weaken encryption or create “backdoors” are in breach of privacy rights.
The Chat Control proposals are “inherently disproportionate” as they would “require scanning private messages and content of users who have no allegations or suspicions of wrongdoing against them”, said Allen.
What does Denmark’s compromise agreement say about encryption?
- Publicly available messaging services using end-to-end encryption will be required to detect abuse material before it is transmitted.
- Providers should remain free to offer services using end-to-end encryption, and should not be obliged to decrypt data or create access to end-to-end encrypted data.
- Users of encrypted services will be asked to consent to have images, videos and URLs they send through an end-to-end encrypted service monitored.
- Users who do not consent may be able to send messages that do not include images, videos or URLs using other functions of the messaging service.
- Detection technologies for end-to-end encrypted services will be certified and tested by an EU centre to verify that their use cannot lead to a weakening of the protection provided by encryption.
- The EU Commission will have powers to approve detection technologies.
- Providers of detection services should have human oversight to reduce false positives and false negatives.
- Detection technologies must not “introduce cyber security risks for which it is not possible to take any effective measures to mitigate such risk”.
Source: Draft proposal
The proposals are also likely to breach the General Data Protection Regulation (GDPR), which requires people to give their “informed consent” before their private messages are scanned.
Those that refuse will not have full access to encrypted messaging or email services, in what Allen said amounts to “coercive consent” and a breach of data protection law.
Critics say that Europe may ultimately need to make it unlawful for people to use techniques that could bypass client-side scanning if the measures become law, by, for example, making it illegal to modify operating systems that contain client-side scanning software, and banning the use of virtual private networks.
Tiwari said that criminals and bad actors would find ways to circumvent Chat Control, but that people who want to use encryption for legitimate purposes would lose their privacy.
Top computer and security experts warned in a scientific paper that now-abandoned plans by Apple to introduce client-side scanning in 2021 were unworkable, prone to abuse by criminals, and a threat to safety and security.
EU member states are divided on the Chat Control proposals, with 12 in favour, including France, Denmark and Spain. The Netherlands, Finland and Poland are among six countries opposing. The eight undecided states include Belgium, Germany, Sweden and Greece.