TLDR
- The EU Commission has revised its Chat Control law proposal, now seeking to mandate “upload moderation” for encrypted messaging apps to detect CSAM before messages are transmitted.
- Signal President Meredith Whittaker argues that “upload moderation” is simply a rebranding of client-side scanning, which fundamentally undermines end-to-end encryption (E2EE) by creating vulnerabilities that can be exploited by hackers and hostile nation states.
- The revised proposal would require users of E2EE messaging apps to consent to scanning to detect CSAM, and those who do not consent would be prevented from sending visual content or URLs.
- Despite the EU Parliament initially voting to exclude E2EE apps from mass surveillance orders in the Chat Control legislation, some European countries continue to push for weakening chat encryption.
- Whittaker emphasizes that mandating mass scanning of private communications fundamentally undermines encryption, regardless of the terminology used, and calls on lawmakers to stop playing “rhetorical games” with such a serious topic.
In a scathing blog post on Monday, Signal President Meredith Whittaker slammed the European Union’s latest proposal to combat child sexual abuse material (CSAM) online, arguing that the revised Chat Control law is nothing more than a thinly veiled attempt to undermine end-to-end encryption (E2EE) through “rhetorical games.”
The EU Commission first proposed the Chat Control law in mid-2022. That proposal would have forced messaging apps to create a backdoor to E2EE messages to detect CSAM.
While the EU Parliament initially voted against mass screening of encrypted communications, a revised draft of the law now seeks to mandate “upload moderation” as an alternative method of mass scanning.
Whittaker argues that “upload moderation” is simply a rebranding of client-side scanning, a controversial technology that security and privacy experts say is incompatible with strong encryption.
The revised proposal would require users of E2EE messaging apps to consent to scanning to detect CSAM, and those who do not consent would be prevented from sending visual content or URLs, effectively downgrading their messaging experience.
“Mandating mass scanning of private communications fundamentally undermines encryption. Full stop,” Whittaker emphasized. “Whether this happens via tampering with, for instance, an encryption algorithm’s random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they’re encrypted.”
Whittaker stressed that regardless of the terminology used, any approach that creates a vulnerability in E2EE can be exploited by hackers and hostile nation states, removing the protection of unbreakable math and replacing it with a high-value target for attack.
The Signal president’s criticism comes as European police chiefs and some EU member states continue to push for “technical solutions” to ensure “lawful access” to encrypted data, despite warnings from privacy advocates and the EU’s own data protection supervisor that such measures pose a direct threat to democratic values in a free and open society.
Whittaker praised the EU Parliament for initially voting to exclude E2EE apps from mass surveillance orders in the Chat Control legislation, responding to the longstanding expert consensus that subjecting everyone’s private communications to mass scanning against a government-curated database or AI model of “acceptable” speech and content poses serious dangers.
However, she noted that some European countries have continued to play “rhetorical games,” rebranding client-side scanning as “upload moderation” in an attempt to convince non-experts that the risks of the previous plan to undermine E2EE are not present in the new proposal.
Whittaker called on lawmakers to stop playing word games with such a serious topic, emphasizing that the stakes are too high to engage in “embarrassing branding exercises” that do not sway the expert community.
“Either end-to-end encryption protects everyone, and enshrines security and privacy, or it’s broken for everyone,” Whittaker said. “And breaking end-to-end encryption, particularly at such a geopolitically volatile time, is a disastrous proposition.”
As the EU continues to debate the Chat Control law, privacy advocates and security experts remain steadfast in their opposition to any measures that would undermine the integrity of E2EE.