The EU is once again trying to regulate away the idea of end-to-end encryption in messaging systems. This time, they’re doing it under the cover of protecting children against sexual abuse. The reality is that it’s another opportunity to destroy the very idea of encryption in private communications.
Here’s the statement we’ve signed, with dozens of other parties in the internet infrastructure, domain, and hosting spaces.
Child sexual abuse is a serious crime that must be addressed by Member states and by other countries around the world. We are concerned, though, that the approach taken by the Commission in this proposed Regulation would have devastating impacts on the security of communications and on user privacy.
The Commission’s legislation would enable Member States to compel online platforms, including those offering end-to-end encrypted messaging, to scan users’ content and metadata for CSA images and for “grooming” conversations and behavior, and where appropriate, report them to public authorities and delete them from their platforms. Such a requirement is fundamentally incompatible with end-to-end encrypted messaging because platforms that offer such service cannot access communications content. This has been confirmed by experts around the world who produced an analysis of how any form of scanning breaks end-to-end encrypted systems in addition to a detailed report on the multiple ways in which client-side scanning, in particular, “can fail, can be evaded, and can be abused.”
Instead of mandating measures that are inconsistent with end-to-end encryption and would diminish the security of everyone, regulators should incentivize measures that address CSA and protect communications security. Among these measures are facilitating user reporting of CSA material.
To be clear, those who have signed the letter are not opposed to steps to make children safe from sexual exploitation; we just disagree that forcing the destruction of one of the things that keeps the internet running smoothly – the encryption of private data – is a way to effectively do it.
We urge the European Commission to rethink this approach.