Reporters Without Borders (RSF) is alarmed by draft EU regulation on suspicionless surveillance of confidential communications. The European Commission on Wednesday (11.05.) published a draft regulation of platforms and chat messaging service providers to combat the sexual abuse of children and the dissemination of relevant images and video material.
The EU Commission is proposing drastic measures in this regard: Messenger applications are to be required to automatically scan all communications for depictions of abuse and suspicious message texts. The draft also does not exclude encrypted messengers from its scope, thus attacking the basis of confidential communication in the daily work of journalists. Federal Minister of the Interior Nancy Faeser (SPD) expressly welcomed the draft immediately after it was presented.
"Requiring confidential message content on devices to be scanned is tantamount to banning confidential communications. The proposal disregards numerous fundamental rights and is fundamentally contrary to the EU Commission's stated goal of protecting media professionals more effectively," said RSF CEO Christian Mihr.
For journalists who need to protect their sources, encrypted messaging services are indispensable tools in everyday digital life. Especially in autocratic states, they grant independent media professionals and their sources essential protection from surveillance and persecution. RSF therefore calls for promoting encrypted communications in the EU and globally, rather than endangering them through such surveillance coercion.
Contrary to concerns already expressed by many civil society actors during the consultation phase, the Commission maintained the obligation to systematically monitor content exchanged through messaging applications. The responsible EU Commissioner Ylva Johansson emphasized in recent months that perpetrators would hide behind end-to-end encryption. Contradiction to this statement came most recently from the Child Protection League, among others; the majority of such depictions are "shared via platforms and forums". Even abuse depictions known to the police often remain available there for a long time, as a Panorama 2021 investigation revealed. Investigators would focus on finding perpetrators, according to their own statements.
Unrealistic demand – unless you want mass surveillance
In presenting the text, Johansson made a point of noting that the draft was not formulated against encryption of data, but "to fight child pornography content online more effectively". Only content in dispute would be monitored and reported by service providers. However, this is an impossible undertaking unless all content is systematically scanned and, if necessary, humanly verified. The already existing error rates of corresponding filter technologies are also growing with the additional requirement that previously unknown depictions of abuse should also be detected.
End-to-end encrypted messengers are based on the principle of "enforced trust": even the services that provide these messengers cannot decrypt the content of a conversation. Only the sender and the receiver, the two "ends" of the conversation, can read the content of the messages. If the content is accessible to a third party at a single point in time, security is irretrievably compromised.
The commission must realize that it is asking platforms to open a technically undefined "backdoor," or hidden access to software that allows it to interfere with the service it provides without worrying about the consequences for source protection and the confidentiality of journalistic work.
In 2020, the Forum for Information and Democracy Expert Group, initiated by RSF, published a report with 250 proposals to states and platforms to ensure democratic regulation of digital spaces in dealing with disinformation and illegal content. The report recalled the importance of encryption for communications: "It is important to note that creating vulnerabilities or limitations in encryption is problematic and inconsistent with human rights standards," and recommended that under no circumstances should the use of systems that compromise end-to-end encryption be mandated.