It’s the EU’s turn to admit Chat Control won’t work


Last week, the UK government made a statement in the House of Lords acknowledging that portions of the controversial Online Safety Bill might not even be technically enforceable without breaking end-to-end encryption. This rightly received a lot of attention, as it represented a significant shift in the UK Government’s position.

The law, as drafted, would require tech companies to somehow scan messages for abusive materials. However, as Proton and other privacy advocates have repeatedly explained, there’s no way to do this without destroying end-to-end encryption for everyone. While the Government’s statement fell short of legal changes to the text (something that we still believe to be vital), it did represent an important victory in its admission that there is no such thing as tech that can scan everyone’s online activity while also providing safety and privacy. It therefore brought the UK in line with long-held expert consensus, and any statements to the contrary are a fantasy.

Unfortunately, the European Commission has offered no such public acknowledgement as it continues to push forward its proposal, commonly referred to as Chat Control. Chat Control is ostensibly a measure to fight child sexual abuse, which we can all agree is abhorrent. But rather than focusing on individuals suspected of engaging in these criminal activities, the text assumes that everyone using a specific service is guilty by default — not because they have done something wrong, but because they are using a particular service. 

Fighting crime while protecting privacy

This is a significant departure from judicial measures taken in the offline world. There are many ways to combat crime online without violating the rights of an entire continent. The European Commission’s draft goes even further than the UK’s plans, including provisions that could effectively ban end-to-end encryption for an even wider selection of services, including messengers, email providers, file storage services, and other platforms. 

Like the Online Safety Bill, Chat Control tries to confront the serious problem of illegal content by creating another serious problem: blowing up the right to privacy. 

Lawyers from different European institutions have already said candidly that Chat Control would “lead de facto to a permanent surveillance of all interpersonal communications”, which is illegal in the EU. As the Council and the Parliament consider their position on the European Commission’s proposal over the coming weeks, it’s vital that lawmakers in Brussels and the European capitals now follow legal recommendations and amend the text accordingly.

What they mean by ‘permanent surveillance’

For years, governments around the world have targeted tech companies in the name of national security, fighting terrorism, or protecting children. Whatever the reason, their proposed solutions too often rely on some form of mass surveillance or backdoor to encryption.

It’s the same story with the Online Safety Bill and Chat Control. Each proposal empowers regulators to force companies to break their own encryption by way of client-side scanning — a way of scanning messages before they’re sent to the recipient — or some other hypothetical technology that doesn’t exist in reality. The problem is there’s no way to implement these methods while preserving privacy.

Whenever you break end-to-end encryption on your platform for one person, it breaks it for everyone. Not only does this destroy customers’ trust in your service, it invites hackers to find vulnerabilities and steal as much data as they can. There’s no such thing as a backdoor that only lets the good guys in.

The irony is that breaking encryption on the most popular platforms won’t prevent illegal activities from happening online. Criminals will simply move to other secure, non-cooperative platforms, or run their own encryption software (much of which is open source), to keep on conducting their illegal activities outside of the public eye.

Toward safety and privacy in the EU

Proton has been very clear: We would take legal action should we receive any request to break our encryption. Leaving aside the fact that these requests would very likely be illegal under European law, giving us grounds for legal action, it would be unacceptable for us to undermine our encryption and the safety of all users, businesses, and organizations that count on us, both in the EU and around the world.

But we’re not giving up on the European Parliament and Council doing the right thing. We know from speaking with lawmakers in Brussels that there is a growing opposition to the proposals and an understanding of the dangers the draft legislation presents. 

However, “understanding” is not enough. The Council and the Parliament are currently working on their respective positions, and are expected to adopt them in the coming weeks. It’s vital that they take into account the current scientific and technological state of play, and amend the text by introducing strong safeguards for encryption, end-to-end encryption, and fundamental rights in general.

Europe has set a global privacy standard thanks to the GDPR, and with NIS2 it also has a leading position in cybersecurity and support for encryption. The EU needs to build on this leadership rather than undermine it. It’s perfectly possible to fight crime while upholding privacy and encryption. We must find a balance between protecting society and protecting civil rights. 


Andy Yen

Andy is the founder and CEO of Proton. He is a long-time advocate for privacy rights and has spoken at TED, Web Summit, and the United Nations about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in particle physics from Harvard University.
