On Thursday October 26th, MEPs in the European Parliament held press conferences outlining the compromises reached within the EU Parliament negotiators on the controversial Chat Control proposal. The original legal draft, published by the European Commission last year, represented a dangerous attack on privacy and security in Europe. Since then many figures from the world of tech, politics, and civil society, including Proton, have been campaigning hard for changes to the legislation.
Thankfully it appears that progress is being made in the fight to preserve privacy. According to MEPs, Parliamentarians have agreed to remove the clauses that would give law enforcement the power to demand end-to-end encrypted platforms hand over users messages, emails, and files as part of criminal investigations.
If public statements are to be believed and the Parliament has taken as strong a position as is claimed, it’s going to be vital that MEPs stand firm and don’t allow the European Council and Commission to water down the rights of law-abiding Europeans in the negotiations to come.
What’s been reportedly agreed?
Under the new proposals, law enforcement would only be able to make detection orders against groups or individuals suspected of child sexual abuse and those detection orders could only apply to platforms that are not end-to-end encrypted. Client-side scanning would crucially not be part of the potential measures that can be put in place. We already explained why mandating client-side scanning to encrypted services would have been a disaster for privacy(new window).
In other words, European citizens would no longer be presumed guilty simply for using an encrypted messaging, email, or storage service. Furthermore, companies wouldn’t be forced to break their own encryption and European cyber security won’t be unnecessarily diminished. Numerous additional positive changes were also made to other provisions of the text, guaranteeing a better protection of privacy and fundamental rights, while making sure that children are safer online.
Why is this vitally important?
The original proposal opened the door to a new mass surveillance regime that would require companies to scan everyone’s digital communication at all times. It would also force encrypted services like Proton to break their end-to-end encryption to scan user messages and files.
There were many unintended consequences of this well-meaning but seriously flawed proposal. It would completely undermine personal privacy, something that millions have fought for over the decades. Since there’s no such thing as a backdoor to encryption that only lets the good guys in, it would also decimate the continent’s cybersecurity and thus put individuals and companies at risk. At a time when cyber crime is exploding and Europe is increasingly becoming the center of a cyber war prompted by Russia’s invasion of Ukraine, it makes no sense to weaken the EUs cyber defenses.
Moreover, the campaign in favor of Chat Control is largely orchestrated and financed by a network of organizations with close ties to US law enforcement and technology firms that would financially benefit. If the EU passes the proposals and mandates the scanning of all encrypted communications, the primary beneficiaries will be these US companies which sell these scanning tools. In other words, not only are foreign interests trying to undermine European privacy rights, but they are trying to get Europeans to pay for it. Such a scenario would be a disaster for privacy in Europe and would seriously harm European digital sovereignty.
We’ve previously discussed this in more detail here: https://proton.me/blog/eu-chat-control(new window)
Is Europe becoming the global leader?
This announcement from the European Parliament appears to show that once again Europe is taking a more progressive stance on tech regulation. GDPR put Europe at the forefront of privacy regulation. The Digital Markets Act represented the world’s most forward-thinking and comprehensive approach to improving competition in the tech sector. And now, the European Parliament is trying to set Europe apart from the UK and elsewhere on encryption.
Just this week the UK passed the Online Safety Act(new window) which included exactly the sort of provisions that the European Parliament is trying to remove. The UK Government had previously admitted that it’s “technically unfeasible” to undermine encryption and preserve privacy. Despite this acknowledgment, they passed the law anyway without changing the legal text. MEPs now appear to be trying to do better, recognizing technical impossibilities and removing ambiguity from legislation.
Next Steps for Europe
But the devil is in the detail. The set of compromise amendments has not been published yet. But, based on what’s been seen and heard so far, this sounds like a very positive step. A Parliamentary vote is expected on November 13th which will hopefully endorse the compromises reached between negotiators yesterday. But until then, the news coming out of Brussels appears positive.
We’re also still waiting to hear what the European Council’s (the representatives of the EU Member States) position will be. Rumour has it that the Council’s conclusion will be closer to the original anti-encryption version of the law. But the fact that the Parliament has reportedly made such a strong stance gives hope that we may yet see a version of this law enacted that finds a sensible balance between giving law enforcement the tools they need to fight crime and giving law-abiding citizens the right to operate and communicate privately online.
The people of Europe needed its politicians and leaders to make a stand for them, for their privacy, for their security, and for their rights. It now appears that MEPs have done just that. We eagerly await the official text. But if the drafts are as great an improvement as MEPs have made them out to be, it’s vital that Parliament holds its ground as negotiations between the Parliament, Council, and Commission begin in the coming months.