A ”potentially catastrophic” cyberattack(nieuw venster) against United States broadband infrastructure has likely given the Chinese government access to swathes of highly sensitive security information, including from systems the federal government uses for court-authorized network surveillance requests.
As terrible as this news is for US national security, it also highlights the problem inherent with all surveillance systems that give governments “backdoor” access to critical data. These systems can be compromised, notably by state-sponsored foreign actors.
This is a lesson the EU would be wise to take to heart. As Hungary is currently assuming the rotating Presidency of the Council of the EU, Hungarian Prime Minister and close friend to Russia(nieuw venster) and China(nieuw venster), Victor Orban, has been pushing hard(nieuw venster) to make EU countries agree on a common position regarding the highly controversial(nieuw venster) “chat control” legislation.
Crucially Hungary, similar to Belgium before it, wants to push for an extremely intrusive and dangerous approach that could ultimately force end-to-end encrypted(nieuw venster) (E2EE) services to create a backdoor for law enforcement. The European Parliament, on the other hand, went in a totally different direction, arguing that the legislation shouldn’t weaken end-to-end encryption(nieuw venster).
What happened in the US?
In an attack that may have lasted “months or longer”, the Chinese hacking group “Salt Typhoon” compromised the networks of key US internet suppliers, including AT&T, Verizon, and Lumen. Salt Typhoon accessed the federal government-mandated surveillance systems that allow internet providers to intercept domestic electronic information related to criminal and national security investigations. It’s unclear if systems for monitoring foreign intelligence were also compromised.
Authorities investigating the incident are looking into whether Salt Typhoon gained access to US internet infrastructure through Cisco Systems routers(nieuw venster), which are responsible for routing a large percentage of all internet traffic. However, no such link has been confirmed, and while Cisco is investigating the matter, they claim to have found no indication their routers are involved.
What is chat control?
The EU’s chat control legislation, formally called the “Regulation to Prevent and Combat Child Sexual Abuse,” aims to address the growing problem of child sexual abuse material (CSAM) online. Introduced in 2022, it opens the door for mandatory scanning of digital communications, including images, videos, and links, on platforms like messaging apps and email services.
Proponents, including EU officials and child protection advocates, argue that this regulation is necessary to protect children from online exploitation and highlight the difficulty law enforcement faces in accessing encrypted messages used by perpetrators. The proposed law focuses solely on fighting against the “content”, and aims to catch and prevent CSAM from spreading using technology-based mechanisms.
One of the more controversial aspects that arose during the legislative process is the Commission and EU governments’ push for client-side scanning, where messages would be scanned for illegal content before being encrypted. This would potentially allow law enforcement to view not only the content you share(nieuw venster), but also the content you simply save on your device.
The legislation faces strong opposition(nieuw venster) from privacy advocates, academics, digital rights groups, and privacy-focused tech companies, including Proton(nieuw venster). While we fully support measures that help safeguard children, this legislation is not the answer. It would effectively create a new method for mass surveillance, requiring service providers to scan all digital communications indiscriminately. Even worse, such surveillance would do very little, if anything, to catch the perpetrators or help the victims of such despicable acts.
Chat control and end-to-end encryption
A particular point of contention has been E2EE, where only the sender and their intended recipient can access communications between them.
While the European Parliament understands the importance of E2EE in safeguarding citizens’ (including children) privacy while ensuring a high level of cybersecurity, EU Member States see it differently. Despite the ineffectiveness of such measures at protecting the real victims, most EU governments(nieuw venster) are more than happy to use the fight against CSAM as an excuse to require online services to develop systems that allow law enforcement access to all encrypted communications.
Lessons to be learned
There is no such thing as end-to-end encryption with a “backdoor” that only lets the good guys in. Even assuming that governments would not extend the scanning of encrypted communications to any sort of minor criminal offense in the future, implementing a backdoor amounts to creating a weakness that compromises the entire system. And the Salt Typhoon attack on the United States surveillance systems clearly demonstrates that if “authorized personnel” can access a backdoor, so can hackers.
This includes state-sponsored hackers, and it may be no coincidence that Victor Orban, an authoritarian leader who overtly supports and admires other authoritarian leaders such as Vladimir Putin and Xi Jinping, is so keen to introduce weakness into the encryption standards that keep us all safe.
