Chat Control: The EU Going Dark
David Schmid

The recent push by EU authorities to implement measures like the "Chat Control" proposal, which undermines end-to-end encryption (E2EE), is a troubling development that threatens to weaken digital security on a large scale and erode trust in technology. This move also contradicts the landmark ruling by the European Court of Human Rights (ECHR) in the "Podchasov vs. Russia" case, which emphasized the importance of strong encryption. Instead, a balanced approach to crime prevention that preserves robust encryption should be adopted, as outlined in this article.

End-to-end encryption (E2EE) ensures that only the sender and recipient can read the content of a message, keeping it protected from everyone else, including service providers and potential intruders.

This level of privacy is crucial not just for individual security, but for the broader fabric of a free and democratic society. It empowers individuals to express themselves freely without fear of surveillance or reprisal. It safeguards activists and journalists, providing them a shield against authoritarian attempts to silence or punish them for their political views.

However, it is important to acknowledge that E2EE can also be exploited by criminal organizations to conceal their activities. This poses a significant challenge for law enforcement agencies tasked with maintaining public safety while respecting privacy rights.

In a democratic society, there's a delicate balance between two essential needs: the need for security engineering to safeguard democratic freedoms and the need for law enforcement to actively prosecute criminal activities.

The recent landmark ruling by the European Court of Human Rights (ECHR) in the "Podchasov v. Russia" case has rekindled the debate over encryption backdoors. This case underscored the tension between privacy rights and state surveillance needs, ruling against the forced implementation of encryption backdoors.

Despite the clear privacy benefits of E2EE, EU authorities are pressing forward with plans to address the challenges posed by encrypted communications with the so-called "Chat Control" proposal. This approach raises concerns about their commitment to upholding landmark rulings by the ECHR. It appears that EU officials might regard these rulings as pertinent only in cases involving other nations, like Russia, rather than applying the same standards to their own policies.

This inconsistency suggests a troubling double standard where the privacy rights upheld in ECHR decisions are acknowledged selectively, potentially undermining the principles of privacy and freedom within the EU itself.

This is a dangerous development.

A recently published scoping paper by the High-Level Expert Group on access to data for effective law enforcement underscores the increasing desire among EU officials to weaken E2EE. Their clear intention is to find ways to counter the so-called "going dark" problem, where robust encryption prevents law enforcement from accessing digital communications.

The Belgian Federal Police has taken a particularly assertive stance. In a presentation, they outlined a proposal for real-time access to communications under which Over-the-Top (OTT) platforms would be legally compelled to allow government agencies to intercept communications.

The Belgian approach suggests that rather than investing in costly and potentially unreliable hacking tools, it would be more efficient to mandate OTT platforms to offer a built-in interception capability. This approach, they argue, would avoid the pitfalls associated with state-developed malware (often referred to as "legal interception tools" rather than "hacking tools" to avoid negative connotations).

Yet, this concept faces a significant hurdle: service providers themselves do not have access to the encrypted content under E2EE. Messages are encrypted on the sender's device and only decrypted on the recipient's device, leaving the provider with no means to access the plain text. Consequently, authorities would need some form of "master key" to decrypt communications, effectively dismantling E2EE.

The Technical Committee Cyber of the European Telecommunications Standards Institute (ETSI) is actively exploring methods to bypass this encryption. One proposed solution involves the creation of a "trusted authenticated party" that would hold a universal decryption key. This entity could theoretically decrypt any communication, circumventing the secure design of E2EE.
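
To make the difference concrete, here is an added sketch (not code from this article, ETSI or any messenger) of the envelope a provider relays under E2EE and under the "trusted party" variant, where the per-message key is wrapped a second time to one escrow key. The toy Diffie-Hellman group, the hash-based cipher and all function names are assumptions chosen so it runs with the Python standard library alone.

```python
import hashlib, hmac, secrets

# Toy group for illustration only (assumption of this example): real
# messengers use X25519 and an AEAD cipher, not this construction.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    secret = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hashlib.sha256(secret).digest()

def _stream(key, data):
    # SHA-256 in counter mode as keystream; each key here is used once.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + b"enc" + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    ct = _stream(key, plaintext)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(key, ct, hashlib.sha256).digest()
    return _stream(key, ct) if hmac.compare_digest(tag, good) else None

def send(recipient_pub, plaintext, escrow_pub=None):
    """What the provider relays: it holds none of the private keys."""
    msg_key = secrets.token_bytes(32)
    eph_priv, eph_pub = keypair()
    env = {"eph": eph_pub,
           "wrapped": seal(shared_key(eph_priv, recipient_pub), msg_key),
           "body": seal(msg_key, plaintext)}
    if escrow_pub is not None:  # "trusted party" variant: second key wrap
        env["escrow"] = seal(shared_key(eph_priv, escrow_pub), msg_key)
    return env

def receive(priv, env, field="wrapped"):
    if field not in env:
        return None
    msg_key = unseal(shared_key(priv, env["eph"]), env[field])
    return None if msg_key is None else unseal(msg_key, env["body"])
```

With the escrow field present, the single escrow private key opens every envelope for every recipient, so protecting all conversations reduces to protecting that one key.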

I would like to underscore several major concerns with this approach:

Don’t get me wrong - the points discussed highlight the implications of weakening E2EE. This perspective does not oppose efforts to combat crimes like terrorism, cybercrime, child abuse or threats against national security, which often involve the digital space. On the contrary, significant efforts should be made to address these issues.

However, I believe that weakening protective encryption mechanisms is not the right approach. Instead, we should support alternative solutions that uphold strong encryption while effectively addressing criminal activities.

The right to privacy is a fundamental distinction between free democratic societies and authoritarian regimes.

While it is essential to investigate and combat criminal activities, weakening privacy on a mass scale could lead us down a perilous path.

Upholding privacy rights, even amidst these challenges, is crucial because freedom has never come without a cost. We must strive to protect privacy while finding ways to ensure security.

I advocate for a multifaceted approach to crime fighting that emphasizes collaboration, technological innovation and targeted strategies while maintaining a firm commitment to privacy and civil liberties. This stance aligns with the ECHR's decision in the "Podchasov vs. Russia" case, which endorsed alternative solutions that do not undermine encryption.

These alternatives include traditional policing methods, undercover operations, and metadata analysis (following ECHR). To outline potential alternatives:

In cryptography, several advanced techniques can be leveraged without compromising E2EE. These innovations can provide robust solutions in specific scenarios:

My intention here is not to assess the effectiveness or moral implications of these alternative methods. Instead, I aim to provide a general overview of potential strategies that could be employed without compromising encryption. Ultimately, deciding on their implementation should be a transparent democratic process, involving the input and consent of the people who will be affected. This inclusive approach ensures that any adopted measures align with the values and needs of society.

Beyond these targeted cryptographic methods, our general approach should focus on bolstering digital defenses at both the public and the organizational level in a democratic society.

This includes improving, not weakening, cryptographic standards to reduce vulnerabilities that criminals might exploit. For example, we should promote awareness campaigns on phishing and secure password practices, and invest in advanced security engineering. These measures collectively reinforce our digital resilience without compromising the privacy and security that underpin a free society.

In IT, there is a concept known as a "single point of failure" (SPOF), a non-redundant component that, if it fails, can bring down the entire system.

This principle also applies to democratic systems: if a critical element of democracy, such as the right to privacy or free expression, is compromised, the stability and integrity of the entire democratic structure are at risk.

A democracy must protect its core values and rights to ensure its resilience and continued function.