EU Parliament Moves to Protect Privacy

EU Parliament building
Sharon Polsky MAPP |

European Parliament's negotiators reached a broad majority agreement this week on a common position concerning the controversial EU chat control bill, which threatened to undermine privacy and encryption across the internet. 

The European Parliament’s position, agreed upon by all parties, removes indiscriminate bulk scanning and automated reporting of private messages for allegedly suspicious content by using error-prone algorithms and artificial intelligence. 

The agreed language instead allows only for a targeted surveillance of specific individuals and groups reasonably suspected of being linked to child sexual abuse material, with a judicial warrant. End-to-end encrypted messengers such as Signal are exempted. Instead, internet services will have to design their services more securely, and thus effectively prevent the sexual exploitation of children.

EU lawmaker Patrick Breyer of the Pirate Party, a digital freedom fighter who negotiated the parliamentary position on behalf of his group Greens/EFA, credits public engagement — including civil society, NGOs, academics, child abuse survivors, and the broader public — as a critical factor that resulted in the lawmakers eliminating the requirement for mass scanning of communications.

"Under the impression of massive protests against the looming indiscriminate chat control mass scanning of private messages," Breyer explains, "we managed to win a broad majority for a different, new approach to protecting young people from abuse and exploitation online. As a pirate and digital freedom fighter, I am proud of this breakthrough. The winners of this agreement are on the one hand our children, who will be protected much more effectively and in a court-proof manner, and on the other hand all citizens, whose digital privacy of correspondence and communication security will be guaranteed."

MEP Breyer notes that, "Even if this compromise, which is supported from the progressive to the conservative camp, is not perfect on all points, it is a historic success that removing chat control and rescuing secure encryption is the common aim of the entire Parliament."

With this change, however, the EU Parliament is doing the exact opposite of most EU governments, and those of Canada and other countries, which are moving to destroy digital privacy of correspondence and secure encryption. As MEP Breyer says, “the fight against authoritarian chat control must be pursued with all determination!”

Key features of the negotiated agreement, which will protect young people and victims of abuse much more effectively than the EU Commission's extreme proposal, include:

1) Security by design: In order to protect young people from grooming, internet services and apps shall be secure by design and default. It must be possible to block and report other users. Only at the request of the user should he or she be publicly addressable and see messages or pictures of other users. Users should be asked for confirmation before sending contact details or nude pictures. Potential perpetrators and victims should be warned where appropriate, for example if they try to search for abuse material using certain search words. Public chats at high risk of grooming are to be moderated.

2) In order to clean the net of child sexual abuse material, the new EU Child Protection Centre is to proactively search publicly accessible internet content automatically for known CSAM. This crawling can also be used in the darknet and is thus more effective than private surveillance measures by providers. To ensure the Center is and is seen to be truly independent, provisions for sharing administrative functions with Europol has been removed.

3) Providers that become aware of clearly illegal material will be obliged to remove it — unlike in the EU Commission's proposal.

4) Law enforcement agencies that become aware of illegal material will now be required to report it to the provider for removal. The need for this provision was clear in the case of the darknet platform Boystown, in which the worst abuse material was further disseminated for months — with Europol's knowledge.

The agreed-upon regulation safeguards trust in secure end-to-end encryption and, unlike the initial proposal, will not require client-side scanning or the installation of surveillance functionalities and security vulnerabilities in smartphones or other devices. Those blanket chat control violates fundamental rights and would likely have not been able to withstand a court challenge.

The final text also guarantees the right to anonymous communication and removes mandatory age verification for users of communication services. Whistleblowers will thus continue to be able to leak wrong-doings anonymously without having to reveal their identity. In addition, app stores will not be obliged to prevent young people under 16 from installing messenger apps, social networking, and gaming apps 'for their own protection' as initially proposed.

The EU Parliament’s civil liberties committee is due to confirm the agreement on 13 November.

Topic tags:
surveillance privacy Encryption government Legislation