European proposals to require technology companies to scan the contents of communications sent through encrypted email and messaging services pose an “existential catastrophic risk”, it was claimed last night.
Encrypted messaging service Signal, which is widely used by governments, businesses and the public to send secure messaging services, warned that passing new legislation “negates the very purpose of encryption”.
The European Council is due to vote on Danish proposals on 14 October to mandate emailing and messaging services to install machine learning and scanning technology on mobile phones and computers to identify and report suspected child abuse images.
European Union (EU) member states are divided on the scheme, dubbed Chat Control, which has been widely criticised by cryptographers and security researchers who claim that mandatory scanning would create security vulnerabilities that could be exploited by hackers and hostile nation states.
Signal’s vice-president for global affairs, Udbhav Tiwari, said that if the proposals became law they would introduce “massive glaring vulnerabilities” into operating systems used on phones and computers.
“Malicious actors will start using this capability to gain access that would simply be unthinkable for them under the current security paradigms of how operating systems have been implemented,” he said.
Under the Danish proposals, technology companies would be required to introduce client-side scanning technologies that will use hash functions to identify known abuse images and machine learning algorithms to identify unknown images. One way to enforce it would be to require software companies to introduce scanning capabilities in widely used operating systems, such as Windows, Apple’s MacOS and iOS, and Google’s Android.
Security vulnerabilities
Tiwari, speaking in an online-discussion, said that law enforcement and intelligence agencies in Europe have pressed for government devices to be exempt from mandatory scanning to protect the security of government data from security vulnerabilities.
“You can imagine, if an intelligence agency wants to make sure that its servers and services don’t have this technology, the CEO of a multibillion-dollar company probably doesn’t want its C suite to be susceptible to the same risks,” he added.
Critics say that Chat Control would be expensive to implement, as it would require EU countries to deploy thousands of law enforcement officers to manually review images that had been identified as suspect by scanning algorithms that are prone to produce false positives or false negatives.
The proposals are likely to face legal challenges if they are enacted, said Asha Allen, secretary general for the Centre for Democracy and Technology Europe.
She said the European Council’s own lawyers had raised reservations about the lawfulness of the proposals.
The European Court of Human Rights, for example, found that in the case of Podchasov v Russia that attempts to weaken encryption or create “backdoors” are in breach of privacy rights.
The Chat Control proposals are “inherently disproportionate” as they would “require scanning private messages and content of users who have no allegations or suspicions or wrongdoing against them”, said Allen.
They are also likely to breach General Data Protection Regulation data protection regulations, which require people to give their “informed consent” before their private messages are scanned.
Those that refuse will not have full access to encrypted messaging or email services, in what Allen said amounts to “coercive consent” and a breach of data protection law.
Critics say that Europe may ultimately need to make it unlawful for people to use techniques that could bypass client-side scanning if the measures become law, by, for example, making it illegal to modify operating systems that contain client-side scanning software, and banning the use of virtual private networks.
Tiwari said that criminals and bad actors would find ways to circumvent Chat Control, but that people who want to use encryption for legitimate purposes would lose their privacy.
Top computer and security experts warned in a scientific paper that now-abandoned plans by Apple to introduce client-side scanning in 2021 were unworkable, prone to abuse by criminals, and a threat to safety and security.
EU member states are divided on the Chat Control proposals, with 12 in favour, including France, Denmark and Spain. The Netherlands, Finland and Poland are among six countries opposing. The eight undecided states include Belgium, Germany, Sweden and Greece.
