Translated Article: Regulation on “Chat Control” Launched in EU Parliament
[We have translated the article from Erich’s column, because end-to-end encryption is a fundamental part of IT security. Erich has researched a lot regarding the concerted attack on secure communication. He provides important background information to understand why the attack on encryption is presented in different countries at the same time.]
At the same time as the EU regulation, the British “Online Safety Bill” and a US law on the safety of children online are on their way through the parliaments. A comparison shows astonishing parallels in terms of content and method.
On Wednesday, work on the regulation on warrantless searches of social network users’ smartphones and PCs started in the EU Parliament’s Civil Liberties Committee (LIBE). In this first meeting, the timetable for this regulation against child abuse on the net, known as “chat control”, was set.
In the British House of Commons, a very similar bill is again on the agenda from Monday on with the “Online Safety Bill”. This bill also shows that these related bills are primarily about making secure encryption illegal. In the USA, too, such a bill to “protect children” is on its way through Congress.
The UK Online Safety Bill
The British version of the same bill, which covers practically all western legislatures, has already had two readings in the House of Commons and now presents itself slightly changed. Originally, it even included a blank authorisation for the regulatory authority OFCOM to issue search warrants to platforms such as WhatsApp, Signal etc. that did not concern “child pornography”. Rather, the distribution of legal but unspecified “harmful content” by the platforms was also to be made punishable. Namely, if these services do not provide the communications requested by OFCOM, or cannot do so at all for technical reasons.
According to Article 93 (4) of the Online Safety Bill, if a provider cannot provide the requested content of the communication or can only do so in encrypted form, this makes up a criminal offence. This makes it clear what not only the British law is aiming at. Under such a threat of punishment, no platform can afford to offer end-to-end encryption, which serves to protect private communication not only from surveillance by third parties but also from the platform operator and its employees. Exactly as in the draft EU regulation, this core statement is hidden twice somewhere in the law’s text; the term “encryption” is only mentioned at all in these passages. So it is not only the contents that are confusingly similar but also the methods. This procedure is, in fact, coordinated.
The US Child Protection Act on the Net
In the text of the US edition, the “Child Online Safety Protection Act”, one looks in vain for the term “encryption”. The comparatively slim text of the law, just thirty pages long, contains a list of mandatory measures for platforms called “best practices” to “identify, categorise and report child abuse”. So far, this all sounds very much like normal cooperation with the authorities in criminal matters. However, the entire draft text does not refer to requests from law enforcement. Rather, providers should routinely and preventively apply these “best practices” to all users of a service. So again, the content and the methods are confusingly similar on both sides of the Atlantic.
This US law is a pure new edition of the so-called “EARN IT Act” of 2020, which got stuck in the Senate shortly afterwards because it did not find a majority. Many of the passages are completely identical to today’s text, but the martial wording of the original bill has been changed. There is, however, one significant change that is only noticeable on close reading. In the second third of the legal text, a right of appeal and redress for the platforms has been inserted, namely for the case that the platform operators “do not have access to the data sets in question”. This clearly has to be the case for E2E-encrypted chats, and the next passage underneath underlines this statement.
Exemptions for E2E chats in the USA
It states that platform operators can also invoke the right of withdrawal “if access to the data sets would cause significant gaps in the security of this platform service”. This also refers directly to E2E encryption, whose high level of security consists because the establishment of an encrypted connection is negotiated directly between the participating browsers or apps on the end devices. Since the platform itself is not involved, the communication cannot be accessed from there.
This would only be possible if the service provider automatically penetrates every key exchange of end devices to establish the E2E communication and manipulates the process by covertly foisting its master key on the participating browsers or apps. The mere existence of such a master key would compromise the security of the entire platform. And that is precisely what all three legislative proposals amount to. As soon as the platform operator has such a master key, he is not only forced to decrypt individual communications for law enforcement purposes. In the UK, all communications on social networks will then be open to the military intelligence service GCHQ without encryption, in the USA to the NSA.
Two simple explanations in conclusion
What is called the “EU Centre against Child Abuse” in Europe is called “Independent Research” in the USA, both of which are not police but civilian authorities. These civilians are supposed to receive the raw data records that are classified as suspicious by the AI algorithms and first have to be “cleaned up”. In practice, such highly complex AI applications produce far more false hits that have to be sorted out: Family photos from holidays at the beach, scenes from youth sporting events, holiday camps, etc.
It is easy to explain why exemptions for E2E-encrypted services have been included in the US law. This blanket illegalisation of services with the most secure form of communication on the net went apparently too far for a majority in the Senate in 2020, which is why the EARN IT Act did not even make it onto the agenda.