Translated Article: US ‘Chat Control’ Now with Exception for E2E Encryption
US-„Chatkontrolle“ nun mit Ausnahme für E2E-Verschlüsselung by Erich Moechel for fm4.ORF.at
[This is the second summary article describing the concerted attack on IT security around the globe. Erich has researched the current state of affairs. It is of interest that the US lawmakers have understood the importance of end-to-end encryption, while their UK and EU counterparts have not.]
The US regulation on child protection provides for a right of refusal in search warrants for E2E providers, as they do not have access to the requested data. The regulations planned in the EU and UK, on the other hand, require WhatsApp and others to install backdoors.
In the British House of Commons, the surveillance bill “Online Safety Bill” is getting out of hand. After incorporating the amendments from the beginning of the week, the British “chat control” with 255 pages is now completely confusing. In addition, MPs from both major parties have recently been making absurd demands for surveillance.
The US law on child protection on the Internet is different. The bill has only 30 pages and now contains two new provisions that exempt at least end-to-end encrypted communications from the rigid monitoring obligation. Since this law affects all US internet companies, it will also have a significant impact on EU regulation.
Right of refusal for E2E providers
A platform’s objection to a search warrant is to be granted if the platform itself does not have access to the data records, it says. This is more than a mere right of objection; it is a right of refusal, and it corresponds to what has been usual practice in dealing with law enforcement for years, ever since E2E encryption became available. The next passage, however, goes even further, because platform operators can also invoke the right of refusal “if access to the data sets would cause significant gaps in the security of that platform service”.
This also relates directly to E2E encryption, whose strength lies in establishing an encrypted connection negotiated directly between the browsers or apps on the end devices involved. Since the transport platform is not involved in this, the communications cannot be accessed from there. In the original version as the EARN IT Act, such a right of refusal was decidedly not envisaged. On the contrary, in the title “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act”, E2E providers were accused of notoriously abusing interactive technologies.
Dirty work outsourced to civilians
Why this passage is tailored to “independent researchers” of all people and not to law enforcement officers is explained by the approach of the law. As in the EU regulation and in the UK, the data sets with the “hits” spat out by the Big Data machines will not end up directly with the police authorities, but first with civilian bodies. In the European case, it is the “EU Centre” that is to be established on the Europol premises, i.e. a new bureaucratic body. The USA, on the other hand, relies on associations and child protection organisations to do the actual dirty work. This involves sorting out photos of beach holidays, sporting events, scout camps or intimate pictures of (young) adults from the mass of pictures or videos.
AI algorithms inevitably produce false hits. When the AIs are asked to calculate probabilities in data from human behaviour, such as whether images or videos meet the offence of “child pornography”, the false hits go through the roof. On both sides of the Atlantic, police authorities currently cannot sift through the material that is already being supplied voluntarily by the AI applications of internet companies. The rates of false hits are on the order of over 80 percent, however often the EU officials responsible for the text of the EU regulation deny this. If the internet companies are now obliged to scan all interactions on their platforms around the clock, then there will be ten times more hits – false and real – that have to be checked.
Anarchy in the UK
In the House of Commons on Monday, MPs from both major parties literally outdid each other in strong words and threats to Internet companies. Culture Minister Michelle Donelan (Conservative) had threatened internet companies with billions in fines if unauthorised content was made available to children. This means blocking access to ordinary porn websites, which is also such a concern for Labour that it called for VPN providers (“Virtual Private Networks”) to be held accountable. After all, children could use them to circumvent the age restrictions. Labour MP Margaret Hodge, on the other hand, tabled an amendment calling for the CEOs of internet companies to be held personally liable: “We know that directors personally make the decisions to amplify and distribute illegal content”.
This is the level at which the debate on child protection is taking place in the UK, with the law slowly growing into something monstrous. Parliamentarians are apparently so driven by sections of the British tabloid press that it has even become too much for the editorial writer of the national conservative Daily Telegraph. Britain is about to sleepwalk into a system much more rigid than the planned European or American one, warned the paper, nicknamed the “Torygraph” because of its closeness to the Conservatives. The kingdom would then end up with the most draconian system in the free world.
The impact on EU regulation
Since almost all internet companies covered by the planned EU regulations are US companies, the US laws naturally interact with EU law. At the current stage of proceedings, WhatsApp, Snapchat or Signal, for example, could continue to offer their messaging services in the US unchanged. For the EU area and the UK, however, these and several other US providers would have to rebuild their entire E2E security architectures and build in backdoors in order to comply with the European search obligation. Given the course of Joe Biden’s presidency, this will inevitably be interpreted as a protectionist measure and result in countermeasures.