Leaked Document Shows Spain Is Fully On Board With The EU Commission’s Plan To Criminalize Encryption

from the if-it-ain’t-broke,-let’s-break-it dept

For a few years now, the EU Commission has been pushing legislation that would undermine, if not actually criminalize, end-to-end encryption. It’s “for the children,” as they say. To prevent the distribution of CSAM (child sexual abuse material), the EU wants to mandate client-side scanning by tech companies — a move that would necessitate the removal of one end of the end-to-end encryption these companies offer to their users.

The proposal has received push back, mainly from security experts who have repeatedly pointed out how this would make everyone’s communications less secure, not just the criminals the EU wants to target. It has also received push back from the companies offering encrypted communications, all of which have informed the EU they will take their business elsewhere, rather than break their encryption.

The most significant push back (at least as far as the EU’s governing body is concerned) has come from one EU member: Germany. Germany’s government flat out told the EU government that it would not be enforcing this law mandating broken encryption, if and when it goes into force.

But that’s just Germany. Most EU nations seem fine with breaking encryption for everyone, just to target a very small percentage of the population. A document [PDF] leaked to Wired shows widespread support for the proposed mandate, with one country in particular suggesting the encryption-criminalizing proposal doesn’t go far enough.

Of the 20 EU countries represented in the document leaked to WIRED, the majority said they are in favor of some form of scanning of encrypted messages, with Spain’s position emerging as the most extreme. “Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption,” Spanish representatives said in the document.


“It is shocking to me to see Spain state outright that there should be legislation prohibiting EU-based service providers from implementing end-to-end encryption,” says Riana Pfefferkorn, a research scholar at Stanford University’s Internet Observatory in California who reviewed the document at WIRED’s request. “This document has many of the hallmarks of the eternal debate over encryption.”

The document dates back to April of this year. The 20 countries offering at least partial support for undermining encryption were unwilling to explain to Wired why they felt this way. Only one country supplied a comment, and that comment — along with its comments in the leaked document — suggest it, too, at some point may be providing significant push back of its own.

WIRED asked all 20 member states whose views are included in the document for comment. None denied its veracity, and Estonia confirmed that its position was compiled by experts working within related fields and at various ministries.

Estonia’s responses to the EU’s questions make it clear it thinks the proposal is, at best, half-baked. This answer in particular shows Estonia’s government calling out the EU for creating a proposal that mandates companies break other existing EU data privacy laws:

[EU]: Are you in favour of including audio communications in the scope of the CSA proposal, or would you rather exclude it as in Regulation (EU) 2021/1232?

We are a bit reserved and concerned with the potential inclusion of “audio communication”. For us the question is about what communication are we discussing – FB voice messages or direct special services or applications offering only voice communication service, including encrypted ones? Secondly the initial proposal and assessment (Interinstitutional File: 2022101 55(COD) ) focused mainly on visual material and sites and web links – indeed, this is the most pressing issue here. Audio communication was not included in that with a big attention scope.

This does not mean that Estonia doesn’t think grooming etc. criminal activities are not important. They are and we support any action fighting against this issue! We also want to remind, that EUCJ has forbidden the state regulation retention obligation of metadata by service providers. Now, we create a regulation which forces service providers to carry out mass interception of content data, which, as we want to emphasise, was the counter-argument regarding the metadata retention in the court. This is something we don’t want to do in Europe. This may also create more friction with the EU Parliament.

More directly, the Estonian Ministry of Economic Affairs and Communications says this:

Estonia does not support the possibility of creating backdoors for end-to-end encryption solutions.

That’s what happens when you actually talk to “experts working within related fields,” rather than just legislators who believe any sacrifice “for the children” is acceptable, as long as they are not expected to sacrifice anything themselves.

But the rest of the document is a mixed bag, with more countries showing support for some sort of direct regulation of E2EE. This is disappointing, but it’s too be expected when loaded language is used to create the proposal and held over the heads of EU member countries — language that suggests that if they’re for protecting encryption, they’re also for the continued sexual exploitation of children. That’s the kind of peer pressure that’s difficult to shrug off. But even if some countries (looking at you, Spain) are just looking for excuses to start breaking encryption, others are publicly demonstrating they won’t be shamed into passing a bad law that makes millions of residents’ communications less secure.

Filed Under: csam, encryption, end-to-end encryption, estonia, eu, eu commission, for the children, germany, protect the children, spain

Source : https://www.techdirt.com/2023/05/26/leaked-document-shows-spain-is-fully-on-board-with-the-eu-commissions-plan-to-criminalize-encryption/

Leave a Comment

SMM Panel PDF Kitap indir