
EU at loggerheads over chat control

Speculation is rife about the controversial Child Sexual Abuse Regulation as the EU Council puts it on the table for a Ministerial meeting this Thursday. Several Member States oppose it on privacy and security grounds. Finding a consensus will be difficult. The concern is that it would give the green light for privately-operated mass surveillance of WhatsApp and other instant messaging on public or private platforms (dubbed chat control).

Hungary, which currently holds the Presidency of the EU Council of Ministers, is pushing for a conclusion of the legislation within its six-month tenure, which ends in December this year. The barrier is a blocking minority of Member States who are opposed to the Regulation. If this blocking minority holds up, the Council cannot achieve a common position and would not be able to progress the legislation further.

The appallingly-named Child Sexual Abuse Regulation (CSAR) requires messaging services and social media platforms to monitor users' communications for child sexual abuse material. The Regulation embodies a highly controversial and divisive issue. Stakeholders such as law enforcement and child rights groups tend to argue for it, and the technical community, notably cyber-security experts, are vocally opposed. The overriding concern is that these measures will impose an intrusive form of mass surveillance on all users by monitoring uploaded images and text communications. The most contentious measures are those requiring platforms to scan end-to-end encrypted (e2ee) communications.

The Hungarian Presidency has published what is described as a partial general approach (common position), released on 24 September. Member States are being asked to agree to new measures including search-engine delisting and cross-border delisting orders. It has also proposed a compromise to limit the monitoring to high-risk services and known images only, but these changes do little or nothing to address concerns about the intrusive nature of the technologies that will deploy the measures.

The proposal is on the agenda for a preparatory meeting of Permanent Representatives [COREPER] this Wednesday 9 October, and is scheduled for public discussion at the Justice and Home Affairs Ministerial meeting on Thursday 10 October. [Background here]

Hungary had hoped to get the proposal adopted by the end of this year. It has been trying to progress the Regulation against a backdrop of opposition and stalling, including a strong compromise position taken by the European Parliament last year [see EU law set for new course on child online safety] and the failure of both the Belgian and Spanish Presidencies to move things forward. It faces a blocking minority of Member States, which has so far meant that no agreement could be reached. Hence, there will be a discussion but no vote at the EU Council meeting. The opposing Member States are understood to be Germany, Poland, Slovenia, Austria, the Czech Republic and Estonia.

In the past week, they have been joined by the Netherlands. An announcement on Tuesday this week from the Dutch government said that it does not support the proposal and would abstain if there was a vote, as reported by the German news website Netzpolitik. Procedurally, it is understood that an abstention has the effect of blocking a vote, if one is proposed, as there are not enough Member States in favour.

In a public statement, the Dutch government said that there is insufficient clarity about the impact of the proposed measures. It expressed concerns about privacy and confidentiality.

A specific concern relates to the security risks of client-side scanning, an emerging technology to scan for child sex abuse material on devices and smartphones. The Dutch government received advice from its Intelligence and Security Service [AIVD], which said in a statement that: "Introducing a scanning application on every mobile phone, with its associated infrastructure and management solutions, leads to an extensive and very complex system. Such a complex system grants access to a large number of mobile devices & the personal data thereon. The resulting situation is regarded by AIVD as too large a risk for our digital resilience." [Translation from the original Dutch by former intelligence officer Bert Hubert]

The Hungarian Presidency’s “partial general approach” seeks to address concerns by limiting scanning to high-risk services only. It has ruled out requiring providers to monitor for new CSAM or grooming content and seeks to limit scanning to known images [Article 23a]. However, as highlighted by the former MEP and long-term anti-surveillance campaigner, Dr Patrick Breyer, these measures do nothing to address the fundamental risks of the proposed technology.

Moreover, the inclusion of search engine delisting orders [Article 33a] is a very dangerous measure that has had very little airing in the policy discourse and hence its effects are untried and untested. It will affect websites as well as messaging and social media. Cross-border delisting and removal orders are also included in the new proposal.

Cybersecurity experts and academics have been critical of chat control proposals, especially the deployment of client-side scanning on end-to-end encrypted services. Client-side scanning is a form of AI-based content moderation technology designed to work on smartphones and devices. A recent paper issued by the German research institute Forschungszentrum Informatik [FZI] argues that client-side scanning would entail the integration of surveillance software into all co-operating messenger apps. The paper concludes that chat control threatens trust in digital communication.

And a paper just released by Dr Jessica Shurson of Sussex University issues a siren warning against: “a statutory obligation on ‘internet communications organisers’ to provide information to state authorities that allowed for the decryption of encrypted communications” which is a disproportionate interference with privacy rights.

The discussion at Thursday's meeting in Brussels could become quite tense. 

---

I provide independent advice on policy issues related to online content. Please get in touch via the Contact page.

If you cite this article, kindly acknowledge Dr Monica Horten as the author and provide a link back.

If you like this article you may like to read my earlier work on chat control, such as Online Safety Bill: does government want to snoop on your WhatsApps? It still broadly holds true. 

  


About Iptegrity

Iptegrity.com is the website of Dr Monica Horten, independent policy advisor: online safety, technology and human rights. Advocating to protect the rights of the majority of law-abiding citizens online. Independent expert on the Council of Europe Committee of Experts on online safety and empowerment of content creators and users. Published author, and post-doctoral scholar, with a PhD from the University of Westminster, and a DipM from the Chartered Institute of Marketing. Former telecoms journalist, experienced panelist and Chair, cited in the media, e.g. BBC, iNews, Times, Guardian and Politico.