EU at loggerheads over chat control
- Author: Monica Horten
- Published: 08 October 2024
Speculation is rife about the controversial Child Sexual Abuse Regulation as the EU Council puts it on the table for a Ministerial meeting this Thursday. Several Member States oppose it on privacy and security grounds. Finding a consensus will be difficult. The concern is that it would give the green light for privately-operated mass surveillance of WhatsApp, and other instant messaging on public or private platforms (dubbed chat control).
Hungary, which currently holds the Presidency of the EU Council of Ministers, is pushing for a conclusion of the legislation within its six month tenure, which ends in December this year. The barrier is a blocking minority of Member States who are opposed to the Regulation. If this blocking minority holds up, the Council cannot achieve a common position and would not be able to progress the legislation further.
The appallingly-named Child Sexual Abuse Regulation (CSAR) requires messaging services and social media platforms to monitor users communications for child sexual abuse material. The Regulation embodies a highly controversial and divisive issue. Stakeholders such as law enforcement and child rights groups tend to argue for it, and the technical community, notably cyber-security experts, are vocally opposed. The overriding concern is that these measures will impose an intrusive form of mass surveillance on all users by monitoring uploaded images and text communications. The most contentious measures are those requiring platforms to scan end-to-end encrypted (e2ee) communications.
The Hungarian Presidency has published what is described as a partial general approach (common position), released on 24 September. Member States are being asked to agree to new measures including search-engine delisting, and cross-border delisting orders. It has also proposed a compromise to limit the monitoring to high risk services and known images only, but they do little or nothing to address concerns about the intrusive nature of the technologies that will deploy the measures.
The proposal is on the agenda for a preparatory meeting of Permanent Representatives [COREPER ] this Wednesday 9 October, and is scheduled for public discussion at the Justice and Home Affairs Ministerial meeting on Thursday 10 October. [Background here]
Hungary had hoped to get the proposal adopted by the end of this year. It has been trying to progress the Regulation against a backdrop of opposition and stalling, including a strong compromise position taken by the European Parliament last year [see EU law set for new course on child online safety ] and the failure of both the Belgian and Spanish Presidencies to move things forward. It faces a blocking minority of Member States which has so far meant that that no agreement could be reached. Hence, there will be a discussion but no vote at the EU Council meeting. The opposing Member States are understood to be Germany, Poland, Slovenia, Austria and Czech Republic, Estonia.
In the past week, they have been joined by the Netherlands. An announcement on Tuesday this week from the Dutch government said that it does not support the proposal and would abstain if there was a vote, as reported by the German news website, Netzpolitik. Procedurally, it is understood that an abstention has the effect of blocking a vote, if one is proposed, as there are not enough Member States in favour.
In a public statement, the Dutch government said that there is insufficient clarity about the impact of the proposed measures. It expressed concerns about privacy and confidentiality.
A specific concern relates to the security risks of client-side scanning, an emerging technology to scan for child sex abuse material on devices and smartphones. The Dutch government received advice from its Intelligence and Security Service [AIVD] which said in a statement that: "Introducing a scanning application on every mobile phone, with its associated infrastructure and management solutions, leads to an extensive and very complex system. Such a complex system grants access to a large number of mobile devices & the personal data thereon. The resulting situation is regarded by AIVD as too large a risk for our digital resilience.” [Translation from the original Dutch by former intelligence officer Bert Hubert]
The Hungarian Presidency’s “partial general approach” seeks to address concerns by limiting scanning to high risk services only. It has ruled out requiring providers to monitor for new CSAM or grooming content and seeks to limit scanning to known images [Article 23a]. However, as highlighted by the former MEP and long-term anti-surveillance campaigner, Dr Patrick Breyer, these measures do nothing to address the fundamental risks of the proposed technology.
Moreover, the inclusion of search engine delisting orders [Article 33a] is a very dangerous measure that has had very little airing in the policy discourse and hence its effects are untried and untested. It will affect websites as well as messaging and social media. Cross—border delisting and removal orders are also included in the new proposal.
Cybersecurity experts and academics have been critical of chat control proposals, especially the deployment of client-side scanning on end-to-end encrypted services. Client-side scanning is a form of AI-based content moderation technology designed to work on smartphones and devices. A recent paper issued by the German research institute Forschungszentrum Informatik [FZI] argues that client-side scanning would entail the integration of surveillance software into all co-operating messenger apps. The paper concludes that chat control threatens trust in digital communication.
And a paper just released by Dr Jessica Shurson of Sussex University issues a siren warning against: “ a statutory obligation on ‘internet communications organisers’ to provide information to state authorities that allowed for the decryption of encrypted communications” which is a disproportionate interference with privacy rights.
The discussion at Thursday's meeting in Brussels could become quite tense.
---
I provide independent advice on policy issues related to online content. Please get in touch via the Contact page.
If you cite this article, kindly acknowledge Dr Monica Horten as the author and provide a link back.
If you like this article you may like to read my earlier work on chat control, such as Online Safety Bill: does government want to snoop on your WhatsApps? It still broadly holds true.
- Article Views: 268
IPtegrity politics
- Shadow bans: EU law says users may not be left in the dark
- EU at loggerheads over chat control
- Why the Online Safety Act is not fit for purpose
- Fixing the human rights failings in the Online Safety Act
- Whatever happened to the AI Bill?
- Hidden effects of the UK Online Safety Act
- EU puts chat control on back burner
- Why did X lock my account for not providing my birthday?
- Creation of deep fakes to be criminal offence under new law
- AI and tech: Asks for the new government
- How WhatsApp holds structural power
- Meta rolls out encryption as political headwinds ease
- EU law set for new course on child online safety
- Online Safety Act: Ofcom’s 1700-pages of tech platform rules
- MEPs reach political agreement to protect children and privacy
- Online Safety - a non-consensual Act
- Not a blank cheque: European Parliament consents to EU-UK Agreement
About Iptegrity
Iptegrity.com is the website of Dr Monica Horten, independent policy advisor: online safety, technology and human rights. Advocating to protect the rights of the majority of law abiding citizens online. Independent expert on the Council of Europe Committee of Experts on online safety and empowerment of content creators and users. Published author, and post-doctoral scholar, with a PhD from the University of Westminster, and a DipM from the Chartered Institute of Marketing. Former telecoms journalist, experienced panelist and Chair, cited in the media eg BBC, iNews, Times, Guardian and Politico.
Online Safety
- Shadow bans: EU law says users may not be left in the dark
- Why the Online Safety Act is not fit for purpose
- Fixing the human rights failings in the Online Safety Act
- Hidden effects of the UK Online Safety Act
- Why did X lock my account for not providing my birthday?
- Online Safety Act: Ofcom’s 1700-pages of tech platform rules
- Online Safety - a non-consensual Act
- Online Safety Bill passes as US court blocks age-checks law
- Online Safety Bill: ray of hope for free speech
- National Crime Agency to run new small boats social media centre
- Online Safety Bill: does government want to snoop on your WhatsApps?
- What is content of democratic importance?
- Online Safety Bill: One rule for them and another for us
- Online Safety Bill - Freedom to interfere?
- Copyright-style website blocking orders slipped into Online Safety Bill