What is the current status of secure messaging in Europe?

A European project plans to force messaging applications to scan private conversations to detect signs of child pornography. However, strong controversy is emerging, since privacy and IT security could be collateral victims of this legitimate objective.

In the name of the fight against child crime, should we accept a decline in computer security and privacy? This, in short, is the issue hidden behind a European text currently being discussed in community bodies. In recent days, this prospect has caused particular excitement on social networks, but what exactly is happening?


What is the Chat Control bill, which would scan your private conversations?

Those responsible for large secure messaging systems have come out against the European text, one of the particularities of which is to force the providers of these tools to inspect the content of messages and files that Internet users send, in order to detect child pornography content. This is why we talk about upload moderation. The text has even earned the nickname “Chat Control”.

The risk posed by legislation like this is a weakening, or even a calling into question, of certain technological fundamentals. One of the main fears is a weakening of end-to-end encryption, a principle found in particular in the Signal application and Proton's webmail to secure exchanges.

More generally, it is a mechanism that is also used by other programs, some of which are very popular, with millions or even billions of members. WhatsApp, Facebook Messenger, Google Messages, Instagram, Line, Olvid, Skype, Telegram, Viber, Wickr, Wire, iMessage… All offer end-to-end encryption. Sometimes by default, sometimes as an option, under conditions or not.

Chat Control's proposal is considered catastrophic by many observers. // Source : Thom — Photo modified

In the European Parliament, one of the loudest and most critical voices on Chat Control is Patrick Breyer, member of the Pirate Party and MEP since 2019. The parliamentarian has long opposed Chat Control, but his mobilization has increased further in recent days, due to the imminent holding of a vote, on June 20, 2024, which will allow the text to take a step forward in its legislative journey.


The vote in question aims to approve a partial negotiating mandate that the Council (which represents the 27 EU member states) can discuss with the European Parliament. This is not a vote to validate the text. However, a possible failure in the Council could derail Chat Control, hence the insistence with which Patrick Breyer and others urge people to put pressure on their governments. “It's up to all of us now. Write an email to your government. Share the call to action. Call your government today. Together we are the resistance. Stop Chat Control!”, he said again on June 19.

Encrypted messaging services are up in arms

The European proposal “to monitor and scan mass chats is the same old surveillance, with a new face. Whether you call it a backdoor, a gateway, or upload moderation, it undermines encryption and creates significant vulnerabilities”, denounces Meredith Whittaker, president of the Signal Foundation.

Meredith Whittaker. // Source : POZ_1464

“Let's be clear. Upload moderation is a mass surveillance program. We urge EU governments to reject mass scanning of their citizens' communications by voting against this proposal”, reacts the Proton company, quoting Meredith Whittaker's message.

As for Mullvad, this Swedish company has indicated that “Chat control is a corrupt proposition put forward by undemocratic methods. (…) The European Council should follow the example of the European Parliament and reject it.” Mullvad also signed a more detailed text, like Signal.

What do Signal, Proton and Mullvad have in common? They offer products with a very high degree of confidentiality and security. Signal is an instant messaging application, rival to WhatsApp. Proton provides a suite of software and services (webmail, VPN, storage, password manager, calendar). Finally, Mullvad is a VPN provider, which Mozilla uses for its own VPN.

A negotiating mandate discussed on June 20

The subject has been working its way through the European Union for several months and has lost media attention. Nothing says the European Union is going to kill encryption, as has been said, but it is an important discussion nonetheless. The European Parliament is officially unfavorable to a measure of this kind. A failure in Parliament could spell the end of the text, and there will be several opportunities during which parliamentarians could vote against.

At the level of the European Council, nothing is decided either. States are moving forward in dispersed order: in 2023, it was noted that the majority of EU countries were in favor of scanning private messages, even encrypted ones.

The Signal logo on a Cyberguerre background // Source: Numerama/Cyberguerre

According to a status update by Patrick Breyer, made on June 15, Germany, Luxembourg, the Netherlands, Austria and Poland are against the text. Others have not yet really taken a position: Italy, Finland, the Czech Republic, Sweden, Slovenia, Estonia, Greece and Portugal. Concerning France, its position is considered uncertain. The possibility of a breakdown in the European Council cannot therefore be ruled out.

A departure from messaging services?

It is perhaps also the European future of certain applications that will be at stake. In the past, messaging services like WhatsApp and Signal have indicated that they could leave a market that calls into question the principle of end-to-end encryption. At the time, the warning was aimed at England, which has since softened its position.

This warning could now be renewed for the EU. This is, incidentally, what Threema, another app of the same kind, is doing. But before that, it promises that it will use other levers, such as legal action or the implementation of new technical solutions. Proton, last year, made the same commitment to go to court if necessary. In short, encryption is still far from being banned.

