The EU has proposed a bill, known as ‘chat control’, to scan all digital communications for potential illegal content. Chat control would violate fundamental rights, and turn the EU into a surveillance supra-state. If that doesn’t sound ideal, there’s still a short window of time to take action ✊
Suspicious material found. Your conversation has been reported.
Most likely you haven’t received such a notification in your private messages … yet. But it could soon become a reality for people living in the European Union.
Errrm … sorry, what? Yes, that was my response as well. But okay, no stress. You’re about to find out all you need to know.
Hello and welcome to Vulnerable By Design with me, Chris Onrust. In today’s episode, we’ll talk all about the curious (and also a bit naughty!) plans that the European Union has for your digital communications, including private messages and including conversations that are end-to-end encrypted. So what’s the deal?
Scan all digital communications
This coming September, your representatives in the European Parliament will decide on whether to pass bill COM (2022) 209, better known as ‘chat control’.
Chat what? Chat Control. Chat control refers to a bill from the offices of EU commissioner Ylva Johansson of Home Affairs. If implemented, the proposal would make it possible for the EU to force providers of digital communication services to scan the contents of all communications from all users of their services, to see if it might, quite possibly, contain anything illegal.
In concrete terms, this would mean that the contents of every message you send through a messaging service—from WhatsApp, Instagram and TikTok to Minecraft and Zoom—will get scanned.
That message to your child, your sister, or your nanna? High quality banter with a colleague? That cute selfie to your babe? Snaps of that strange skin rash sent to your GP? Communications between a lawyer and their client? Between a journalist and her source? All of them would have to get scanned. Generally. Arbitrarily. Without there being any suspicion that you would have done anything wrong. And without a court order.
Plus, if the (quite possibly proprietary, closed-source) automatic scanning systems decide to do so, your message will get passed on to some random person doing EU admin, who’ll be able to forward it directly to the European law enforcement agency body in The Hague, Europol.
It’s like having a friendly observer from the EU at your side 24 hours a day, seven days a week, scrutinising every bloody single thing you say and do—in your living room, in your kitchen, on the loo, at work, in the gym, on the tube, at the doctor’s. Sounds fun? Yeah, me neither.
So what’s behind this kerfuffle? Why would EU administrators want to do any of this to their fellow inhabitants? The official motivation for the proposal is that it could help combat certain types of crime.
In the case of chat control, they’re currently pitching the proposal as absolutely, unavoidably required to address crimes of child abuse. That being said, leaked documents do seem to suggest that the proposers also considered throwing in that good-old catch-all for bad things of terrorism as a justification.
Terrorism and child abuse are two categories of crime that can reliably be counted on to affront pretty much anyone. And it is not a coincidence that since the 1990s, terrorism and child abuse have been regurgitated every couple of years as arguments for why we have to undermine secure encrypted communication between people.
Without secure, encrypted communication available to the public, it would be so much easier for governments and intelligence agencies to monitor who is saying what to whom, when, and what any dissidents might be up to. Oops, did I say that out loud?
The Council of Europe is not the only body currently trying to curtail digital freedoms. In the United Kingdom, there is the Online Safety Bill still floating around, which would undermine end-to-end encryption, in addition to a bunch of other nasty things. And the United States is considering the Eliminating the Abuse and Rampant Neglect of Interactive Technologies bill (abbreviated ‘EARN IT’), which would, among other things, include putting backdoors into encrypted communication.
Just for context, having a backdoor in end-to-end encrypted communication is the equivalent of carefully locking up your entire house to prevent burglary, but leaving one window wide open.
Predictable as the EU’s and others’ attempts to undermine secure communications may be, chat control is nonetheless still a terrible idea. Here’s why.
Violating fundamental rights
Scanning all digital communication indiscriminately and without any suspicion of wrongdoing would be a gross violation of the fundamental rights of the people of Europe.
This includes the right to respect for private and family life, including the confidentiality of communications; the right to protection of personal data; and the right to freedom of expression and information—which are formulated respectively, in articles I.7, I.8 and I.11 of the Charter of Fundamental Rights of the European Union.
That chat control would violate these fundamental rights is not my opinion. Or at least it’s not just my opinion. This is the conclusion reached by the European Data Protection Supervisor and the European Data Protection Board. And it is also the official conclusion of the EU’s own Legal Service, whose professional advice was sought when it turned out that there were quite a lot of objections to the chat control proposal.
In stating its case. The EU’s legal service, moreover, noted that the proposal most likely doesn’t even comply with the principle of proportionality—which is the principle that any infringement of a fundamental right must be proportionate to the objective that the infringement is trying to achieve.
In other words, even the EU’s own Legal Service says that legally, this proposal is eminently shaky. And if it were to be implemented, it would most likely be struck down by the courts at the first possible legal challenge.
Also, I would say that it would not go too far to conclude that chat control would, quite openly, turn the European Union into a surveillance supra-state.
Now, in Europe, where have we seen something like this before? Think, think, think.
At its peak in the late 1980s, the former East German Ministry of State Security, better known as the ‘Stasi’, had compiled files on approximately 5.6 million people. In the late 1980s, 5.6 million people would equate to roughly a third of the entire East-German population.
The Stasi might steam open your letters, tap your telephone, and go into your house when you’d be out, to install microphones to listen to your every conversation. Or you might be compromised, and be forced to do those things to the people around you.
Today, the 111-kilometre-long row of documents of the Stasi archives have been opened to the public. Its presentday archivists now refer to these dossiers as ‘victim files’. Everyday citizens like you and I were victims of these large scale, sweeping surveillance practises.
And upon hearing all that, what does the EU think? ‘Amateurs! We can do better!’? Instead of surveilling ‘only’ a third of the population, the EU wants to extend this eavesdropping to anyone and everyone who sends digital messages.
If we assume that all owners of a personal tracking device also known as a ‘smart phone’ are senders of digital messages, then this would amount to surveillance of more than 77.64% of the population in the EU. Every day. Every night. Arbitrarily. Without you having done anything wrong.
Surveilling 5.6 million people was bad and created victims. But surveilling 348 million people would somehow be fine, just because this time the initiative comes from Brussels, rather than from Berlin?
Secrecy of correspondence
In 1844/45, the Dutch statesperson J.R. Thorbecke and fellow MPs submitted a proposal to enscribe the secrecy of correspondence into law. In this proposal they already cautioned:
‘To open, or cause to be opened, a person’s letters against their will, is no lesser, nay, rather more dangerous an assault on their liberty, than when informers are sent into their house to eavesdrop on their confidential conversations…’
Yes, that sounds fair. But do EU countries today still realize that that’s the case?
The picture seems murky at best. The Netherlands only last year amended article 13 of its constitution to make it clear that the secrecy of correspondence applies not only to telephones and telegraphs, but also to all telecommunication, such as email, WhatsApp, or Tinder.
Poland, a country in which memories of Soviet times are still fresh, has already said it will not support the chat control bill. The German federal government has indicated that it will not support the proposal in its current form. And in Finland and Estonia, even law enforcement agencies have made it clear that they think secure digital communication supported by end-to-end encryption is essential.
But … we also have a whole lot of EU countries in which representatives either don’t seem to understand how secure, end-to-end encrypted communication works, or just want to ban it outright. For example, they say contradictory things such as ‘We don’t encryption weakened, but we do want all messages to be scanned’. Part of the ‘let’s ban secure, encrypted communications outright’-crowd are countries including Spain, Cyprus, Slovenia, Lithuania, Croatia, and Hungary. To which I say: good luck my friends, doing your online banking over http next time :D
All of this means that right now, people in the European Union are still faced with the threat that chat control could soon be pushed through under the misleading guise of ‘Stop terrorism!!’ Uuh … no sorry it was the other one, ‘Save the children!!’ With all the fundamental rights violations and surveillance that would entail.
If you’re based in the EU, and if that sounds not so optimal to you, then there’s right now just a very short window of time left to rally your friends and acquaintances, make some noise, call or write to the negotiators who are working on this bill to tell them this is … errr… not a bright idea.
Chat control? No thank you.
Thank you for tuning in to Vulnerable By Design this time around. If you feel so inclined, do share this episode with a friend or an enemy. Also also also! If you’d like to hear more or get in touch, you will find all of our episodes and contact information on vulnerablebydesign.net. I am Chris Onrust. Thank you for listening, and bye for now.
- EU’s chat control proposal - bill COM (2022) 209 final
- UK’s Online Safety Bill
- Charter of fundamental rights of the European Union
- EU Commission Asks EU Council Lawyers If Compelled Client-Side Scanning Is Legal, Gets Told It Isn’t, on Techdirt, 15 May 2023.
- Joint Opinion of the European Data Protection Supervisor and the European Data Protection Board on chat control
- Lessons from the Stasi, by Amnesty International.
- About the Stasi Records Archive
- Smartphones in Europe - Statistics & Facts, on Statista, 23 May 2023.
- Poland isn’t happy with the chat control proposal, in Euractiv, 4 July 2023.
- Germany Insists in Major Revision of the EU Chat Control Proposal to Protect Fundamental Rights, by Patrick Breyer, 18 April 2023.
- Chatcontrole (in Dutch)
- Chat Control: Your Private Messages Will Be Scanned!’ (also available in Danish)
- Chat Control 2.0 (in Swedish)
- Traduction du dossier Chat Control 2.0 de Patrick Breyer (in French)
- Chatkontrolle (in German)
- Stop Scanning Me! petition to protect the privacy and security of digital communications.