Press play to listen to this article
Markéta Gregorová is a member of the European Parliament from the European Pirate Party.
Strong end-to-end encryption is an essential part of a secure and trustworthy Internet. It protects us every time we make an online transaction, when we share medical information or when we interact with friends and family.
Strong encryption also protects children — it allows them to communicate with trusted friends and family members in confidence, and allows others to report online abuse and harassment confidentially. It keeps our personal data personal, and our private conversations private.
But now that fundamental technology is being threatened by the European Commission.
The European Union’s new regulation intending to fight child sexual abuse online will require Internet platforms — including end-to-end encrypted messaging apps like Signal and WhatsApp — to “detect, report and remove” images of child sexual abuse shared on their platforms. In order to do this, however, platforms would have to automatically scan every single message — a process known as “client-side scanning.”
But not only is this a gross violation of privacy, there’s no evidence that the technology exists to do this effectively and safely, without undermining the security provided by end-to-end encryption. And while the proposed regulation is well-intentioned, it will result in weakening encryption and making the Internet less secure.
Only two months ago, the New York Times reported that Google had flagged medical images that a man in San Francisco had taken of his son’s groin as child sexual abuse material. He had sent the images to his doctor seeking medical advice for his child, only to have his account shut down and become the subject of a police investigation.
The current regulations would create such mandatory measures for platforms, enforcing them with significant fines of up to 6 percent of an offender’s global turnover — meaning tech companies would be forced to be overzealous for fear of falling foul of the rules. This greatly increases the possibility of such false-positives being flagged, and the potential consequences could be devastating to the lives of innocent people.
The EU also relies on encryption to protect the security of its member countries and the bloc as a whole.
Immediately following Russian President Vladimir Putin’s invasion, secure messaging apps dominated the download charts, as people in Ukraine began downloading end-to-end encrypted messaging services to communicate with friends and family in private. Similarly, the European Commission itself has called on its staff to use Signal to protect their communications. And with an increasingly aggressive and unpredictable Russian government on our doorstep, weakening encryption could be catastrophic for EU security.
The European Pirate Party agrees that more needs to be done to tackle the sexual abuse of children online, but this regulation is not the answer. The EU’s proposals have already been criticized by privacy watchdogs — the European Data Protection Board and the European Data Protection Supervisor — which issued a joint statement calling for the regulations to be amended.
The bodies described the proposals as “highly intrusive and disproportionate,” arguing that by requiring platforms to weaken encryption, the regulations violate Articles 7 and 8 of the Charter of Fundamental Rights of the European Union — namely, the right to respect for private and family life, as well as the right to protection of personal data.
And these regulations are just the latest in a string of efforts by governments to weaken end-to-end encryption. We’ve already seen calls for platforms to create “backdoors” for law enforcement, which would allow them to access private communications. Now, they’re asking platforms to spy on users.
The EU has fallen for the myth that it’s possible to keep us safer by weakening the very thing that protects us. But if you create backdoors for law enforcement, you create weaknesses in the system for everyone. Criminal gangs or other malicious actors can exploit these weaknesses to access private data that could threaten national security or undermine financial institutions. They could commit fraud and access personal information that could be used to blackmail and harass innocent people around the world.
Meanwhile, it’s also impossible for platforms to weaken encryption only for users within the EU — any reduction in security would affect users of those platforms around the world. In the U.K., for example, where similar legislation has been proposed, WhatsApp has already indicated its willingness to withdraw from that market if they’re required to weaken encryption. The same could happen across Europe — we could become a digital desert, with no major platforms willing to follow the bloc’s rules, creating a new hurdle for European companies trying to compete in foreign markets.
Just a few days ago, on October 21, a coalition of civil society organizations, business leaders, security experts and Internet advocates came together to mark the second annual Global Encryption Day, standing up for encryption in places where it is under threat — from Brazil and India to the U.K. and right at home in the EU. And we must do the same.
We all want the Internet to be a safe place for everyone. But weakening encryption won’t make us safer, and it won’t protect children from abuse. It will, however, make us all more vulnerable.