Chat Control: EU lawmakers finally agree on the voluntary scanning of your private chats
40 points by mseri
I hate it when headlines are wildly inaccurate. EU Lawmakers in the EU Council have agreed on a proposal for chat control they will send to parliament for further modifications and final agreement. I doubt this flies far in parliament, because Denmark had to soften up their dystopian proposal so much that it's near useless and what remains has very little supervision.
I generally agree with this sentiment, but I’m afraid in this case nuance leads to compromise, which leads (slowly) to a totalitarian tech regime like China/Russia.
There are a lot of extremely concerning things even in the watered-down version of this proposed law (age verification) and the timing is awfully suspicious (UK/Australia passing similar laws and it being close to Christmas where people are more focused on their family and holidays). Everything under the guise of “protect the children” or “fight terrorism”, the classic playbook. Oh and the politicians themselves are exempt.
The "voluntary" aspect of this is unclear to me. Who opts in to it and why would they?
It doesn't matter, it's the excuse to legally set up all the infrastructure. Then it's only a matter of time.
You can read it all here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_9068_2022_INIT. It's a bit annoying to look up.
Apparently, they would delete Articles 7 to 11, but keep Articles 4 and 5, which still mandate various measures.
The voluntary activities of providers under Regulation (EU) 2021/1232 would be included as a possible mitigation measure (in Article 4) and thus serve as an element for the risk categorisation of services. Providers of high-risk services, in cooperation with the EU Centre, may still be required to take measures to develop relevant technologies to mitigate the risk of child sexual abuse identified on their services (Article 5).
I fully agree with you, they are just expanding the law piecemeal because this time, too many people stood up for their right to privacy. It's a ratchet that goes one way only. Ultimately, an entity that drafts and partially passes laws like this should be rejected in its entirety.
What were the legal barriers to tech companies scanning user messages? afaik companies that wanted to scan messages on their platforms could already do that.
Article 8 of the European Convention on Human Rights
- Everyone has the right to respect for his private and family life, his home and his correspondence.
Reading my messages (or reporting them to someone else) is clearly not respecting my right to private correspondence.
I agree, but I'm very doubtful that this is an actual legal barrier. Do we really think that chat providers operating in the EU (let's assume we're talking about companies that don't implement e2e encryption) are refraining from running analytics on their users' private messages? On the basis that someone might try to sue them under the ECHR?
I am interested in the specifics around how the "voluntary scanning" details can be shared with government agencies, though. That might have the potential to create loopholes for bypassing GDPR protections.
Czechia has a constitution that includes a bill of rights. Among those is this one (translated for your convenience):
Article 13: No one shall violate the secrecy of correspondence or the secrecy of other documents and records, whether kept privately or sent by mail or other means, except in cases and in the manner prescribed by law. The secrecy of messages transmitted by telephone, telegraph, or other similar devices is likewise guaranteed.
I am not a lawyer, but snooping on messages as e.g. a mail service provider, or a chat provider, is kinda unconstitutional. And the criminal code has something to say about that as well:
§ 182 Breach of confidentiality of transported messages
(1) Whoever intentionally breaches the confidentiality
- a) of a sealed letter or other document while providing postal services or transported by another transport service or transport facility,
- b) of data, text, voice, audio, or video messages sent via an electronic communications network and attributable to an identified participant or user receiving the message, or
- c) of non-public data transmission to, from, or within a computer system, including electromagnetic emissions from a computer system transmitting such data, shall be punished by imprisonment for up to two years or a ban on activity.
Again, not a lawyer, but I believe that when the constitution says something is guaranteed, that means that there must be a corresponding law in place. And if it's not effective, citizens can sue the state to rectify the issue, and the ECHR establishes a supranational court that rules on the issue, effectively providing a check on national governments so that they stay within the constitutional limits.
Do we really think that chat providers operating in the EU (let's assume we're talking about companies that don't implement e2e encryption) are refraining from running analytics on their users' private messages?
I would certainly assume nobody is reading my digital correspondence besides me and other participants. They might be processing it in other ways, but I think leaking the contents in any form would likely qualify as a criminal offense. It would be extremely hard to convince a judge that telling their business partners that you specifically prefer vanilla over chocolate, as per your correspondence, did not involve reading it.
I am interested in the specifics around how the "voluntary scanning" details can be shared with government agencies, though. That might have the potential to create loopholes for bypassing GDPR protections.
Patrick Breyer says that:
These algorithms are notoriously unreliable. The German Federal Police (BKA) has warned that 50% of all reports generated under the current voluntary scheme are criminally irrelevant. -- link
So I guess they just forward it to the police?
Do we really think that chat providers operating in the EU (let's assume we're talking about companies that don't implement e2e encryption) are refraining from running analytics on their users' private messages?
What the private sector does is often irrelevant. Usually such protections are in relation to the government — freedom of speech, for example, is another protection from the government that in many jurisdictions doesn't hold for private entities (e.g., if I don't like how you speak in my house, I can throw you off my property).
In this case, the private sector is also providing solutions that are e2e encrypted, so privacy-conscious users such as myself can choose Signal. If a law mandating the analysis of private communications passes, apps like Signal will either cave, or be banned from the EU. The difference between government and the private sector is that the government, having a monopoly on violence, can eliminate your freedom to choose.
There’s never been a better time to self-host an XMPP server for your chat—it’s federated, decentralized, self-hostable, & light on storage/system resources, with clients supporting E2EE. As an optimist, I would hope these actions would convince others it’s time for their comrades to ditch the trust in the system & fire up their own alternatives they control, but the pessimism settles in that most will consider this the cost of doing business/I have nothing to hide/I love my friends/family more than privacy (not realizing you can eat your cake too).
This is something I'm wondering about - how does Chat Control affect XMPP? You have different people working on the clients, hosting the servers - and I think in some cases the encryption is a plugin separate from the main client too. Does Chat Control account for this split of responsibilities somehow?