A few days after EU citizens were called to vote on their next parliamentary representatives, we just have a rough idea of what the upcoming political squad will look like. What is certain, however, is that anti-encryption sentiments are still thriving across the Union.
We already reported the revised proposal to halt the spread of online child sexual abuse material (CSAM) that wants your permission to scan your WhatsApp messages. Now, a leaked 42-point plan puts forward new recommendations on how companies must handle people's online activities, including data retention, access, and interception of all digital services.
The goal is simple: make the digital devices we use every day, from smartphones and smart homes to IoT devices and even cars, legally and technically monitorable at all times by law enforcement bodies.
According to Jan Jonsson, CEO at Mullvad (one of the best VPNs around with a privacy-first mandate), all encrypted traffic will no longer be private and secure if the legislation passes. "A VPN won't help either," he told me. "It would mean total surveillance and that Europe's inhabitants carry state spyware in their pockets."
The process seems to be rolling at a fast speed, too. With the ashes of EU elections still smouldering in the background, lawmakers got together on Tuesday, June 11 to discuss the plan and the way forward.
It's getting serious: Today, as part of the #EuGoingDark surveillance plan, the "Working Party on Cooperation in Criminal Matters" (#COPEN) in the Council of the ??? officially discusses the reintroduction of #DataRetention! https://data.consilium.europa.eu/doc/document/CM-3137-2024-INIT/en/pdf @GreensEFA June 11, 2024
[HEADING=1]Data access by design[/HEADING]
The intention to implement a so-called "security by design" framework was first shared last year by the High-Level Group (HLG). Created by the European Commission, the group is taking the first steps in what's nicknamed the Going Dark initiative to ensure "the availability of effective law enforcement tools to fight crime and enhance security in the digital age." The process has developed largely behind closed doors so far, with civil society denied a chance to take part.
As mentioned earlier, the aim is to find a way to provide law enforcement bodies with full surveillance capabilities, both from a legal and technical point of view. It isn't surprising that encryption, the scrambling of data into an unreadable form to prevent unauthorized access, was flagged as the most urgent area of work at that time. Stored data and localization access, data retention practices, and anonymization offered by virtual private networks were the main targets.
Now, about 12 months later, it looks like the HLG group came up with some concrete solutions on how to do this in practice.
The "confidential" 42-point plan suggests forcing encrypted messaging apps to allow for interception. Data retention should also be reintroduced (the EU Court of Justice previously overturned the directive) and expanded to all over-the-top (OTT) communications, meaning all the instant messaging and online chats not provided by your mobile network operator. IP connection tracking should be guaranteed "at the very least," encrypting metadata prohibited, and GPS tracking activated by the provider upon police request. Tech companies that refuse to cooperate should be threatened with prison sentences.
It looks like authorities want access to a great deal of our data: information stored on our devices, in the services' systems, and data traveling over the internet. As Jonsson put it: "All data, in other words."
"They prioritize solutions for legal access to data on devices, and it sounds like they want to try to introduce client-side scanning of entire devices. In other words, a scanning of operating systems. Apple is constantly being urged to do this, to scan their users' phones," he added.
[HEADING=1]Is a monitored society the right answer?[/HEADING]
As the name suggests, the EU anti-encryption crusade is based on what's known in policing as the "going dark" assumption: with online anonymity, crime will go undetected in the digital world. Experts have long rejected this stance, though, arguing that breaking this protection would be detrimental to everyone's security.
Encryption is vital to ensure the enjoyment of fundamental rights, like privacy and free speech, but also to allow both citizens and businesses to defend themselves against abuses of information technologies. This was exactly the conclusion of February's judgment published by the European Court of Human Rights, which made it illegal to break encryption.
Cryptographers, privacy advocates, and tech companies raised similar concerns when the UK Online Safety Bill (now law) and EU Chat Control proposal considered creating a backdoor in the encryption to scan people's encrypted and private messages for illegal content. In the UK, so-called client scanning has been postponed until it is "technically feasible" to do so in a secure way.
This means that weak encryption protections don't just allow authorities to snoop on our online activities, but also provide an easy backdoor for cyber attackers to exploit.
Moreover, as Jonsson suggests, criminals will turn to alternative and illegal online services to carry on their malicious activities online undisturbed.
He told me: "It means that the EU mass surveillance will not catch criminals. Only ordinary people, who don't want to make an effort, will be left totally surveilled."
At the same time, German digital activist and MEP for the Pirate Party, Patrick Breyer, also highlights the vital role encryption plays in criminal investigations.
He said: "The planned internet data retention threatens to destroy our right to anonymity online, which enables crime prevention through anonymous counseling and pastoral care, victim support through anonymous self-help forums, and also investigative journalism, which often relies on anonymous whistleblowers."
[HEADING=1]What's next?[/HEADING]
While a reshaped Parliament is set to elect the new EU Commission by 2025 as the first task, the Going Dark group seems to be already busy laying the foundation of future legislation against encryption and online anonymity.
Jonsson from Mullvad is worried that these efforts may end up having more legislative legs than the Chat Control proposal, which he believes became too polluted to gain the necessary support in a final stage. "This time, they are not just using the argument 'think of the children,' but also using other serious crimes and terrorism as excuses to mass monitor the entire EU population," he told me.
Such a surveillance push from the EU, and ultimately worldwide, authorities is even more worrying when you pair it with the direction Big Tech is headed. Greater data collection is prioritized, which is in stark contrast to GDPR's main concept of data minimization.
Take the ongoing backlash hitting Adobe, for instance, over a new invasive and vague policy on how data may be used to train AI models. Or Microsoft's new Recall feature that regularly takes snapshots of your active screen, resembling more of a privacy nightmare than a useful tool. After harsh criticism, the Big Tech firm turned to updating Recall's privacy policy in an effort to please users.
Jonsson now hopes that external pressure from citizens, tech companies, and media could encourage the EU Commission to kill Going Dark plans. "The Chat control opposition eventually became massive but it came late. This time, we hope that the opposition is there from the start," he told me.
"And of course, we hope that the new Commission is better than the old one and they invite experts to be involved from the beginning, so they don't spend years on absurd legislative proposals that end up in the trash."