CSA Regulation: EU Council about to vote on "voluntary" chat control
Chat control in the European Union has been discussed for a long time. This Wednesday, the EU Council could come to a decision.
(Image: Yohanes Herman Nggebu/Shutterstock.com)
In the long dispute over new obligations for internet service providers to take more effective action against depictions of child sexual abuse, criticism is growing louder ahead of an important vote in the Council of EU Member States. In the vote in the Justice and Home Affairs Council (JHA) on Wednesday, the member states of the European Union could adopt a controversial proposal by the Belgian Council Presidency, even against Germany's vote. If it were to become reality, users would have to decide: Agree to automatic searches of chat messages - or no longer be able to send pictures and videos. There are loud protests against this - and companies are threatening to stop offering their products in the EU.
It is one of the dossiers left over from the last legislative period of the European Parliament and the previous EU Commission: the regulation on combating depictions of sexual abuse. The proposal by EU Commissioner for Home Affairs, Ylva Johansson, has been on the table for over two years. However, the previous European Parliament largely rejected the measures it proposed. The member states of the European Union now want to reach an agreement on Wednesday - at the insistence of the Belgian Council Presidency, whose mandate is due to expire at the end of June. The French government, which has so far been on the side of the rejecting states, is now expected to support the new proposal. As the EU, unlike Germany, does not have a discontinuity principle, meaning that a legislative procedure continues even after the elections, the controversial procedure will simply continue after the European elections.
What the Commission originally wanted
There is probably no other EU Commission dossier in the expiring EU legislature that caused as much incomprehension among civil rights activists as the so-called CSA Regulation: massive intrusions into telecommunications secrecy were on the agenda of EU Commissioner for Home Affairs Ylva Johansson from the outset. On the one hand, platform operators were to be obliged to automatically look for the content of their users. On the other hand, the encryption of chat messages on messengers was to be circumvented, and user content was to be scanned on the end device for potentially criminal depictions of child sexual abuse, known as "client-side scanning". Both were to be accompanied by reports to a central European collection point.
The outcry that followed the original plan, with its massive encroachment on fundamental rights, was loud: According to the critics, the EU Commission wanted to screen users' communications and gain access not only to content stored on servers, but even to content not yet sent by end users on their end devices. The EU Commission argued, among other things, that a large part of the planned measures are already being taken by the major providers - for example by Google or Meta, which also make content available to European authorities via the US reporting office NCMEC. In this respect, Europe is a kind of "free rider": benefiting from measures in the USA, while being better off itself in terms of the protection of fundamental rights. The reports from NCMEC constitute a large proportion of the reports that are pursued by European police authorities as investigative approaches. However, the EU Commission sometimes used unreliable figures to push through its concerns politically.
The core of the Commission's proposal was a multi-stage procedure: Either the providers do as much as possible on their own initiative, i.e. voluntarily - or they should be able to be obliged to take measures within the framework of so-called "discovery orders" using the means provided by the law.
What the Belgian EU Council Presidency is now proposing
The proposal for a compromise among the Member States that has now been put forward by the Belgian Council Presidency follows precisely this logic: Providers can take voluntary measures – such as matching against databases of known abusive depictions or AI-assisted searches of images, videos, Powerpoints, gifs or other user content in cloud backups, in folders of online storage services, "including diagrams, infographics, logos, animations, icons, gifs and stickers", according to the Council proposal. The Belgian Council Presidency wants this to be understood as protecting fundamental rights, as audio files or text messages, for example, should not be rummaged through.
To improve accuracy, the Council Presidency would like to see scanning against already known material, i.e. usually a comparison of hashes. Only content reported by users or repeated depictions of child sexual abuse in a service are to be reported to the authorities as new material. Reports to the "EU Center" should initially be made pseudonymously – until the suspicion has been confirmed after manual verification.
However, the security authorities were obviously allowed to run riot when it came to the proposed regulations for messenger services. While the draft for the meeting emphasizes the importance of encryption for society, business and authorities, this commitment comes with strong restrictions: "It is crucial that services with end-to-end encryption do not inadvertently become safe zones where depictions of child sexual abuse are shared or distributed without consequence," it says. The idea of the Belgian Council Presidency and the Council working group: only those who consent to their content being searched may share visual content or internet addresses. The proposal argues that this would not weaken encryption.
Where the European Parliament stands
The previous European Parliament had clearly positioned itself against such proposals, from left to center-right. However, three of the most vocal opponents of the Commission's proposal are no longer represented in the newly elected European Parliament: Patrick Breyer (Pirates), Cornelia Ernst (Left) and Paul Tang (PvDA, Socialist Group) left in the election on June 9. However, the EP's previous rapporteur, the Spanish conservative Javier Zarzalejos, will remain in Parliament. He had also taken an obvious stance against such plans in the Parliament's positioning, and other critics such as the liberal Moritz Körner (FDP) are also still represented in the Parliament. The EP had largely rejected the Commission's proposal and instead proposed a different approach: providers of hosting services and number-independent, interpersonal communication services - as messengers are known in legal terms - should be obliged to take measures to better protect children. However, providers who attach particular importance to privacy protection and data protection should not be penalized for this.
Sharp criticism of the Belgian proposal
Many critics are not at all convinced by the text, which is described as a compromise proposal among the Member States and which the outgoing Belgian Council Presidency wants to get over the provisional finishing line before Hungary takes over the Council Presidency for six months from the beginning of July. The Council has already made few friends with its proposals in the past.
Meredith Whittaker, President of the US foundation behind the popular messenger app Signal, speaks of a fraudulent label: "The obligation to scan private communications en masse undermines encryption. Period." Whether you call it backdoor, frontdoor or upload moderation is irrelevant. This would create gateways. Signal wants to withdraw from the EU in the event of such an obligation.
There has also been criticism from civil society: "There can be no question of voluntariness here," says Linus Neumann, spokesperson for the Chaos Computer Club, on the idea that users would either have to agree to a live comparison or would no longer be allowed to send visual media and URLs. The Internet industry association Eco also clearly criticized the plan - in addition to the false consent for content scanning and the associated circumvention of encryption, there is "still a flawed risk categorization model that particularly disadvantages services that prioritize data protection and privacy", according to the association.
Open letter from MPs calls for rejection
Earlier this week, 36 politicians wrote an open letter to the Member States calling for the Belgian proposal to be rejected. The Greens and Liberals in particular called on the Member States not to approve the proposal under any circumstances. In the letter, the Belgian Council Presidency is accused of only superficially addressing the concerns: "In fact, the proposal of the Belgian Council Presidency represents the original plans of the EU Commission from December 2021," it says, among other things. The population would be placed under general suspicion, and the EU's image as a guarantor of freedom would be irreparably damaged. Instead, the signatories demand more resources for the actual prosecution of criminal offenses.
Green MP Tobias Bacherle fears: "If the regulation is implemented in line with the Council's loud surveillance dreams, this will mean a de facto end to private and secure communication on the internet." He assumes that the newly elected European Parliament will also stick to its rejection – nevertheless, the rejection of the proposal by the Council of EU Member States is important. FDP member of parliament Maximilian Funke-Kaiser demands: "If the EU countries are serious about European civil rights, then they can only reject the compromise proposal." This is because it would mean giving up digital privacy of correspondence and open the door to misuse of the technology.
(olb)
