Big news on the privacy front: An EU bill that would threaten online privacy in the name of child protection is unlikely to pass in its proposed form.
Back in May last year, the European Commission proposed what security maven Matthew Green described as “the most terrifying thing I’ve ever seen”—a law that would force everyone from Facebook to Signal to scan everyone's messages not only for known child sexual abuse material (CSAM), but also for previously-unknown CSAM images, and also signs of someone apparently “grooming” a child for abuse. Other potentially privacy-threatening things were in there, like widespread mandatory age verification.
The implications for encrypted messaging providers and the privacy of their users were dire. And, given the fact that privacy is a fundamental right in the EU, with untargeted mass surveillance being banned, the proposed law seemed to be downright illegal.
Now, in the EU, the Commission’s proposals typically spend a couple years in the legislative process, first being scrutinized by the European Parliament (which unlike the Commission is directly elected) and then being thrashed out in secretive “trilogue” negotiations between Commission, Parliament and the Council of the EU, which represents national governments.
Yesterday, the European Parliament’s civil liberties committee grilled Commissioner Ylva Johansson on reports that her proposal resulted from improper lobbying by American and British pressure groups. And today, the committee announced its very negative verdict on the Commission’s proposal, which has been dubbed “Chat Control” by digital rights campaigners.
It all needs to be formally confirmed in a Nov. 13 civil liberties committee vote but, as there is broad cross-party consensus, we now know the Parliament will propose a version of the law that removes all the stuff about bulk-scanning entire services, mandatory age verification, and excluding under-16s from common social apps. Any surveillance would have to be targeted and involve a warrant.
At the same time, Parliament’s proposal adds several child-protecting measures that were missing from the original. Kids’ profiles would be non-public by default, and they would have to give permission before someone can send them contact details or pictures. Authorities would do proactive scanning on publicly accessible internet content, which would also allow the scanning of the darknet. Providers would have to remove obviously illegal material once notified.
“The winners are the children,” said Patrick Breyer, a German Pirate Party parliamentarian who is one of Europe’s toughest privacy advocates, at a press conference today. “They deserve an effective response and a rights-respecting response that will uphold in court.” (Breyer subsequently posted details of Parliament’s position.)
Also from the press conference, here’s Javier Zarzalejos, a Spanish conservative: “Mass surveillance…isn’t just a red line for us, it’s a red line in the law for the European Union.” And from the other side, the German leftist Cornelia Ernst: “This is a slap in the face of the Commission, what we’ve tabled. The Commission wasn’t focusing on protecting children but wanted mass surveillance.”
Ernst went on to predict “a very, very hard fight with Council in trilogue.” This certainly isn’t over, but, with Parliament putting on a united front, it’s hard to see how advocates of bulk online surveillance can prevail here.
More news below. Oh, and do read TechCrunch’s Natasha Lomas on Johansson’s grilling yesterday. The commissioner had to admit that her team is being investigated for potentially breaking the Commission’s new Digital Services Act by running a microtargeted political ad campaign on X, in an attempt to drum up support for her CSAM proposal. Lomas: “If EU officials have used X’s ad-targeting tools to break the bloc’s own digital rulebook, it’s the very definition of an awkward situation.”
(P.S. The U.K.'s Online Safety Bill, which also threatens encryption, just became law.)
Want to send thoughts or suggestions to Data Sheet? Drop a line here.
David Meyer
