With its legislative proposal known as “Chat Control,” the EU Commission is trying to establish an unprecedented mass-surveillance apparatus of Orwellian proportions in the European Union. If EU citizens don’t stand up for privacy now, it may be too late.
This Wednesday, June 19, 2024, the EU Council could be voting on the controversial Chat Control bill. Should it pass, the consequences would be devastating: Under the pretext of child protection, EU citizens would no longer be able to communicate in a safe and private manner on the Internet. The European market’s location advantage would suffer a massive hit due to a substantial decrease in data security. And EU professionals like lawyers, journalists, and physicians could no longer uphold their duty to confidentiality online. All while children wouldn’t be better protected in the least bit. On the contrary, Chat Control could have a negative impact on minors in particular.
It doesn’t matter how the EU Commission is trying to sell it – as “client-side scanning,” “upload moderation,” or “AI detection” –, Chat Control is still mass surveillance. And regardless of its technical implementation, mass surveillance is always an incredibly bad idea, for a whole plethora of reasons. Here are just three:
One distinguishing factor between totalitarian states and democracies is that only in the former can the government invade citizens’ privacy for no apparent reason. Modern democracies recognize privacy as a basic human right. The EU itself acknowledges it in the Charter of Fundamental Rights (article 7):
Everyone has the right to respect for his or her private and family life, home and communications.
Imagine, for example, the police could randomly enter your home without having any reason to believe you’re involved in illegal activities, simply to snoop around and see whether they can find something suspicious by sheer chance.
In a healthy democracy, it should be the citizens who oversee the government – mass surveillance is the inversion of this democratic principle. With a measure like Chat Control, the EU would violate one of its own basic rights and put its citizens under general suspicion, thereby profoundly disrupting the trust between citizens and the government.
Mass surveillance of standard communication channels like instant messengers only affects law-abiding citizens. Given their involvement in illegal activities, criminals will go to any length to avoid surveillance. After all, why would any criminal continue to use a communication channel that’s known to be under government surveillance?
However, flying under Chat Control’s radar wouldn’t even require resorting to some other, obscure means of communication that can’t be (or isn’t yet) surveilled. Criminals could, for example, simply manually encrypt illegal content before sharing it.
Ordinary, unsuspecting Internet users, for whom it wouldn’t be practical to handle day-to-day communication with friends and family members in this manner, would therefore be the only ones really affected by mass surveillance. And besides inevitable false positives (think family photos of a beach vacation), minors (i.e., the ones who should be protected) engaging in consensual “sexting” would probably amount for the vast majority of CSAM reports.
It’s not just citizens’ privacy that would suffer from the proposed mass surveillance. Because Chat Control essentially requires communication services to install a backdoor, it’s also citizens’ security that would take a massive hit.
The reason secure communication services like Threema employ end-to-end encryption is to make sure no one except the intended recipient is able to read a message, not even the service provider. Introducing a backdoor into such a system is like adding a weak link to a strong chain lock. Sure, the government can now open the lock without a key, but so can any burglar.
The negative impact a backdoor has on security can hardly be overstated. It’s not just the first place anyone would try to penetrate a system that’s otherwise secure, it’s like an API for hackers. And EU interior ministers seem to be well aware of this: why else would they themselves want to be exempt from Chat Control’s surveillance?
Of course, sharing CSAM is an absolutely intolerable, horrific crime that has to be punished. Before CSAM can be shared online, however, a child must have suffered abuse in real life, which is what effective child protection should be trying to prevent (and what Chat Control does not focus on). For this and many other reasons, child protection organizations such as Germany’s Federal Child Protection Association are against Chat Control, arguing that it’s “neither proportionate nor effective.”
Besides, there’s no way of really knowing whether Chat Control would actually be (or remain) limited to CSAM. Once the mass-surveillance apparatus is installed, it could easily be extended to detect content other than CSAM without anyone noticing it. From a service provider’s point of view, the detection mechanism, which is created and maintained by third parties, essentially behaves like a black box.
What can you do?
Since the matter may be decided this Wednesday, June 19, 2024, time is a critical factor. If you’re a EU citizen, please consider contacting your government’s representative today, asking them to vote against Chat Control.
It may also help to take to the digital streets, spread the word online, and raise awareness for the EU’s dubious plan to establish an unprecedented mass-surveillance apparatus that would essentially nullify the right to data privacy and set a highly dangerous precedent in doing so.
What would Chat Control mean for Threema users in the EU?
While Threema would be subject to Chat Control, the business solution Threema Work would be out of scope according to our current knowledge. It’s still not entirely clear how Chat Control would have to be implemented by service providers, and it’s questionable whether such a blatant violation of the right to privacy would hold up in European courts.
What is crystal clear, however, is that there will never be a Threema version that’s spying on its users in any way, shape, or form. The reason Threema was created is to provide a highly secure, completely private, and anonymous means of communication. Once it’s no longer possible to offer such a service in the European Union, we will be forced to take consequences.
We will carefully consider all options (including legal actions, technical workarounds, etc.) first, and if we come to the conclusion that there’s no other way, we’ll call on fellow communication services to join us in leaving the EU.