Old wine in new bottles: Denmark strong-arms the EU on Chat Control

Despite the criticism of privacy advocates (and European Parliament members), this week, at the meeting of the European Council’s Coreper II (composed of the EU member states' permanent representatives and chaired by the Danish representative), an agreement was reached on Chat Control.

The Danish Presidency likely wants to soften the debate surrounding the proposal and frame the proposal as a compromise that no side is fully happy about. Yet, the proposal essentially still holds many elements that privacy advocates are worried about: from obligations that de facto push online service providers to scan private messaging, to harsh age restrictions for children, to digital ID’ing of every user.

Aside from the cosmetic change from mandatory to voluntary scanning of messages, the text still contains obligations for online service providers to, first, assess the risk that their services could be misused and, second, after the assessment, to implement the measures to counter that risk. Unsurprisingly, logic dictates that this will all lead to the mass scanning of encrypted messages.

Why is chat control dangerous?

A common argument that is present in any country with overreaching policies is that “if you don’t have anything to hide, you shouldn’t be worried.” In the same manner – if you’re a good citizen and you’re not doing anything wrong online, the proposal shouldn’t concern you. This is not the case with chat control.

First of all, if policymakers in Europe are unhappy with how online service providers are mitigating risks now, what makes them think the algorithms and risk mitigation will be efficient in the future? As Patrick Breyer correctly notes: “algorithms are notoriously unreliable. The German Federal Police (BKA) has warned that 50% of all reports generated under the current voluntary scheme are criminally irrelevant.” A possible scenario in the future is that online service providers will be flooded with irrelevant/wrongly assessed information and, in turn, flood the law enforcement agencies with it. In the meantime, truly bad actors will adapt (they always do), and their actions will get lost in the mass of reports.

Second, the text of chat control states that the regulation “should not prohibit, make impossible, weaken, circumvent or otherwise undermine cybersecurity measures, in particular encryption, including end-to-end encryption.” How that is possible when online service providers are flooded with many obligations that, technically, will lead to scanning all messages remains a mystery.

Digital ID’ing risks: the end of whistleblowing

Moreover, as Patrick Breyer correctly identifies in his latest article, the obligations to “reliably identify minors” will result in digital ID’ing of every user of online services – minor or not.

While everyone is aware that the European policymakers are tired of fake accounts and bad actors influencing their respective societies, and no verification system is ideal yet, this will certainly have unintended consequences.

First, whistleblowers and journalists will have their work impacted. Until now, anonymous whistleblowing was possible and was a huge part of European media work. A person who wants to share information about their respective country, company, or institution will have to think twice when sharing important information with the media in the future.

Second, what happens if even the digital identity is stolen or a person is tricked into somehow sharing their identity with bad actors that, in turn, use it as a disguise for various online crimes? Let’s look at the physical example in the world: in Europe, there is a black market for stolen vehicle numbers and cars that criminals use to commit crimes. Speaking in simple terms, if one’s modest car is stolen, it’s likely to be used to commit crimes, thus concealing the criminals’ true identity. Wouldn’t it be technically possible to do the same with digital identity through various forms of scams? 

Country positions that are particularly upsetting

Euronews wrote that only the Czech Republic, Poland, and the Netherlands voted against the text, while Italy abstained.

What happened with Austria, Estonia, Finland, Germany, Luxembourg, and Slovenia? What changes were proposed for these countries to change their minds? We’d love to hear more, especially given that many of these countries are digitally advanced.

We need the European Parliament to show spine 

Now that the trilogue negotiations between the Council, the EU Commission, and the European Parliament begins, we can only hope the European Parliament is able to show spine.

Previously, MEPs like Finnish Aura Salla (EPP), Moritz Körner (Renew), VOLT party members of the Green-EFA group, and many other representatives of the European People’s Party and European Conservatives and Reformists have spoken against Chat Control. The criticism of Chat Control is now a big tent – with many different political streams identifying the same problem, therefore it cannot and should not be framed as “right wing” or “left wing” issue. 

Now it’s very important for privacy advocates to keep informing the MEPs they trust about the “old wine in new bottles” and how the proposal can snowball into a big privacy, media, and security problem for Europeans in the future.