EU ‘Chat Control’ Laws Are Unenforceable, Ineffective and Dangerous

  • EU ‘Chat Control’ law makes encryption useless.
  • The motives of legislators are exemplary, yet wrong.

As part of its six-month tenure at the head of the Council of the European Union, Hungary has reiterated its support for the introduction of so-called ‘Chat Control’ into European law. The law, officially known as the Regulation laying down rules on preventing and combating child sexual abuse, is intended to ensure that messaging technology providers operating in the EU take measures to flag CSAM (child sexual abuse material).

The rolling governance of the Council of the European Union (more informally known as the Council of Ministers) allows for a degree of policy leadership by each EU member in turn, with each term lasting six months. Hungary is using its term to revive progress on ‘Chat Control’ legislation, a full vote on which was postponed in June this year. The legislation is thought to be backed by 19 of the EU’s 27 countries.

A series of amendments to the existing proposed legislation were leaked (PDF) to POLITICO, a news organization owned by German media group Axel Springer SE. In them, EU lawmakers detail how the recently (and only slightly) revised law would work, but gaping holes in the proposals remain. They make the measures unwieldy to implement, show that the law will not achieve its intended purpose, and create an unsafe environment for private data exchanges in Europe.

Practical aspects of chat control

The “Chat Control” legislation would require companies that offer messaging apps and providers of secure email services to decrypt messages and examine them for signs of CSAM. In layman’s terms, any company with an end-to-end encrypted messaging facility would have to install a “backdoor” into its users’ private conversations.

The problem with backdoors is that they break the basic principles of encryption, rendering it useless to all users. Encryption is supposed to be unbreakable – if it’s breakable, it’s not encryption; it’s obfuscation at best, and obfuscation is a different beast altogether.

The proposed laws place responsibility for implementing this feature on the individual provider, a detail that “enables innovation and ensures proportionality and technological neutrality.” Messaging service providers “should be given a degree of flexibility to design and implement measures tailored to the identified risk and the characteristics of the services they provide.”

The wording means that regardless of the encryption method, the provider must break its own technology. Encryption that cannot be broken on demand could not be deployed in the EU, so not only is technological innovation discouraged, it would also be illegal to build such encryption into a platform without rendering it meaningless.

Pros and cons of the EU chat control law

The content of the ‘Chat Control’ legislation is promising and well thought out in parts. It states: ‘The measures taken must be targeted, carefully balanced and proportionate, so as to avoid unnecessary negative impacts on those who use the services for legitimate purposes.’

Unfortunately, the biggest negative consequence of introducing a backdoor is that the encryption becomes unreliable for every user, including those with legitimate purposes. If there is a way to decrypt traffic to check for CSAM, then all data is effectively decryptable and therefore at great risk: open to exploitation by malicious actors, nation states, malicious homeland security services, and, eventually, anyone able to download and execute publicly available software.

The ‘Chat Control’ legislation also reveals weaknesses that were probably introduced as concessions to opposing EU member states or lobbyists. For example, communications used for ‘national security purposes’ are exempt from investigation, as are ‘interpersonal communication services that are not available to the general public and the use of which (…) is restricted to persons involved in the activities of a particular company, organisation, body or authority.’

These terms define ‘organisation’ so broadly that any group of more than one individual citizen could qualify. For example, two people engaged in illegal activities could set up their own encrypted network and, since the network is not open to others, they could be immune from surveillance.

There are two common tropes surrounding government involvement in anything technological. The first is the profound lack of understanding of the subject matter in question. This explains the expectation that encryption systems can somehow be partially dismantled on demand without destroying the edifice that creates the encryption.

Secondly, when a measure that breaches data privacy is proposed, it is often done under the guise of child protection. While the goals of those determined to put an end to CSAM’s online presence are undoubtedly laudable, it is unfortunately impossible to impose an emotionally derived edict on the immutable laws of mathematics (encryption) and expect effective results.

As Chief Engineer “Scotty” famously said in the original Star Trek TV series, “You can’t change the laws of physics!” Legislators at all levels of government need to pay attention to this.
