Crypto Wars: Episode I

The European Union has joined the fight against strong encryption, but it's more subtle than other countries.

A war against strong encryption is coming.

It’s not the first one, and it probably won’t be the last one. This time, the European Union has joined as well, and it doesn’t look pretty.

Let’s see what has happened so far, and what we might expect in the coming months.

The fight against child sexual abuse

It all begins with a noble intent. The fight against child sexual abuse online.

Last year, the European Commission set out its strategy for 2020-2025 against child sexual abuse (CSA), which aims to

“Put in place a strong legal framework for the protection of children and facilitate a coordinated approach across the many actors involved in protecting and supporting children.”

The strategy will ensure that the European Union will have the right legal framework to fight child sexual abuse, and it’s also aimed to clarify the role of online service providers.

However, to better understand what’s going on, and why this is important to the Crypto Wars, we need to take a step back and look at the bigger picture.

A snapshot of the legal framework in the EU

1) The 2011/92/EU Directive

Currently, this Directive is the main european legal framework against sexual abuse and sexual exploitation of children and child pornography. The Directive basically sets out the rules of engagement to fight and prevent child sexual abuse.

The article 15 describes how Member States should investigate and prosecute CSA perpetrators:

“Member States shall take the necessary measures to enable investigative units or services to attempt to identify the victims of the offences referred to in Articles 3 to 7, in particular by analysing child pornography material, such as photographs and audiovisual recordings transmitted or made available by means of information and communication technology”.

Since most of the CSA material today travels online, the necessary measures to enable investigative units necessarily have to take into account the role of online services providers, and above all, the electronic communication providers.

2) The European Electronic Communications Code (EECC)

The EECC is a european regulatory framework for the telecommunications sector. The Directive establishing the EECC has entered into force in december 2018 and it’s been full applicable since december 2020.

The European Union made sure that the Code would apply to modern communication services, which were excluded by previous legal frameworks. These communication services are called Number-independent interpersonal communications service (NI-ICS).

Basically, communication services that do not need a mobile number to work, such as Whatsapp, Facebook Messenger, Instagram Direct, webmails, and any other communication service that works on top of the internet.

Why do we care about the EECC? Because since the EECC applies to NI-ICS providers as well, they also fall under the scope of the ePrivacy Directive.

Some of these NI-ICS, such as Facebook, have already been using specific technologies to scan communications and detect child sexual abuse material on their services, in order to remove and report it to law enforcement authorities for criminal prosecution.

Yes, Facebook scanned all your messages for a long time. However, this would be forbidden under the ePrivacy Directive legal framework.

3) The ePrivacy Directive

The ePrivacy Directive is the cornerstone of electronic communications privacy in the European Union.

It is a bit old now (it came into force in 2002), but we still love it. It will eventually be replaced by the ePrivacy Regulation, but it will probably take a few more years for that.

Anyway, one of the most important principles of the ePrivacy Directive is that of the confidentiality of communications:

“Member States […] shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1).”

Basically, unless legally authorised, communication services providers cannot intercept, listen, or surveil private communications.

As mentioned above, with the full applicability of the EECC, NI-ICS providers such as webmail providers or instant messaging providers now fall under the ePrivacy Directive, making it illegal to voluntarily scan communications to find child sexual abuse material and report it to authorities.

The privacy stalemate

The European Union basically self-inflicted a stalemate. The ePrivacy Directive forbids the surveillance of communications unless legally authorised, and these service providers are certainly not legally authorised.

But we need not worry.

They quickly fixed the issue by proposing an interim derogation to the ePrivacy Directive, to ensure that online communications service providers can continue their voluntary practices to scan messages and detect and report child sexual abuse online. If approved, the derogation will remain into force until 2025.


The encryption dilemma

Now that all the pieces are together, we can go back to child sexual abuse and encryption and see how the pieces fit together.

On the 24th of July 2020 the EU Commission published their communication regarding the 2020-2025 strategy to fight child sexual abuse.

The communication, 7 pages long, is strongly focused on the online dimension of child sexual abuse and the role of end-to-end encryption.

It should fairly easy to understand: if end-to-end encryption spreads as the default communication protocol, it won’t be possible to scan private communications looking for CSA material.

The communication is pretty clear regarding this:

“An investigation into child sexual abuse in Germany resulted in the discovery of potentially more than 30000 suspects using group chats and messenger services to share materials, incite each other to create new materials, and exchange tips and tricks on how to groom victims and hide their actions. The use of end-to-end encryption makes identifying perpetrators more difficult, if not impossible.”

This shouldn’t come as a surprise. Technology is meant to make our lives easier, and this means that sometimes criminals can take advantage of that too.

Strong encryption ensures privacy and security to people, and that means that criminals can take advantage of that as well.

Of course, encryption isn’t the only technology exploited by criminals. What about locked doors, pen and paper, cash money, and any other technology which makes it harder to track and trace criminals? Should we ban all that as well?

However, the Commision doesn’t really seem to care:

“The use of encryption technology for criminal purposes therefore needs to be immediately addressed through possible solutions which could allow companies to detect and report child sexual abuse in end-to-end encrypted electronic communications.”

The main fault of this reasoning is that they cannot really distinguish good citizens from criminals. Communication services are the same for everyone.

It would be awesome if law abiding citizens could use strong encryption to protect their privacy and security, while criminals were only left with wire-tapped communication devices. But this is just a dream.

Once you break encryption, it stays broken for everyone. Or better yet: it stays broken for good citizens. Criminals usually don’t care about rules.

Sure, by breaking encryption and scanning every communication on mainstream services they might catch some fools, but it wouldn’t take long for organised criminal networks to reroute CSA materials to encrypted “rogue” communication services.

There are many open source protocols that grant end-to-end encryption, such as the Matrix protocol (also used by the military).

The role of communication service providers

The role of communication service providers is this holy crusade is paramount.

Facebook alone sent 16 million reports for CSA in 2019. Of course, this also means that Facebook actively scanned all private communications looking for CSA.

Private messages, pictures, videos. They scanned them all.

Those naked selfies you sent to your lover? Yep, they’ve scanned that too. And if Facebook can access your messages, trust me - anyone can.

However, Facebook is planning to implement end-to-end encryption by default in its services. This is great news for everyone, except for the Commission.

It would mean that Facebook and other NI-ICS that will follow Facebook example will not be able to access and scan messages anymore, reducing the number of total reports by a lot.

Knowing this, the EU Commission has begun an effort to “support” the industry in the fight against child sexual abuse online. They cannot outright ban strong encryption, because it is basically regarded as a fundamental right in the EU at this point, but they can find ways around it.

The effort is indeed aimed at finding technical solutions around it, which could allow companies to detect and report child sexual abuse in end-to-end encrypted communications, without creating vulnerabilities that could be exploited.

“Technical experts from academia, industry, public authorities and civil society organisations will examine possible solutions focused on the device, the server and the encryption protocol that could ensure the privacy and security of electronic communications and the protection of children from sexual abuse and sexual exploitation.”

For a number of reasons, this isn’t possible.

Governments everywhere have been trying for decades to find “safe ways” to access end-to-end encrypted communications. It never works.

Encryption is a mathematical marvel, and you cannot tamper with its algorithms without introducing serious vulnerabilities, making it useless.

I’ve read some leaked documentation from these “technical experts”, and it’s the stuff of nightmares. To pursue any of the proposed technical solutions to bypass encryption would enable a mass surveillance regime.

In the next episode of Crypto Wars I’ll show you some of these proposed technical solutions.

I’m absolutely not against persecuting criminals, and child sexual abuse is an awful crime.

However, the freedom of speech and thought of billions of people around the world is far too important. The risks are simply too high and it’s not worth it. There are other ways to persecute criminals - ways that do not subjugate good people. Ways that do not deprive us of the privacy of our communications.