Noise to Signal Radio #1 | Chat Control: What’s at stake for privacy in Europe

Brief Summary

This YouTube video, titled "Chat Control is Back (Again)," discusses the EU's proposed chat control legislation, also known as client-side scanning, which would require chat applications to scan all private messages for illegal content, even when they are end-to-end encrypted. The discussion covers the basics of chat control, its potential impact, and ways to stop it. The video features experts Bart Preneel and Alex Linton, who provide insights into the technical and political aspects of the proposal.

  • Chat control is a regulation proposed by the European Commission that would require chat applications to scan all private messages for illegal content, even when they are end-to-end encrypted.
  • The proposal has been met with widespread criticism due to its potential impact on individual privacy and security.
  • There are several ways to stop chat control, including contacting politicians, supporting privacy-focused organizations, and using privacy-enhancing technologies.

Introduction

The video introduces "Noise to Signal Radio," a new series focusing on privacy, freedom, and human rights. The first episode addresses the re-emergence of chat control legislation in the EU, which requires chat applications to scan private messages, even those with end-to-end encryption, for illegal content. The discussion aims to explain chat control, its history, impact, and ways to combat it, emphasizing its significance for both EU residents and the global community. Guests Bart Preneel and Alex Linton are introduced as experts who will contribute to the conversation.

What is Chat Control?

Bart explains that "chat control" refers to a regulation proposed by the European Commission in May 2022, designed to grant access to communications, including those with end-to-end encryption. This initiative is part of a broader conflict, as governments have historically sought access to encrypted communications with a warrant, expressing concerns that increased encryption hinders law enforcement and intelligence services. The debates intensified after the Snowden documents revealed large-scale eavesdropping, leading to increased encryption usage. Bart notes that the EU's e-privacy directive generally protects the privacy of communications, but law enforcement desires the ability to tap conversations, similar to traditional phone calls.

History of Chat Control

Bart continues by explaining that there have been attempts to create a new e-privacy regulation to accommodate law enforcement needs; unlike directives, regulations are immediately enforceable in all member states. The European Parliament voted a derogation that allows access to communications for detecting child sexual abuse material (CSAM): service providers scan messages containing pictures against databases of known CSAM. This derogation applies only to non-end-to-end encrypted communications and is valid until April 2026. In May 2022, the European Commission proposed the "chat control proposal," officially named the CSAR (Child Sexual Abuse Regulation), mandating service providers to detect and report the distribution of CSAM, including both known and AI-generated content, as well as grooming conversations.

European Parliament's Response

The proposal went to the European Parliament, which had intense debates and commissioned a new impact assessment. The Parliament agreed on a much weaker version of the regulation, removing the requirement to comply with detection orders in cases of end-to-end encryption and new content detection. This decision was influenced by an open letter from scientists complaining about the original proposal. The initial provision by the commission included detection orders, necessitating client-side scanning, where applications compare sent pictures or videos to a database of illegal content before sending, reporting users to law enforcement if a match is found.

Council Discussions and Future Prospects

The next step involves member states working together in the Council, with rotating presidencies attempting to find consensus on a new version. Since the Parliament's negative vote, numerous proposals have been leaked, prompting academics to write open letters and engage with representatives to highlight the issues. There is pressure from ministries of interior affairs, Europol, and DG Home to reach a consensus and enter the trilogue. Discussions in the Council are not public, with leaked documents providing the only insight. The Danish presidency proposed a new version in July, leading to a new open letter and an informal vote on September 12. Germany, Belgium, the Netherlands, Luxembourg, Poland, Slovakia, Austria, and Finland voted against it, blocking the proposal for now. Denmark will attempt to weaken the text to change the no votes into yes votes, with the next big vote scheduled for October 14.

Likelihood of Passage and UK Example

Bart expresses concern that member states may agree on some form of scanning, potentially removing the detection of new CSAM with AI as a negotiation strategy. Alex adds that even if an agreement is reached, the story doesn't end, citing the UK's Online Safety Act as an example where naive tech policy led to disastrous practicalities and public backlash. In the UK, age verification requirements have caused widespread calls to roll back the regulation, with people easily circumventing it using VPNs. Alex emphasizes the need for holistic and thoughtful tech policy that heeds the warnings of academics and experts.

Circumvention and Technical Challenges

Bart discusses potential circumvention methods, such as super encryption, but notes the risk of VPNs and similar technologies being made illegal. He also raises concerns that service providers may stop offering services or remove end-to-end encryption. One of the main objections is that the proposal will not work, as reliably detecting images with the current state-of-the-art is impossible. The database of known images is rapidly growing, making it infeasible to store on every device. While hashing images is a potential solution, changing even one pixel can alter the hash value. Perceptual hash functions, which are insensitive to such changes, have been researched for 20 years but are not foolproof.

Technical Issues and False Positives

Bart continues by saying that most perceptual hash functions are secret, leading to security by obscurity. However, leaked functions have shown that images can be modified to evade detection. A more serious problem is the potential for false positives, where innocent images have the same hash as CSAM. Research indicates that depending on the threshold, between 5 million and 300 million Europeans could be falsely reported per year. This shows that the technology is not feasible, and as soon as such a function is implemented, it will be easily hacked. The state-of-the-art is not there, and it is unlikely to be in the next five to ten years.
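The two hashing passages above (exact hashes break on a one-pixel change; perceptual hashes tolerate it but can flag innocent images) can be seen in a small added example, which is not from the video or from any deployed scanning system. It uses a toy "average hash" as a stand-in for a perceptual hash; the images, the function names and the match threshold are all constructed for illustration.

```python
import hashlib

def sha256_of(pixels):
    """Exact-match fingerprint: SHA-256 over the raw grayscale bytes."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()

def average_hash(pixels, size=8):
    """Toy perceptual hash: average down to size x size cells, one bit per
    cell saying whether the cell is brighter than the overall mean."""
    bh, bw = len(pixels) // size, len(pixels[0]) // size
    cells = []
    for by in range(size):
        for bx in range(size):
            block = [pixels[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | int(c > mean)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def is_match(a, b, threshold=4):
    """Match if at most `threshold` bits differ (threshold is an assumption)."""
    return hamming(a, b) <= threshold

# Constructed 32x32 grayscale samples (not real data).
GRADIENT = [[(x * 255) // 31 for x in range(32)] for _ in range(32)]
ONE_PIXEL = [row[:] for row in GRADIENT]
ONE_PIXEL[5][5] ^= 1  # one pixel changed by one gray level
STEP = [[0 if x < 16 else 200 for x in range(32)] for _ in range(32)]  # a different picture
ROTATED = [[(y * 255) // 31] * 32 for y in range(32)]  # gradient turned 90 degrees

def demo():
    ref = average_hash(GRADIENT)
    return {
        "sha256_same_after_one_pixel": sha256_of(GRADIENT) == sha256_of(ONE_PIXEL),
        "ahash_bits_changed_by_one_pixel": hamming(ref, average_hash(ONE_PIXEL)),
        "different_image_reported_as_match": is_match(ref, average_hash(STEP)),
        "rotated_distance": hamming(ref, average_hash(ROTATED)),
    }

if __name__ == "__main__":
    print(demo())
```

The SHA-256 digest changes after the one-pixel edit while the toy perceptual hash does not, and the visibly different STEP image produces the same 64-bit hash as the gradient, which is the false-positive case. Raising the threshold widens the set of unrelated images that are reported.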

Text-Based Detection and Session's Stance

The discussion shifts to the challenges of text-based detection, highlighting the potential for false positives due to context-dependent issues. Alex states that Session would never undermine its encryption or user privacy. Due to Session's decentralized design, server-side scanning is impossible, and the open-source nature of the code makes implementing opaque scanning technologies very challenging. Even if client-side scanning were implemented, it would be trivial to distribute a version of the client without it. Alex concludes that it would likely not be possible for Session to comply with the regulation.

Privacy Concerns and Potential for Abuse

Bart adds that even if illegal content could be reliably detected, building such a tool into every phone could lead to abuse by authoritarian regimes, who could add content critical of the government to the database. Europol has expressed interest in extending the usage of this technology to detect organized crime and terrorism, but the most dangerous use is for political purposes. Bart emphasizes that such a system should never exist, as it is very hard to guarantee it will not be used to detect other content.

National Security and Backdoor Concerns

Alex points out that creating a hole in end-to-end encrypted communication poses a huge issue for national security, as sophisticated state actors will exploit those weaknesses. Bart notes that the Danish proposal now includes exceptions for national security conversations, highlighting the inherent contradiction. The discussion then moves to whether privacy and security can coexist with a backdoor, with Alex stating that it is a complete fantasy. The use of softened language like "chat control" and "online safety" is a tactic to make the undermining of privacy more palatable.

Backdoor Incidents and Juniper Case

Bart explains that the question is who has access to the backdoor, noting that there are nearly 200 nations and territories with numerous police services. He highlights several incidents where backdoors were compromised, such as the Salt Typhoon case, where a Chinese threat actor gained access to phone systems, and the Juniper incident, where the NSA produced a backdoored random number generator. In the Juniper case, the backdoor was taken over by someone else and then restored by Juniper, demonstrating the risks of backdoors.

Apple vs. FBI and Nuance Debate

Bart brings up the Apple versus FBI incident, where confiscated phones were difficult to access, suggesting that vendors could potentially help police access specific phones. However, this also means that citizens crossing borders risk having their phones confiscated and accessed. He emphasizes that it is important to carefully dissect the specific case and need, noting that client-side scanning can lead to massive surveillance.

Language Games and Semantic Arguments

The discussion turns to the language used to promote such legislation, with Alex noting the use of sterile and harmless-sounding terms. He emphasizes the importance of speaking in simple and plain terms, cutting through the nonsense and stating clearly that such proposals undermine encryption. Bart adds that the term "chat control" itself is effective in capturing people's attention. He notes that even the regulation that breaks end-to-end encryption includes a page claiming that it does not, highlighting the sophisticated war of words.

Online Safety and Think of the Children

Alex points out the semantic battle lines being drawn around "online safety," with increased surveillance and verification being presented as safety measures, despite research showing that encryption and privacy protections are important for online safety. The conversation touches on the "think of the children" aspect, where appeals to emotion are used to promote policies. Alex suggests that the way to debunk this is to educate ourselves and others that these proposals will not make children more safe.

CSAM Detection and Service Provider Responsibility

Bart notes that CSAM detection is often too late, as the abuse has already happened. He suggests putting more pressure on service providers to respond faster to reports of CSAM or abuse. He also points out that teenagers develop by sexting, and such legislation could lead to them being reported to the police. Alex adds that there is a rise of authoritarian thinking, with money being funneled towards tech solutionism vendors instead of frontline services.

EU's Two Faces and Shift to the Right

The discussion shifts to the EU's two faces when it comes to privacy, with GDPR on one hand and chat control on the other. Bart expresses concern about a shift to the right, noting that a working group called "Going Dark" was formed to address the police's perceived lack of access to data. He also mentions a European Commission communication called "ProtectEU," which aims to give law enforcement more access to data. Bart is concerned that the CSAM case is just the first step, and if the regulation is accepted, it will go much further.

Solutions and Alternative Approaches

Alex challenges the premise of chat control, arguing that law enforcement already has access to a huge amount of data. He suggests that the issue is being scapegoated onto technology, when it is actually a societal and institutional problem. Bart suggests focusing on social services and structures to prevent abuse, and holding service providers responsible for taking action when abuse is reported. He also suggests that Europol should focus on infiltration rather than mass surveillance.

Actions for European Citizens

Bart advises European citizens to write to their politicians, get involved with NGOs, and talk to people about the issue. He suggests reaching out to ministers of interior or justice, as well as national MEPs. Resources such as a summary by Patrick Breyer and the website fightcontrol.eu are shared in the chat.

Cryptographic Methods and Privacy Washing

In response to an audience question, Bart explains that while techniques like private set intersection (PSI) exist, the main challenge is the hashing part. He warns that even if a solution could be built, it could be abused by dictators. He cautions against "privacy washing," where clever cryptography is used to advocate for systems that should never be built.

Session's Support for Perfect Forward Secrecy

In response to another question, Alex states that Session does not currently support perfect forward secrecy (PFS) due to the way the decentralized network works. While PFS was unreliable when implemented, the team is monitoring whether it could be reimplemented in the future.

Positive Privacy News and Final Thoughts

When asked about positive privacy news, Alex suggests that there is still a community of people who believe in privacy as an essential human right and are building technology to protect it. Bart adds that the fact that chat control proposals exist is a sign that privacy efforts are having an impact. He notes the increasing traction of tools like Tor and Nym, and expresses hope that society will eventually reject surveillance capitalism and build open, secure systems.
