EU plans for chat control: farewell to civil rights

The red-yellow-green coalition is currently arguing about a planned EU law that would undermine civil rights like hardly any regulation in the IT sector before. It is about the “Ordinance for the Prevention and Combating of Sexual Abuse of Children” (Child-Sexual-Abuse-Ordinance, CSA-VO).

On the one hand there are the hardliners from the Federal Ministry of the Interior, led by Minister Nancy Faeser (SPD). On the other hand, the civil rights faction in the FDP is up in arms. And in between is Federal Digital Minister Volker Wissing (FDP), who, as with the combustion engine off, could be preparing to drive the EU Commission into the parade.

In May 2022, the EU Commission proposed the controversial CSA regulation, which civil rights activists led by Patrick Breyer (Pirate Party), aptly dubbed “chat control”. According to the draft, national authorities should be allowed to force Internet services to screen the content of their users. This includes text as well as images and videos. The stated goal is to track down depictions of sexual violence against children and the search for contacts with children (grooming) by pedophiles.

All digital communication by EU citizens would be targeted by criminal investigators regardless of suspicion, both e-mail and messenger chats as well as files in cloud storage. If there is an order from the yet to be named national authority, according to the draft, a provider should in future, for example, check user images for criminal hits using existing hash databases. But not only that: AI-supported systems should proactively find depictions of naked children and grooming attempts in text messages.

Doubts about scanning technology

The bill even explicitly includes end-to-end encrypted messages. However, the Commission left open how providers should scan encrypted communication. According to the draft justification, it relies on “the latest technology” that “impairs the user’s right to privacy as little as possible”.

In practice, however, there would be no choice but to either break end-to-end encryption or use so-called client-side scanning – i.e. to examine the content on the end device before it is encrypted and sent. Both variants force the providers to intervene fundamentally in the fundamental right to private communication of their users.

Both the member states and the EU Parliament are currently struggling for their positions on the Commission’s proposal. In Parliament, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) is responsible for the project. On April 19th, its rapporteur Javier Zarzalejos (EPP) presented a first draft resolution. Accordingly, although he does not want to weaken encryption, he does not explicitly rule out client-side scanning. In principle, the draft hardly raises any relevant objections to the draft regulation.

Rapporteur Zarzalejos apparently ignored the findings of the European Parliament’s Research Service. Just a week earlier, he had published a study in which he attested to several inadmissible encroachments on civil rights in the Commission’s proposal. The service confirmed that more perpetrators could be convicted. However, he expressed doubts that the scanning technology was so mature that thousands of innocent people would not be falsely suspected.

Many parliamentarians were disappointed with the first serve of the LIBE rapporteur. The FDP MP Moritz Körner, for example, recognized “changes of a primarily cosmetic nature” and announced to the portal netzpolitik.org: “The FDP in the European Parliament will vote against the line of the rapporteur.” Until then, there is still plenty of time for changes, because the LIBE committee does not intend to present its position to Parliament until September, which is then due to vote on it in October.

No but …

Once the EU Parliament has decided on its position on the CSA Regulation, the so-called trilogue negotiations begin with the Commission and the Council of Ministers, which in turn includes and introduces the position of all governments of the member states. But even here no line can be seen so far. Countries like France and the Netherlands have so far not wanted to commit themselves. Austria is the only EU country to have announced that it intends to vote against the draft regulation in the Council.

If four states, which together represent more than 35 percent of the population in the EU, vote against a decision in the Council, it is overturned. Abstentions count as dissenting votes. Germany, with its 83 million inhabitants, is of considerable importance in such council votes.

After a look at the contract of the traffic light coalition, it seems clear that the federal government must vote against the proposed regulation. Literally it says: “We reject general monitoring obligations, measures to scan private communication and an identification obligation.” But Federal Minister of the Interior Nancy Faeser repeatedly stated last year that she did not want to abide by this when the Council of Ministers voted on the CSA regulation. Although she partially gave in in February and spoke out against client-side scanning and the scrounging of encrypted chats, she still believes that communication control in general is necessary.

In doing so, she opposes the analyzes of almost all experts and the Federal Council. In September 2022, he already expressed “serious fundamental rights concerns” about the draft CSA regulation. At the beginning of March, a hearing in the Digital Committee of the Bundestag confirmed this view. The nine invited experts all sharply criticized the draft.

Surprising: Even the head of the central and contact point for cybercrime North Rhine-Westphalia, senior public prosecutor Markus Hartmann, pointed out that such a far-reaching intervention as provided for in the regulation is not necessary. Rather, the law enforcement authorities, which are currently inadequately set up, should be strengthened.

Finally, on April 17, the federal government sent its agreed position on the draft regulation to the EU Council. The portal netzpolitik.org got hold of the document and published it immediately. Accordingly, the government calls for the “exclusion of measures that lead to the scanning of private encrypted communication”. In addition, procedures should be ruled out that “are used as so-called client-side scanning on the end device of the user to uncover child sexual abuse on the Internet and grooming”. This position roughly corresponds to Faeser’s new line, according to which the unprovoked scanning of unencrypted data continues to be welcomed. In the official government line, it has largely prevailed against the liberal stance of the FDP.

FDP minister against general duty to scan

However, Digital Minister Volker Wissing continues to reject the scanning of unencrypted content: “The federal government has sent a clear signal at European level that Germany will not approve the proposed regulation unless fundamental changes are made. That applies to me with regard to the scanning of private communication even if it is unencrypted,” he said at the request of c’t through a spokesman.

For him, the protection of privacy and private communication is “a basic requirement for the functioning of our democracy, trust in the state and its institutions”. But the government is apparently giving up this protection with its position because it does not fundamentally reject the planned chat control. Although the Federal Ministry of the Interior conducts the negotiations in the Council, Wissing could still demand that the Federal Government abstain.

The exciting question is whether the digital minister wants to start a big row. In any case, the EU Commission will probably still painfully remember how Wissing, as Federal Minister of Transport, forced last-minute changes to the law in the e-fuels debate.

(hob)