250 scientists write letter against EU plans to undermine encryption


A group of 250 scientists, researchers and security experts warns against European plans to weaken encryption in apps. The group says that encryption cannot simply be weakened and criticizes politicians for not having entered into discussions with experts.

The letter has been signed by more than 250 professors, scientists, researchers and security companies. Fourteen Dutch academics, including Frederik Zuiderveen Borgesius, Herbert Bos and Jaap-Henk Hoepman, have also signed the letter, in addition to nineteen Belgian scientists from KU Leuven, among others. The letter is a response to a recent bill from the European Commission to combat child abuse material and protect children in other ways online. The plan was previously rejected by the European Parliament, but since last year there have been new plans to table a watered-down bill. This bill could force large tech companies to detect and remove child abuse material, even if it is distributed via encrypted services.

In the open letter, the scientists write that the proposal 'completely undermines communication and system security' from a technical point of view. Among other things, the scientists criticize the fact that policymakers 'have not entered into a dialogue with academic experts'. Instead, they say, the proposal creates “unprecedented opportunities for surveillance and control of internet users.” The scientists also wrote a letter with warnings and recommendations at the time.

One of the most important changes in the new proposal, compared to the old one, is that it allows investigative services to search for perpetrators in a more targeted manner. For example, the intention is that investigative services only look at 'users of interest'. These are users who have been caught watching child abuse material multiple times. “This proposal does not solve the problems we raised at the time,” the letter writers said.

This is partly due to 'the poor performance of automated detection technologies' in finding such material. That means there may be false positive results, which are unlikely to be “significantly reduced until the number of repeats is so high that detection ceases to be effective.” The scientists point out that billions of messages are sent every day via WhatsApp or Facebook Messenger, for example, and that the number of false positives can therefore run into the millions.

The scientists also state that image recognition in an encrypted community “by definition undermines encryption security.” The new bill states that companies must continue to protect cybersecurity and encrypted data through end-to-end encryption that is also within the scope of criminal investigation orders. The scientists call that an oxymoron. “The protection of end-to-end encryption means that no one but the recipient can read such communications. Adding detection technology, both for encrypted data and before it is encrypted, violates the definition of confidentiality that end-to-end encryption promises.”

There are several other points in the bill that the scientists have difficulty with. For example, there is an obligation to carry out age verification of young people. The scientists point out that there is currently 'no good, proven technical solution' for this that also protects the privacy of users.