On 11 May, the European Commission published its proposal for a regulation to combat child sexual abuse material (CSAM). The Commission managed to squeeze a host of controversial digital rights issues into one package: the blocking of websites, the obligatory monitoring of online content, and, the most novel one, a measure which opens the door to undermining encryption. Because encryption technologies protect communications confidentiality, one crucial question in the upcoming policy debate will be whether this latter measure, or its implementation, is compatible with the rights of privacy and data protection under the EU Charter of Fundamental Rights (the Charter). In this contribution, I explore one aspect of that question: is it possible to argue that this measure does not respect the essence of these rights? On the basis of a preliminary analysis, I conclude that this is certainly defensible and suggest further routes for exploration.
The proposal obliges chat providers to detect illegal material and illegal behaviour
But first – what is the measure exactly? The entire Commission proposal is extensive, with 89 Articles, spanning over 130 pages. But the measure in question can be summarised in one sentence: under the proposal, a national authority would be granted the power to request an independent body (such as a court) to issue a “detection order” against a provider of “interpersonal communications services” to take measures to detect “online sexual child abuse”, which includes both distribution of CSAM and soliciting of children (Art. 2(p).) To give effect to the order, providers must install and operate technologies which perform such detection, and must report matches to a designated authority. These “interpersonal communications services” are services which enable online, “direct interpersonal and interactive exchange of information” (see Art. 2(b) proposal jo. Art. 2(5) Electronic Communications Code). Importantly, this includes popular chat services in the EU, such as WhatsApp, iMessenger, Telegram and Signal, all of which are end-to-end encrypted (something I’ll get to later).
The proposal affects confidentiality of communications
Still, the proposal merely creates the possibility of issuing a detection order – it does not constitute a a detection order itself. Thus, an assessment of the compatibility with the Charter necessarily involves mapping the possible kinds of detection orders which can be issued. To get a sense of these potential kinds of orders, it’s useful to discuss how we got here, because European institutions and technology companies have been laying the groundwork for this for quite some time already.
This proposal is the second part of a two-step approach announced by the Commission in 2020. At that time, the Commission said that it would first adopt legislation under which providers could voluntarily scan communications for CSAM. Providers would then later be obliged to detect known CSAM. And so it went: on July 2021, the European Parliament and the Council adopted a temporary exception to the protection of communications confidentiality under the ePrivacy rules – enabling technology firms to voluntarily detect child sexual abuse material in communications. Then, less than a year later, the Commission launched this proposal, which provides for the option to order mandatory scanning.
The reason why the European Commission was keen on allowing firms to voluntarily scan material, is that technology firms have already been working on ways to detect CSAM and solicitation for quite some time. For instance, it was already reported in 2012 that Facebook was scanning unusual message traffic on its platform to identify older people who were soliciting minors. Microsoft has developed technology to scan for CSAM on its servers, even offering this as a service. More recently, in August 2021, Apple announced an initiative in new versions of iOS, which was intended to check unique fingerprints (hashes) of known CSAM against images on your phone, before they would be sent to iCloud Photos (Apple received a lot of pushback and ultimately delayed the plan).
So, with this in mind, there are roughly four ways in which such a detection order could work. A provider can either try to perform detection on the device; or it can try to perform detection on the communications being routed through its servers (if any). And it can either try to do detection on the basis of the content of communications; or it can try to do detection on the basis of metadata (such as, who called who, when, how often). That’s four combinations:
|Metadata||Device traffic analysis||Server traffic analysis|
|Content||Device content scanning||Server content scanning|
Important to note: for the detection of CSAM, the regulation does not exclude an analysis of all communications of all users of an app, and this is also likely the preferred scope of a detection order, because in many cases you do not know in advance who will be sending CSAM. By contrast, solicitation detection will probably be more targeted; it may initially involve analysing the metadata of certain communications where the risk of solicitation is higher – for instance, an old man chatting with a young girl he does not appear to know might raise a red flag. But even this will eventually require reviewing the texts of chats themselves – the old man might be talking to a long-lost niece.
This leads me to the final kind of potential order: let’s call it an “encryption altering order”. As noted above, all popular chat apps apply end-to-end encryption. This is a form of encryption where messages are encrypted on the device of the sender, and then decrypted at the device of the recipient. For this kind of encryption, only the sender and the recipient have the decryption key. Thus, end-to-end encryption stands in the way of detecting CSAM in communications flowing through the server. A detection order could thus in theory also oblige a provider to change their encryption, so that the content of information can be intercepted and analysed when it flows through the servers of the provider.
In theory, because the proposal is not clear on whether this is a real option – it is merely noted in the recitals that orders “should not be understood as incentivising or disincentivising the use of any given technology, provided that the technologies and accompanying measures meet the requirements of this Regulation. That includes the use of end-to-end encryption technology, which is an important tool to guarantee the security and confidentiality of the communications of users, including those of children” (rec. 26). Given this vague language, I’m assuming that encryption altering orders are also on the table.
Considerations when assessing the compatibility under the Charter
The question is whether these orders are compatible with the Charter. These orders affect a number of fundamental rights under the Charter, including the right to privacy and the right to data protection. I will touch on only aspect: whether these measures respect the essence of these rights. Because if they don’t, that would mean that a proportionality assessment would not be required, sidestepping complex questions around necessity, effectiveness, proportionality and balancing (see here for background on this requirement). For a discussion on some of these other aspects, I refer to the 2021-opinion of Prof. Dr. Ninon Colneric and analyses of the EDPS, MEP Patrick Breyer, EDRi and a group of security experts.
Let’s start with a content scanning order on the server. At first sight, a case can be made that such an order should be considered to compromise the essence of the right to privacy under the Charter. The ECJ in Schrems I considered that legislation permitting the public authorities access on a generalised basis to the content of communications compromises the essence of the right to privacy under the Charter (par. 94). Content scanning on the server arguably is a form of “access on a generalised basis”, where it involves an analysis of all communications going through the server connected to a certain app, and forwarding any matches to a designated center. At the same time, the ECHR in Big Brother Watch was more forgiving when it comes to powers of bulk interception of communications, as long as these powers are surrounded with sufficient safeguards (par. 350). Thus, one important point to be explored further, is whether this signals a rift between the two bodies, or that the ECJ will chart its own route when it comes to bulk surveillance.
Next, scanning for content on the device. Here, the above-mentioned consideration in Schrems I applies as well. In fact, detection on the device is arguably more privacy invasive than detection on the server, if only because a device is owned and controlled by the user. What’s more, although scanning takes place on the device (which you could call a form of only “indirect” access), the moment that a match is detected, it is immediately forwarded to the designated authority, which could trigger an investigation. So functionally, this does not differ much from gaining direct access to communications flowing through a server, similar to what was assessed in Schrems I. Here, an important point to be explored further, is whether the right to confidentiality and integrity of IT systems as recognised under the German constitution, is also lying dormant in the Charter – and whether this would further support the claim that a content scanning order on the device does not respect the essence of the right to privacy under the Charter.
By contrast, it is not so clear that a traffic analysis order on the server would compromise the essence of these rights. This is because it can be inferred from the ECJ-decision in La Quadrature that automated analysis of traffic and location data of all users of electronic communications systems for a strictly limited period, is a particularly serious interference, but should not be considered to affect this essence (par. 178). Compared to that, traffic analysis to detect solicitation may even be somewhat targeted, as you could imagine that only interactions between certain age groups would be subject to analysis. On the other hand, the ECJ only allowed monitoring for a “strictly limited” period, whereas the period in this case would imaginably be far less limited – and perhaps even indefinite. The assessment will thus depend on the kind of order which is being issued.
Conversely, an order for traffic analysis on the device, is a more serious candidate for not respecting the essence. As noted, the ECJ has underlined in La Quadrature that this kind of indiscriminate, automated traffic analysis is already a particularly serious interference, if done on the server. But when ordered to be done on the device, such analysis arguably crosses the threshold, compromising the essence. This, again, has to do with the intimate nature of a phone. Monitoring communications flowing through the network is already problematic, but monitoring communications on a device you’re carrying with you continously, is even more invasive. Again, a promising avenue for further exploration is the existence of a right to confidentiality and integrity of IT-systems under the Charter mentioned above.
Finally, as to an encryption altering order, an argument can be made that this affects the essence of another fundamental right – the right to data protection under the Charter. In the past, the ECJ has connected this right to the existence of information security measures. For instance, in Digital Rights Ireland, the ECJ reasons that the essence of this right was not affected because in the challenged legislation “certain principles of data protection and data security must be respected”, according to which member states “are to ensure that appropriate technical and organisational measures are adopted against accidental or unlawful destruction, accidental loss or alteration of the data” (par. 40). And in Opinion 1/15, the ECJ considered that an envisaged agreement on the exchange of EU flight passenger data with Canada lays down “rules intended to ensure, inter alia, the security, confidentiality and integrity of that data, and to protect it against unlawful access and processing” (par. 150), implicitly concluding that the essence of Article 8 of the Charter is not affected because of this. So, conversely, when an order prohibits the taking of appropriate security measures to protect personal data, the order arguably does not respect the essence of the right to data protection.
So, what then would “appropriate” security measures in this case be? A fundamental starting point is that the internet should be considered an untrusted communications channel – it consists of various parts operated by companies, countries and individuals, and communications traverse around a host of untrusted nodes. So if you send communications on the internet, there is a serious risk that they will be intercepted, analysed or even tampered with. The only way to protect against this, is by encrypting the communications in transit – thus ensuring the confidentiality and integrity of the data.
Still, does that mean you have to use end-to-end encryption, that is, encryption which can not be read except by the sender and the recipient? Quite likely, yes, simply because the alternative – encryption which can also be decrypted by law enforcement agencies – exposes users to an unacceptably large risk of unlawful access by other governments and criminal organisations. In fact, renowned security experts have in the past decades pointed out repeatedly that these kinds of weaker encryption technologies will always be at risk of being exploited by others, including foreign intelligence agencies and criminal organisations.
When the EU adopted the Data Retention Directive, obliging the storage of traffic and location data of all European communications users, it was being warned that the rules violated the Charter, and the ECJ ultimately agreed. I expect this new proposal to be heavily contested as well, and I expect fundamental rights to constitute a significant part of that debate – as is already evidenced by the comments from the EDPS, MEP Patrick Breyer, EDRi and the group of security experts mentioned above.
One way to shortcut that debate, is by investigating whether the potential orders to be issued on the basis of the proposal cannot respect the essence of the rights to privacy and data protection. In this contribution, I have sketched an outline of this argument. To make a convincing case, it will be important to firstly determine on the basis of recent case law that the ECJ still considers bulk surveillance of content to compromise the essence of the right to privacy. Secondly, it will be important to develop a right to confidentiality and integrity of IT systems under the Charter, as this will enable a better assessment of detection orders directed to user devices. And thirdly, it must be further investigated whether only end-to-end encryption is the only appropriate measure for safeguarding online communications, because if this is the case, than any encryption altering order does not respect the essence of the right to data protection. Hopefully, the Council and the European Parliament will take notice.