Two weeks ago, we gave an update on the proposal for a European Regulation on anti-terrorism censorship. As a reminder, this text will impose unrealistic censorship obligations on all actors of the Internet: removal within one hour of content reported by the police, surveillance of all content leading to automatic censorship…
Today, we focus on another danger of this text: as it targets not only content disseminated to the public, but also content exchanged privately (such as emails and instant messaging), it could bring an end to the possibility of protecting our exchanges through end-to-end encryption.
A careful reading of the Regulation reveals that this text is indeed not limited to content disseminated to the public.
Article 2 states that the actors subject to these censorship obligations are the “providers of information society services consisting in the storage of information provided by and at the request of the content provider and in making the information stored available to third parties”. Recital 10 of the same text gives, as an example, besides social media, “video, image and audio sharing services, file sharing and other cloud services to the extent they make the information available to third parties (…)”.
This notion of “available to third parties” is very different from the more usual notion of “available to the public”. Furthermore, the content stored in “cloud-based services” (which we understand to refer to services such as Nextcloud or Dropbox) is generally not made “available to the public” but is accessible only to a restricted number of users. Yet these services are included in this new European Regulation.
If the Regulation is not limited to content disseminated to the public, but includes content made available to any third party, that means it can be applied to electronic messaging services, including emails and instant messaging (WhatsApp, Signal, Telegram…). These services, at least up until the message is read, store content supplied by a user in order to make it available to a third party. (See, for example, the terms of service of Signal, which indicate that it stores messages on its servers for delivery to devices that are temporarily offline.)
They will then, like any other actor of the Internet (forums, social networks, blogs…), be subject to the obligations of automatic removal and censorship imposed by the Regulation.
Obligations incompatible with end-to-end encryption
However, some of these services protect our private exchanges through end-to-end encryption technologies, “where only the communicating users can read the messages”, the objective being to prevent “potential eavesdroppers – including telecom providers, Internet providers, and even the provider of the communication service – from being able to access the cryptographic keys needed to decrypt the conversation”.
As we explained in our common position with the Observatoire des Libertés et du Numérique (Freedoms and Digital Observatory), “the capability of encrypting digital communication and data is mandatory in order to preserve fundamental rights and liberties. Encryption remains one of the last barriers against arbitrary and illegal intrusions, either from States, the private sector or criminals”.
How will email and instant messaging services that provide this type of protection (Signal, ProtonMail…) be able to comply with the obligations of surveillance and censorship if stored content is encrypted and thus unavailable to them?
The silence of the Regulation makes us fear the worst: end-to-end encryption, that is to say the protection of our private exchanges, could be contrary to the obligations provided in the text and would have no other choice but to disappear.
Indeed, it is difficult to imagine how these services, like every other actor of the Internet, will be able to survive these new obligations: it is unlikely that they will agree to abandon end-to-end encryption and to outsource the surveillance of their service to a Web giant – which is the solution that the French government seems to hope for, at least for content made available to the public.
As for Facebook, it is surprising that they overlooked this text without seeing or understanding its danger for its messaging service WhatsApp, which is also protected by encryption. The worst-case scenario would be that Facebook is slowly renouncing this technology to team up with governments for mass surveillance of our exchanges, private or public. A few weeks ago, Mark Zuckerberg explained that encryption was making automated censorship more complicated.
With this text, the government may have found a way to win a fight it has been leading for a long time and that particularly frustrates it: the fight against the encryption of our conversations.
The Regulation, as it is being examined by the European Parliament, would endanger an essential right that guarantees our liberties against arbitrary State powers and private mass surveillance.
Again, we ask for its rejection.
Remember that deadlines are extremely short: the European governments (particularly France) want this text adopted as soon as possible, at the expense of a democratic debate. The Council of the EU meets in Brussels on the 6th of December to reach a common position.