Et tu, EU? (War on end-to-end encryption)

Kinda surprised to see the EU jumping on this particular bandwagon.

EDIT: EFF’s response:


Interesting. Worrying, but still, there is a way to look at this that is kind of positive: if the EU is targeting Big Tech with this, and basing that on the fact that Big Tech already control their users, then that does not mean freedom becomes impossible, it just further underlines that you cannot be free and be a Big Tech user at the same time.

I imagine a conversation between EU and Big Tech going like this:

EU says: “You have control over your users’ information, correct?”

Google/Apple/Microsoft answer: “Well, technically we can control them completely and we can see everything they do but we like to keep up a facade of ‘privacy’ which we think is good for our business…”

EU says: “We don’t care about your facade. You have control over your users’ information, correct?”

Google/Apple/Microsoft answer: “Yes, but…”

EU says: “No buts! Since you have control over your users’ information, we can require you by law to scan all messages. Now go and implement that.”

The above is not really a war on end-to-end encryption, because Big Tech users cannot really use end-to-end encryption since the users do not control the operating system.

In contrast, if the EU has a conversation with a truly free person that uses completely free/libre software including a free/libre operating system, then I imagine that conversation like this:

EU says: “Hello there, we are worried that you may have suspicious content inside your encrypted messages”

Free person answers: “These are my messages, none of your business”

EU says: “Note that we have made laws that require companies who control their users’ information to scan all messages of those users”

Free person answers: “That does not apply to me because I am not a customer of any of those companies, they do not control me.”

EU says: "Hm, well how about you let us look inside your messages anyway? We really want to."

Free person answers: “No, I don’t want to. These messages are none of your business.”

EU says: “OK”

That’s how it plays out in my fantasy world. :)

Basically I think there is a fundamental difference between the following two kinds of laws:

  • This is feasible: law forcing companies to do certain things regarding information those companies already control.
  • This is not feasible: law making it illegal for an individual to apply encryption algorithms to some data and send the result to another individual.

Free person to EU/government official: “Show me yours first!”


I think the use of “Big Tech” in this context is unhelpful, since it obscures which type of service providers are actually being targeted here.

I had a fast look at the actual proposal. It is typical bureaucratic mumbo-jumbo, 134 pages of it i.e. difficult to know what it is really saying and what it is really not saying.

The best case scenario for a messaging service would seem to be: they are obliged to scan all unencrypted messages. So a messaging service that required all users to use E2EE would not be obliged to scan any messages. On the other hand the EU proposal says

Therefore, this Regulation leaves to the provider concerned the choice of the technologies to be operated to comply effectively with detection orders and should not be understood as incentivising or disincentivising the use of any given technology, provided that the technologies and accompanying measures meet the requirements of this Regulation. That includes the use of end-to-end encryption technology, which is an important tool to guarantee the security and confidentiality of the communications of users, including those of children.

So maybe what we are really back to is the dreaded mandatory backdoor.

It’s good to see that their consultation process got pwned by German activists:

Despite efforts to ensure a balanced distribution of responses, a significant proportion of contributions were received from private individuals in Germany solely addressing questions relating to the subject of encryption.



Translation: “Use any technology you want…as long as we can see it and read it” …?


Or as the article says

Do the impossible, you get to decide how


These geniuses of the EU cannot protect the price of a pound of bread; and they will protect our children with this nonsense?

I am in EU, I wanted to be in EU. No more. This is an oppression system. We pay all these guys in the European parliament and they have no right to pass half a law…

Given that mandatory metadata retention for all innocent EU citizens was found to be indiscriminate, unjustified, inconsistent with human rights … and hence ultimately invalid law, I would be surprised if mandatory scanning of private content for all innocent EU citizens is valid law.

Governments tried to argue that metadata is less sensitive than content but even that was not accepted by the court.

So I expect this proposal, if it becomes law in member states, to end up in the ECJ.


EU is not a uniform thing. Also, the jump was started at least one year ago. Watching it has been a front seat to a train wreck spectacle. Except I’m sitting inside.

We need to take this stance more often. Not only to big companies, but to all gratuitous data requests.

Not only you:


Naomi Brockwell talks about this in her Privacy Beat show.

As an EU citizen I am really relaxed on this. Every country in the EU has Data Protection offices. The German one has already officially written that they are against it (1) and will try to stop this from becoming legislation. And if that’s not calming me enough I remember how many times Governments in Europe tried to establish a data retention law where all traffic had to be stored and that every time courts from federal to European have voided these laws.



Has anybody pointed out to these people that we’re already at a heightened risk of cyber attack thanks to a little war going on? Weakening our cyber security now is not a good plan.

I’m already hearing people argue that Russia’s behind this and other events but aside from one Hollywood nobody chiming in on it after an extended stay a few years ago I don’t see anything.


So recognisable! :D

Not aware of what happens on EU level most of the time, except for “big news” items such as this one, but on the other hand: when has EU regulation of the Internet ever resulted in anything useful?

Their first attempt at controlling tracking: sites must disclose the use of cookies.
Literally every website: “We use cookies. There, we informed you.”

Their second attempt, somewhat broader in scope, the GDPR: sites must disclose all forms of user data collection and processing, and except for data required to offer the services the user needs (e.g. the billing address for a paid service), the user must be able to decline without loss of functionality. Hefty fees apply to those who do not comply.

  • Lots of sites: “We still use cookies to track you. You can accept with one click, or go through this long and tedious process in order to refuse, with no guarantee that it’ll actually have any effect”.
  • Some sites: “We still use cookies. Don’t want them? Disable cookies, including legitimate and wanted ones, for literally every site, degrading your browsing experience. Because we have decreed that pointing out they can be disabled in the browser is sufficient effort on our part”.
  • A handful of sites: “We use cookies. There, we informed you”, which is in violation.
  • And a couple of sites: “We use cookies. You can accept, or sod off”, or sometimes “You can accept, or you can browse this one single page (or handful of pages) on our website tracking-free”, both of which are in violation.
  • Fewer still: “Hi, European! We don’t want you on our site!” Which is actually perfectly legal: use of the service depends on region, and not acceptance of cookies, technically speaking. I mean, it is the same thing, but it also isn’t, isn’t it?

The problem with the EU is twofold:

  1. Our laws are too broad and not well thought out. That first cookie law was a prime example: they tried to do something about online tracking, and instead made it so that every website that uses cookies for legitimate reasons, such as handling your session, preferences, … is now forced to throw up a useless banner that does not inform the user in any way, shape or form. And every user now has to dismiss said banner on every website they visit.
  2. Our laws have less teeth than a baby snail. Sure, GDPR violations carry hefty fees, but if you visit a website that’s in violation, where do you report it? Heard from a guy who apparently went through the trouble of figuring out where, only to get a response that they weren’t even gonna look into it. Forgot the exact reason why. Hell, I know of various European websites that are in direct violation, have been for years, and never got in trouble for it.

Arguably, GDPR. Blaming GDPR for misbehaving websites is like blaming law for forbidding predatory loans. “Please sign here to let us rob you, or alternatively jump through those hoops to get a fair loan”, “Your law prevents us from robbing you easily, so sod off”.

Sorry, but sources or didn’t happen. I threatened a couple businesses on GDPR grounds and got nothing but compliance in return.

For more high-profile cases, , while not instant, shows that the wheels of law are turning.

I also value the net neutrality attempts here for putting some (imperfect) obstacles to corporate-captured internet access.


I’m not blaming the law for the people who ignore it. I blame the lawmakers for not following through on the laws they pass. A law is worth little more than the piece of paper on which it is jotted down if nobody actually bothers to implement it.

Fair enough. Unfortunately, I don’t have perfect memory, so I don’t recall the specifics, nor who my source was.

Glad that worked out for you. A friend of mine contacted two years ago about their cookie wall. They were gonna look into it. As of today, your only options are:

  1. Accept the cookies.
  2. Create an account so you can disable them, which also involves allowing them to store your personal data.

Source: (Dutch; they don’t seem to have an English version)

And yeah, the site is still completely unusable without accepting cookies or creating an account. Or disabling the JS that blurs the content and prevents you from scrolling, I guess, if you can be bothered.

And that’s how they can just do what they want. The German Data Protection office can’t do anything against it. He can say “I don’t like what you are doing”, but he also can be completely ignored.

With ePrivacy we have a 3rd chance to bring “do not track” into law. But until this time I blame all websites that need a cookie banner. For essentials they don’t need to inform you since this is information you actively give them by registration etc. Or why I don’t have any banner on Wikipedia - doesn’t care if I am logged in or not? I even know more without banner (no difference between JS enabled or disabled).

It’s totally up to pages if they want your data or if they don’t want to use a cookie banner.

That’s why Google changed its cookie banner to something where you can reject cookies with one click instead of 5 clicks with loading 2 more pages and a failed redirection, because GDPR is a “baby snail”. No it’s not, but if nearly every company breaks the laws, how fast do you think it will be until every company has had to pay? 1 or 2 years? Nope, it needs a lot of time.

Do you remember the time when every 2nd page had a cookie banner where you had to click 100 times and more to reject data collection? In the last 2 years I only found 1 page - all others got “killed by GDPR” and the little rest will follow.

Interestingly, Pale Moon browser just implemented “Global Privacy Control” (i.e. Do Not Sell My Data) to replace “Do Not Track.” It allegedly has sharper legal teeth:

Why does it have sharper legal teeth? They can track me without selling data. They can gift it to a subsidiary company which can make money. They can track me to do some math with my data. But if you are not allowed to track me, how could you do any of these?

To me “Do Not Sell My Data” sounds much weaker. And in addition, if the EU decides to write down “Do Not Track” into ePrivacy, what would be the point of “Do Not Sell My Data”?

Good points. A lot of sites, though, explicitly state in their privacy policies that they don’t honor the Do Not Track setting due to there being no standard.

Personally, I don’t worry about it much because of my other privacy/anti-tracking measures, and I only use Pale Moon for general browsing, with off-line storage disabled, and wipe cookies automatically when closing.

I’m sure I have a somewhat interesting browser fingerprint, but the alternative is to have less or no protection in place.

I have read that enabling do not track is uncommon enough that it actually serves as a fingerprint metric.
