Et tu, EU? (War on end-to-end encryption)

This has been discussed in several threads (like here) in the forum over the years, but it seems appropriate to append this here due to the source, which kinda book-ends the saga (well, technically it’s not over, but still): After Years of Controversy, the EU’s Chat Control Nears Its Final Hurdle: What to Know | Electronic Frontier Foundation. From the text:

After a years-long battle, the European Commission’s “Chat Control” plan, which would mandate mass scanning and other encryption-breaking measures, at last codifies agreement on a position within the Council of the EU, representing EU States. The good news is that the most controversial part, the forced requirement to scan encrypted messages, is out. The bad news is there’s more to it than that.

Another report on it is: "A disaster waiting to happen" – The privacy tech world reacts to the new Chat Control bill | TechRadar and from there:

“By cementing ‘voluntary’ mass scanning, they are legitimizing the warrantless, error-prone mass surveillance of millions of Europeans by US corporations,” he said. “This is not a victory for privacy; it is a disaster waiting to happen.”

Despite the privacy backlash, the November 26 agreement means that the Danish proposal will continue to the final step of the legislative process. The EU Council, Parliament, and Commission are set to begin the trialogue negotiations to confirm the final text, with adoption expected by April 2026.

2 Likes

It is a disaster that would already be happening as soon as this is actually implemented.

Warrantless mass surveillance is a disaster.

3 Likes

So ‘children’ still sell to the EU public while ‘war’ doesn’t sell. All about the framing, as usual.

I wonder if it all could be circumvented by making your chat servers reside in another country? There is the UK, and there are a couple of non-EU states in Europe. I wonder how that may work out. I mean, the EU could outright ban a certain service, but given their bureaucracy and slowness, I doubt that’s going to happen unless that chat service is really causing (willfully or not) moral panic waves in the public space. They do have this text, however, I’m just not sure how they’re supposed to enforce it:

Online child sexual abuse frequently involves the misuse of information society services offered in the Union by providers established in third countries. In order to ensure the effectiveness of the rules laid down in this Regulation and a level playing field within the internal market, those rules should apply to all providers, irrespective of their place of establishment or residence, that offer services in the Union, as evidenced by a substantial connection to the Union.

And what about one-to-one chats? I didn’t see that bit in the text. Suppose if your chat isn’t providing groups but exists solely to facilitate one-to-one communication, just between you and me. Will that also fall under that surveillance bill?

They even go as far as targeting email, and the wording is strange…

As they are increasingly used for that purpose, those services should include publicly available interpersonal communications services, such as messaging services and web-based e-mail services, in so far as those services are publicly available. As services which enable direct interpersonal and interactive exchange of information merely as a minor ancillary feature that is intrinsically linked to another service, such as chat and similar functions as part of gaming, image-sharing and video-hosting, are equally at risk of misuse, they should also be covered by this Regulation … the obligations imposed on the providers of those services should be differentiated in an appropriate manner.

Appropriate manners, my ass. So certainly the personal email server I run is publicly available as in available for the entire internet to send me mail? Or does that only cover services where an account could be created by a third party?

They’re also shielding companies specifically:

In the light of the more limited risk of their use for the purpose of child sexual abuse and the need to preserve confidential information, including classified information, information covered by professional secrecy and trade secrets, electronic communications services that are not publicly available, such as those used for national security purposes, should be excluded from the scope of this Regulation. Accordingly, this Regulation should not apply to interpersonal communications services that are not available to the general public and the use of which is instead restricted to persons involved in the activities of a particular company, organisation, body or authority.

But not “a particular citizen”, however.

Can someone link to child exploitation statistics that ruffled their feathers so much? There are probably hundreds of thousands of children who are practically begging for this to be implemented, but I haven’t really seen any non-biased research or stats. For example, breaking the US monopoly/stranglehold on technology/communication is somehow very low on their agenda, meaning they think that giving Meta the eye actually solves any kind of problem, yet your own citizens are just an unruly bunch, but that particular angle’s been covered in those articles.

I think that is what the text intends to say, in fact, even slightly more specific: the third party has to be an arbitrary member of the public. In other words, if you offer the service to the public, you could be subject to the requirements.

1. Use Librem 5.
2. VPN and services in a democratic nation (e.g. Proton in Switzerland).
3. Move to live in a democratic nation (e.g. I’m moving to live in Switzerland for this reason! I hate dictatorship!).

Might not be such a good idea to move to Switzerland anymore: a new ordinance is being discussed by the Swiss Federal Council which would introduce a mandatory backdoor to all encrypted communications and data retention.

As a matter of fact, Proton AG is moving out of Switzerland right now; they are in the process of relocating all their infrastructure to the EU (and this may not be a very good idea either…).

They plan to keep only headquarters in Switzerland, but they won’t be able to do business from there anymore because of their very business model, which is based on end-to-end encryption with zero knowledge and utmost privacy.

In a blog post, they explain that:

Because of legal uncertainty around Swiss government proposals to introduce mass surveillance — proposals that have been outlawed in the EU — Proton is moving most of its physical infrastructure out of Switzerland. Lumo will be the first product to move.

This shift represents an investment of over €100 million into the EU proper. While we do not give up the fight for privacy in Switzerland (and will continue to fight proposals that we believe will be extremely damaging to the Swiss economy), Proton is also embracing Europe and helping to develop a sovereign EuroStack for the future of our home continent.

Here is a good article on the topic and what it means for businesses like Proton:

And another article details how Proton is fighting back (at the United Nations Forum):

Yes, the grip is tightening everywhere on privacy - even in a former haven like Switzerland!

4 Likes

Thank you for your post, TiX0! The huge difference between Switzerland and the EU and other nations around the world is the power the population has through referendums (direct democracy)! They can literally block/stop every law, this one included, using a referendum! For example, in 2021 they rejected a law from the Federal Parliament that allowed a private company to manage digital ID! So I’m pretty sure this law will never be allowed by the population! :blush::flexed_biceps:

2 Likes

There are different lobbies for this. One tries to protect the youth. And the other tries to protect humans from possible dictators or data exploitation, by changing behavior to manipulate work, politics, consumption, or money spending, or by training neural networks. Everything has its right to exist, and it’s hard to weigh them out for the best of individuals or families.

But if you collect the mainstream and have some privacy too, I think it’s fine. For me, privacy is broken if I cannot have an encrypted connection between two computers both owned by myself, which enables me to share information and have privacy. Mainstream apps are a privacy pandemic, which has to be regulated!

How right you were, Veleno! The power of the people and civil society.

Because for once, I have good news to report from the frontline of the fight for privacy: there was such a rebuff among the population, civil society, privacy advocates and even the Swiss parliament that the Federal Council had to back off! It was just announced that they are dropping the ordinance’s revised proposal, so the ordinance will stay as it was before, and there will not be mass surveillance instituted in the name of security, child protection and all such pretexts put forward in order to end privacy and control “the ignorant populace”, who of course do not know what apocalyptic threats and dangers they will face otherwise…

Unfortunately, Proton has already moved to Germany and Norway, and Andy Yen - CEO and founding member - said in an interview that Proton does not plan any investments in Switzerland.

So in the end, Switzerland lost a gem and a flagship because of stupid shortsighted politicians!

2 Likes

Thank you for your great news, TiX0! Bad for Proton! I wrote to them that I’m happy to pay for a subscription if they develop/extend their services (email, VPN, Pass, ...) to the Librem 5 too (I’m using the free versions for now)… I never received an answer from them! I’ll wait for Purism to reactivate Librem One (they said 2026), so as to have a top privacy and security service perfectly integrated with the Librem 5 :woman_shrugging:
Have a nice day, TiX0 :blush:

1 Like