An upcoming proposal from the European Union Commission could make government scanning of user messages and photos mandatory throughout the E.U. If that happens, it would be inconsistent with providing true end-to-end encryption in Europe. That would be a disaster, not just for the privacy and security of citizens in the E.U., but worldwide.
The excuse for this attack on basic human rights is the same one we have seen used repeatedly in the U.S. over the last few years: crimes against children. This is the same excuse that sponsors of the anti-encryption EARN IT Act used in 2020, and again earlier this year. It’s the same excuse that was used to put overwhelming pressure on Apple to develop a phone-scanning plan that disrespected user rights. Neither of these plans have advanced, because the public is overwhelmingly opposed to such surveillance.
The plan in both the U.S. and E.U. is similar: coerce private companies to scan all user data, check what they find against government databases, and report their findings to the authorities. It’s unacceptable, and no matter what they say, it’s completely incompatible with end-to-end encryption.
Today, EFF has joined European Digital Rights (EDRi) and dozens of other civil liberties and human rights organizations, sending a letter to tell the Commissioners we can’t accept this attack on our privacy. Child abuse can be, and is, investigated and prosecuted without blanketing people with surveillance systems.
The need for the protections of encryption don’t change during a time of conflict. As we state in the letter:
As the shocking events of the past three weeks have emphasized, privacy and safety are mutually reinforcing rights. People under attack depend on privacy-preserving technologies to communicate with journalists, to coordinate protection for their families, and to fight for their safety and rights.
Experts agree that there is no way to give law enforcement access to communications that are encrypted end-to-end without creating vulnerabilities that criminals and repressive governments can exploit.
The letter makes clear we can’t accept mass surveillance, indiscriminate spying on peoples’ private communications, or any measures that would break or bypass encryption, including client-side scanning.
We hope the European Commission takes up the offer to work together with EDRi to craft legislation that is respective of peoples’ privacy and security.