Mass snooping in the EU

An upcoming EU law has been leaked that requires big tech companies to scan the private messages of all their users regardless of any end to end encryption technolgy being used. Of course the EU cites child porn and grooming as the nominal justification but when messages have been scanned I am sure that governments will demand that the tech companies hand over the messages for a much wider range of reasons than that claimed.

Under the plans, tech companies -- ranging from web hosting services to messaging platforms - can be ordered to detect both new and previously discovered child sexual abuse material (CSAM) as well as potential instances of grooming. The detection could take place in chat messages, files uploaded to online services, or on websites that host abusive material. The plans echo an effort by Apple last year to scan photos on people's iPhones for abusive content before it was uploaded to iCloud. Apple paused its efforts after a widespread backlash.

If passed, the European legislation would require tech companies to conduct risk assessments for their services to assess the levels of CSAM on their platforms and their existing prevention measures. If necessary, regulators or courts may then issue detection orders that say tech companies must start installing and operating technologies to detect CSAM. The draft legislation doesn't specify what technologies must be installed or how they will operate -- these will be vetted by the new EU Centre -- but says they should be used even when end-to-end encryption is in place.

Read the full details in article from wired.com

The EU Commission has welcomed a political agreement between the European Parliament and the Council on the proposed interim legislation regarding the detection of child sexual abuse online by communications services. This legal adjustment was urgently needed to give certain online communications services such as webmail and messaging services legal certainty in their voluntary measures to detect and report child sexual abuse online and to remove child sexual abuse material, as such services fell under the e-Privacy Directive as of 21 December 2020. The new Regulation will provide guarantees to safeguard privacy and protection of personal data. The voluntary measures play an important role in enabling the identification and rescue of victims and reducing the further dissemination of child sexual abuse material, and contribute to the identification and investigation of offenders as well as the prevention of offences.

The rules agreed today have a narrow scope: they will create a temporary and strictly limited derogation concerning the voluntary detection activities of the online communication services. The main elements of today's agreement include:

• A definition of child sexual abuse online in line with the existing EU rules on child sexual abuse , including content constituting child sexual abuse material and solicitation of children.

• Complaint mechanisms so that content that has been removed erroneously can be reinstated as soon as possible.

• Human oversight for any processing of personal data including, where necessary, human confirmation before reporting to law enforcement authorities or organisations acting in the public interest.

• Guarantees to protect privacy : Service providers will have to ensure that the technologies they use to detect child sexual abuse online are the least privacy-intrusive.

• Data protection safeguards: Service providers will have to consult with data protection authorities on their processing to detect and report child sexual abuse online and remove child sexual abuse material. The European Data Protection Board will also be asked to publish guidelines to assist the relevant authorities in assessing compliance with the General Data Protection Regulation of the processing in scope of the agreed Regulation.

• The Commission will have to establish a public register of organisations acting in the public interest against child sexual abuse, with which providers of online communications services can share personal data resulting from the voluntary measures.

• Transparency and accountability to be supported by annual transparency reports.

• A 3-year limit on the application of the Regulation, allowing time for the adoption of long-term legislation in this area.

The Regulation must now be formally adopted by the European Parliament and the Council.

This interim Regulation will cease to apply at the latest 3 years from its application. As announced in the EU Strategy for a more effective fight against child sexual abuse and in the Commission Work Programme for 2021 , the Commission will propose later this year new comprehensive legislation with detailed safeguards to fight child sexual abuse online and offline. These long-term rules will be intended to replace the interim legislation agreed today.

The EU's anti-terrorist coordinator Gilles de Kerchove, is urging the censorship of internet game chat lest it could be used to propagate extremist ideologies and even prepare attacks.

The official commented ahead of a proposed Digital Services Act that aims to address US dominance of the internet and to propose censorship measures targeting speech that the EU does not like. De Kerchove commented:

I'm not saying that all the gaming sector is a problem. There are two billion people playing online, and that's all very well ...BUT... you have extreme-right groups in Germany that have come up with games where the aim is to shoot Arabs, or (George) Soros, or Mrs Merkel for her migration policy, etc.

That can be an alternative way to spread ideology, especially of the extreme right but not only them, a way to launder money -- there are currencies created in games that can be exchanged for legal tender

He also suggested the Digital Services Act include a provision forcing providers of encrypted communication to give police and prosecutors unencrypted versions of the messages sent on their services when ordered to do so by a judge.

The European Commission has outlined new requirements for telecoms companies, clouds, email service providers, and operators of messaging apps, to produce snooping data on a specified individual within six hours of a rquest.

The proposed European Production Order will allow a judicial authority in one Member State to request electronic evidence (such as emails, text or messages in apps) directly from internet companies with an office in any Member State. The data may be nominally held overseas but will still have to be produced.

That super-short deadline will only be imposed in the case of an emergency. Less urgent investigations have been offered a ten-day deadline.

A European Preservation Order will also be issued to stop service providers deleting data.

The Production Orders will be applicable only to crimes punishable with a maximum sentence of at least three years, but governments have been artificially increasing maximum sentences for quite a while now to ensure that relatively minor crimes can be classed as 'serious'.

The EU Commission has cited terrorism as the justifications for the new requirements, but a 3 year maximum sentence rather suggests that the these orders will be used for more widely than just for terrorism prevention.