Monday, May 27, 2024

Polaris of Enlightenment

Loophole in Chat Control 2.0 compromises information security

Mass surveillance

Published 14 October 2023
By Karl Emil Nikka

The controversial mass surveillance proposal, Chat Control 2.0, is plagued by several technical and information security-related issues. The biggest problem is the requirement that even end-to-end encrypted communication services be included. This requirement exists despite it being technically impossible for service providers to scan the contents of properly end-to-end encrypted conversations. It has always been this way, and it always will be.

The face of the mass surveillance proposal, EU Commissioner Ylva Johansson, initially believed that such scanning was possible (see for instance Many inaccuracies around Chat Control 2.0 in the ‘Aktuellt’ interview). She likened the process to how a drug-sniffing dog can sniff for drugs in closed bags. This analogy is completely incorrect because properly end-to-end encrypted conversations never leak any sniffable traces of their content. It doesn’t matter how advanced future scanning technology becomes because there are never any traces to scan (“sniff”) for.

Proponents of the proposal, therefore, want to bypass the function of end-to-end encryption by implementing a technology called client-side scanning. This means that service providers have to equip their apps with backdoors, allowing them to scan the content before it is sent (before it’s encrypted) and after it has been received (after it has been decrypted). This is the technology that the UN’s Human Rights Commissioner literally advises against, partly due to the dangers it poses for vulnerable children and adults in totalitarian states. (The imminent risk of data leaks and the obvious risk of self-censorship are two other reasons highlighted by the UN’s Human Rights Commissioner.)

The loophole in the definition

From a strictly technical perspective, client-side scanning could be implemented without either prohibiting end-to-end encryption or weakening the encryption. Technically speaking, the client-side scanning itself doesn’t affect the encryption. Client-side scanning merely causes the encryption to cease serving its purpose. With implemented client-side scanning, conversation participants continue to send messages end-to-end encrypted to each other, but both parties simultaneously have a spy looking over their shoulder, seeing everything they write and hearing everything they say.
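The following Go program is an added illustration, not code from the original article or from any of the parties it discusses. It models the two claims made above and in the sniffing-dog passage: the encryption itself is left intact, yet a client-side scanning hook sees every message in the clear. It assumes a pre-agreed shared key (key agreement is out of scope) and uses AES-256-GCM from the Go standard library as a stand-in for a real messenger's protocol; the `KeywordScanner` is a constructed stand-in for whatever a real scanner would do, and the names `Client`, `Scanner`, `RunDemo` and `Result` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Scanner is the client-side scanning hook: run on plaintext before encryption and after decryption.
type Scanner func(plaintext []byte) bool
// Client is one end of an E2EE channel; AES-256-GCM under a pre-agreed 32-byte key stands in for the real protocol.
type Client struct {
	aead    cipher.AEAD
	scanner Scanner // nil: no client-side scanning installed
	Seen    int     // plaintexts shown to the scanner
	Flagged int     // how many of those it flagged
}

func NewClient(key []byte, scanner Scanner) *Client {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key size; keys here always come from randomBytes(32)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Client{aead: aead, scanner: scanner}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read never returns an error (Go 1.24 docs)
	return b
}

// runScanner is the only point where plaintext reaches anyone but the two participants; the cipher is untouched.
func (c *Client) runScanner(plaintext []byte) {
	if c.scanner == nil {
		return
	}
	c.Seen++
	if c.scanner(plaintext) {
		c.Flagged++
	}
}

// Send scans (if installed) and then encrypts; the wire format is identical either way: nonce || AES-GCM output.
func (c *Client) Send(plaintext []byte) []byte {
	c.runScanner(plaintext)
	nonce := randomBytes(c.aead.NonceSize())
	return c.aead.Seal(nonce, nonce, plaintext, nil)
}

func (c *Client) Receive(wire []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(wire) < ns {
		return nil, errors.New("wire message too short")
	}
	plaintext, err := c.aead.Open(nil, wire[:ns], wire[ns:], nil)
	if err != nil {
		return nil, err // wrong key or modified ciphertext
	}
	c.runScanner(plaintext) // scanned only after authentication and decryption
	return plaintext, nil
}

// KeywordScanner is a constructed stand-in for a real scanner: it flags plaintext containing word.
func KeywordScanner(word string) Scanner {
	return func(p []byte) bool { return bytes.Contains(p, []byte(word)) }
}

type Result struct {
	WireHasKeyword  bool   // the "sniffing dog": is the keyword visible on the wire?
	WrongKeyDecrypt bool   // could an observer without the key open the message?
	ScannerSaw      int    // plaintexts shown to the two scanners combined
	ScannerFlagged  int    // messages the scanners flagged
	Delivered       string // what the recipient read
}

// RunDemo sends one message over a fresh key with scanner installed on both clients (nil: no scanning).
func RunDemo(keyword, message string, scanner Scanner) Result {
	key := randomBytes(32)
	sender, recipient := NewClient(key, scanner), NewClient(key, scanner)
	wire := sender.Send([]byte(message))
	_, observerErr := NewClient(randomBytes(32), nil).Receive(wire) // observer: ciphertext, no key
	plaintext, err := recipient.Receive(wire)
	if err != nil {
		panic(err) // same key and untouched wire: cannot happen
	}
	return Result{
		WireHasKeyword:  bytes.Contains(wire, []byte(keyword)),
		WrongKeyDecrypt: observerErr == nil,
		ScannerSaw:      sender.Seen + recipient.Seen,
		ScannerFlagged:  sender.Flagged + recipient.Flagged,
		Delivered:       string(plaintext),
	}
}
func main() {
	fmt.Printf("no scanning: %+v\n", RunDemo("secret", "the secret is in the attic", nil))
	fmt.Printf("scanning:    %+v\n", RunDemo("secret", "the secret is in the attic", KeywordScanner("secret")))
}
```

In both runs the wire carries no trace of the keyword and a party without the key cannot open the message, which is the sense in which the encryption is neither prohibited nor weakened. The only thing that changes when the scanner is installed is `ScannerSaw`: it goes from 0 to 2, because the plaintext is shown once before encryption on the sender's side and once after decryption on the recipient's side, which is the "spy looking over both shoulders" the text describes.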

This definitional loophole is now being exploited by several parties. The parties and their EU Parliamentarians claim that they want to allow end-to-end encryption, yet at the same time, they demand that the content in end-to-end encrypted services can be scanned. In this way, their permission of end-to-end encryption becomes irrelevant. This loophole argument was, incidentally, precisely what I feared when I expressed my skepticism in an interview with Dagens Nyheter at the end of April (see comment in Possible EU turnaround on chat control law – must not weaken encryption).

On our theme website, chatcontrol.se, we have a monitoring database with over 400 Swedish articles written about the proposal. I’ve reviewed these articles as well as the amendment proposals that Swedish parties’ EU Parliamentarians have put forward. Based on this, I’ve been able to identify which proposal advocates are trying to mislead the public by allowing end-to-end encryption while simultaneously demanding that end-to-end encryption be bypassed.

The Tidö agreement parties and the Green Party

The governing parties have presented a proposal for Sweden’s position in the Council of Ministers. The proposal contains the following text which paradoxically wants encrypted messages to be protected while also needing to be scanned:

“A tracing order must ultimately be executed without being impeded by a service being encrypted, for example, through machine scanning before the message is encrypted and sent. At the same time, information security must not be jeopardized; encrypted messages should be protected against unauthorized access”.

(From an appendix to a document from the EU Committee 2023/24:4F1902, 2023-09-18)

In the European Parliament, neither the Moderates nor the Christian Democrats share the stance of the Swedish government. Both the Moderates and the Christian Democrats are clear that the function of end-to-end encryption must never be undermined. This is evident in amendment 389 signed by all EU Parliamentarians from the Moderates and the Christian Democrats (Arba Kokalari, Jessica Polfjärd, Tomas Tobé, Jörgen Warborn, David Lega, and Sara Skyttedal).

“End-to-end encryption is an essential tool to guarantee the security, privacy, and confidentiality of the communications between users, including those of children. Any weakening of the end-to-end encryption’s effect could potentially be abused by malicious third parties. Nothing in this Regulation should therefore be interpreted as prohibiting or compromising the integrity and confidentiality of end-to-end encrypted content and communications. As compromising the integrity of end-to-end encrypted content and communications shall be understood the processing of any data, that would compromise or put at risk the integrity and confidentiality of the aforementioned end-to-end encrypted content. Nothing in this regulation shall thus be interpreted as justifying client-side scanning with side-channel leaks or other measures by which the provider of a hosting service or a provider of interpersonal communication services provide third party actors access to the end-to-end encrypted content and communications”.

(Amendment 389, 2023-07-28)

The Sweden Democrats have not criticized the government’s line domestically. However, in the European Parliament, the Sweden Democrats have clarified that they are opposed to the proposal. SD Parliamentarian Johan Nissinen has signed the same amendment as the Moderates and the Christian Democrats (amendment 389).

The Green Party, which was previously opposed to the proposal, has now chosen to support the government’s line, even though the Green Party initially said they did not want to support “the parts that involve mandatory scanning of private communication as it is formulated in the Commission’s proposal right now” (2023-04-18). The change is evident from the minutes of the Justice Committee’s meeting on 2023-09-14 and is confirmed by Rasmus Ling in an interview with Syre (2023-09-22).

The Social Democrats

The Social Democrats in Sweden support the Presidency’s (Spain) compromise proposal. This is reflected in the minutes of the Justice Committee meeting on September 14, 2023.

In addition, in the European Parliament, three Socialist MEPs are trying to use the same loophole to advocate for scanning of end-to-end encrypted services without banning end-to-end encryption.

Heléne Fritzon and Carina Ohlsson first want to introduce an amendment to allow for end-to-end encryption. They want to add the following point to Article 10’s list of technologies and safeguards.

“[The technologies shall be] not able to prohibit or make end-to-end encryption impossible”.

(From Amendment 1161, 2023-07-28)

In the introductory recitals, they also stress, together with Social Democrat MEP Evin Incir, that nothing in the proposal should be interpreted as prohibiting end-to-end encryption.

Nothing in this Regulation should therefore be interpreted as prohibiting end-to-end encryption or making it impossible.

(From Amendment 385, 2023-07-28)

However, Heléne Fritzon and Carina Ohlsson also want the following addition to Article 7 (Issuance of tracking orders).

For the scope of this Regulation and for the sole purpose to prevent and combat child sexual abuse, providers of interpersonal communications services shall be subjected to obligations to prevent, detect, report and remove online child sexual abuse on all their services, which may include as well those covered by end-to-end encryption, when there is a significant risk that their specific service.

(From Amendment 1049, 2023-07-28)

Other parties

The Left Party and the Center Party have, unlike the other parliamentary parties, chosen not to use the definitional loophole. Both the Left Party and the Center Party instead side with the children and distance themselves from the mass surveillance proposal that violates the Convention on the Rights of the Child.

This article is published under the CC BY 4.0 license, except for quotes and images where another photographer is indicated, from Nikka Systems.

The position of the Swedish parties

More information on the positions of all parties and MEPs can be found on the thematic website chatcontrol.se. The information on these positions is also updated on a weekly basis.
