Chat control - The war on privacy continues

© Chappatte in International Herald Tribune

Chat control: What is it?

Chat control is a form of mass surveillance that scans

  • people's private online communication (e.g. chats)
  • private online data (e.g. automatic cloud backups)

without prior suspicion, to detect CSAM.

An analog analogy

Image right: "surveillance-camera-1" by Electronic_Frontier_Foundation is licensed under CC BY 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by/2.0

  • chat control 1.0: Your landlord may install a surveillance camera in your home, because he/she doesn't want to house any potential child abusers
  • chat control 2.0: Your landlord must install a surveillance camera in your home, because your city has a high risk for child sexual abuse

Child sexual abuse almost always has an analog aspect. Why don't we surveil the analog world?

The digital world should not be a second class world in terms of privacy

"Montreux #8" (cropped) by ClearFrost is licensed under CC BY-SA 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/2.0/

Why is it bad?

  • Much of our life happens online (even without COVID)
  • Chat control means that much of what is happening in our life is monitored
  • We communicate digitally even when we are physically close to each other.
  • Europe happens online. We need the internet to interact with each other across borders.

Where does chat control come from?

Flag of the EU

Based on two EU legal texts:

  • Regulation (EU) 2021/1232, chat control 1.0 (interim regulation): Scanning of private data is allowed
  • COM(2022) 209, chat control 2.0 (proposal): Scanning of private data is required

The first is currently in effect; the plan is to replace it with the second.

Who's to blame for chat control?

Ursula von der Leyen presents her plan for internet censorship in Germany
Ursula von der Leyen, President of the European Commission

Politicians try to make laws for something they don't understand

Image source: Clemens Bilan/EPA-EFE https://www.politico.eu/article/criminal-complaint-frederic-baldan-european-commission-president-ursula-von-der-leyen-pfizer-albert-bourla-coronavirus-vaccine/

Private communication - The Pfizer SMSs

The Commission drafts laws, the EU Parliament and the EU Council make amendments. There has to be agreement between the three bodies in the end.

EU: Legislative Process

Simplified Ordinary Legislative Procedure. There are some approval loops missing. A proposal can be rejected at any stage by the Parliament and the Council.

The European Parliament's position: Most bad things removed

  • No mass surveillance. Only targeted surveillance when there is reasonable suspicion
  • No scanning of end-to-end encrypted messages (i.e. no client-side scanning)
  • Requirement to design online services to be safer for minors to use
  • Requirement to delete detected CSAM instead of blocking
  • No age restriction for communication apps

2 days ago: Sudden shadow rapporteur meeting.

The Council of the EU: No agreements so far

EU Council timeline
2023a Sweden: Minor weakening of scanning obligations
2023b Spain: Forbid end-to-end encryption
2024a Belgium: Force user to agree to be scanned
2024b Hungary: Only known CSAM, no grooming detection. Still mass surveillance
2025a Poland: Scanning must be voluntary
2025b Denmark: Move closer to original Commission proposal

🇩🇰 Danish presidency compromise text 🇪🇺

  • Largely the same as Belgian text (from 1 year ago!)
  • Mandatory detection orders and online service risk classification
  • Consent banners for violating confidentiality of communication
  • Detection of visual content and URLs
  • Detection of new CSAM is in scope (false positives, here we come!)
  • Detection in E2E should be done via client-side-scanning
  • Still mass surveillance 🤦

Danish compromise text: How to scan

When issued a detection order, the service shall

  • Install and operate software approved by the EU Commission
  • If E2E: Scan messages prior to transmission
  • If E2E: the EU centre assesses whether the scanning technology weakens the encryption
  • No scanning for special accounts: National security, law and order, military
  • No use of technology that would introduce security risks for which it is not possible to take any effective measures to mitigate the risk

Near future and potential next steps

13-14 October: Council session to discuss

  • chat control 2.0
  • UN cybercrime convention

Germany's new interior minister doesn't care much about fundamental rights and he might support the new Danish compromise text.

Countries with larger populations have more voting power in the council

screenshot from https://radar.dk/artikel/schaldemose-er-klar-til-udvide-brug-af-chatkontrol-userioes-modstand

Meanwhile, Danish politicians confirm our concerns ...

  • They also want chat control for other crimes.
  • This would normalize mass surveillance of private data

To Brussels!

Freedom not Fear conference banner

  • I arranged a meeting in Brussels with MEP Christel Schaldemose in the European Parliament

Discussing chat control with a Danish MEP

  • We agreed that the police have to be able to fight crime
  • But we did not agree on the methods that the police should be allowed to use
  • My technical arguments didn't seem to impress her
  • She wants to ensure that the police can still wiretap conversations like they did with telephones
  • It seems that I could not explain my concerns well enough

We need to talk about privacy

EU Charter of Fundamental Rights

Article 7 - Respect for private and family life

Everyone has the right to respect for his or her private and family life, home and communications.

Article 8 - Protection of personal data

  1. Everyone has the right to the protection of personal data concerning him or her.

Why is privacy important?

Case study: Vastaamo Clinic in Finland (1/3)

  • It's 2020 and the coronavirus causes world-wide lockdowns
  • A psychotherapy clinic in Finland is hacked; patient records and conversations with therapists are stolen
  • Approximately 27500 patients affected

Case study: Vastaamo Clinic in Finland (2/3)

  • The cybercriminal tried to extort the clinic and released highly personal medical information piece by piece on the internet
  • Patients started committing suicide as their deepest secrets were made public

Case study: Vastaamo Clinic in Finland (3/3)

  • Eventually the complete dataset was available online
  • The released data caused extreme additional trauma for patients who already had psychological issues

Director of National Intelligence Tulsi Gabbard

Case study: Hostile Takeover of the USA Intelligence Apparatus (1/3)

  • It's 2025 and Tulsi Gabbard becomes Director of National Intelligence
  • Her team identifies trans agents who have been communicating about their special needs and experiences in an internal forum

Case study: Hostile Takeover of the USA Intelligence Apparatus (2/3)

  • The posts were encouraged under the old administration
  • The agents got fired despite doing nothing wrong
  • The agents thought they had nothing to hide and were loyal towards their employer

Case study: Hostile Takeover of the USA Intelligence Apparatus (3/3)

  • But they did not foresee a future administration that betrays their trust.
  • Other agents will probably avoid using internal communication methods in the future

Signalgate

Chat message from Michael Waltz showing a fist, the USA flag and a fire emoji

Signalgate chatlog

Signalgate (1/2)

  • Some of the most important people in the US administration joined a Signal group chat
  • They used the insecure TeleMessage client
  • Mike Waltz accidentally invited Jeffrey Goldberg, editor-in-chief of The Atlantic

Signalgate (2/2)

  • Highly confidential information was accidentally leaked to the press
  • Information that could potentially endanger US soldiers
  • Unintended recipient: Chat control in action!

The European Commission's comment on Signalgate

I wrote an e-mail to Commissioner Magnus Brunner, describing the situation with Signalgate and that with chat control we would have similar leaks.

I got a standard non-reply from the director general which basically didn't address any of my points. The response emphasized the importance of child protection and that the regulation ensures compliance with fundamental rights.

It seems the department of home affairs doesn't care about likely negative consequences.

Going Dark & ProtectEU

Whose opinion does the Commission listen to?

Blacked out participant lists of the Going Dark group
  • The EU Commission has been advised by the "going dark group".
  • The list of participants and meetings has been requested and is shown on the right:
  • Members are probably law enforcement and intelligence officers
  • They want "access by design" for cars, smart homes, computer systems, ...
  • Do the good guys need to black out their names?
The four horsemen of the apocalypse by Albrecht Dürer

ProtectEU

  • The European Commission has released a strategy paper called "ProtectEU"
  • It proposes a large number of surveillance measures
  • It lists Russia, terrorists, organised crime and child abusers as threats
  • A reframing of the controversial chat control bill?

Expert Group for a Technology Roadmap on Encryption (E04005)

  • Restructuring of responsibilities in the EU Commission: Split responsibility for chat control:
    • DG HOME Commissioner Magnus Brunner (predecessor: Ylva Johansson)
    • DG Connect: Commissioner Henna Virkkunen

New development: A new expert group that also genuinely takes into account the technological reality

  • But: The Commission still wants to pass the law, regardless of whether it makes technical sense or not
  • Bad legislative practice: It's not possible to predict the negative consequences of technology that has not been invented yet

My opinion: Fundamental cryptographic knowledge is all you need

  • Any intentional design flaw or "special access key" will eventually leak, making everyone insecure
  • State-of-the-art cryptographic algorithms rely on expensive computation and a combinatorially large key space to protect data: without the key, recovery is computationally infeasible
  • We also have quantum-resistant encryption now: FIPS 203 (ML-KEM)
  • Criminals can always use their own non-backdoored encryption
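To make two points from these slides concrete, the "scan messages prior to transmission" step of the Danish compromise text and the observation that anyone can layer their own encryption underneath, here is an added toy model. It is not code from the talk, nor from any messenger or detection vendor. It assumes, hypothetically, that the detector is an exact-match lookup of SHA-256 digests in an opaque list pushed to the client, and that the E2E layer is a small HMAC-SHA256 counter-mode stream cipher standing in for a real protocol such as Signal's. Real deployments use perceptual hashes and classifiers, which makes matching fuzzier but no more transparent; the ordering, inspect first and encrypt second, is what matters. All sample content is constructed.

```python
# Added illustration for these slides: a toy model of client-side scanning
# ("scan prior to transmission") in an end-to-end encrypted messenger.
# Not code from the talk, from any messenger, or from any detection vendor.
#
# Hypothetical assumptions:
#   * the detector is an exact-match lookup of SHA-256 digests in a list the
#     provider pushes to the client (real systems use perceptual hashes and
#     ML classifiers, which only makes matching fuzzier, not more transparent);
#   * the "E2E" layer is a toy stream cipher (HMAC-SHA256 in counter mode with
#     a random nonce) standing in for a real protocol such as Signal's;
#   * every sample message below is constructed; nothing stands for real material.
import hashlib
import hmac
import os

NONCE_LEN = 16


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class DetectionList:
    """Opaque list of digests delivered to the client.

    The client can test whether a message matches, but cannot tell what any
    entry stands for.  An entry for "known CSAM" and an entry for a privacy
    guide URL look identical from here.
    """

    def __init__(self, samples=()):
        self._digests = {digest(s) for s in samples}

    def add(self, sample: bytes) -> None:
        self._digests.add(digest(sample))

    def matches(self, plaintext: bytes) -> bool:
        return digest(plaintext) in self._digests


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def toy_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def client_send(plaintext: bytes, session_key: bytes, detection_list: DetectionList):
    """What a detection order asks of the client: inspect the plaintext, THEN encrypt.

    Returns (wire_bytes, report); report is the digest forwarded to the provider
    or EU centre, or None.  The wire bytes are exactly as encrypted as before;
    the inspection simply happens on the endpoint where plaintext must exist anyway.
    """
    report = digest(plaintext) if detection_list.matches(plaintext) else None
    return toy_encrypt(session_key, plaintext), report


def scenario() -> dict:
    """Run the three cases discussed on the slides and return what the scanner did."""
    session_key = os.urandom(32)
    listed = b"constructed stand-in for listed content"  # constructed, not real material
    detection_list = DetectionList([listed])
    results = {}

    # 1. Listed content is flagged before encryption; the ciphertext still decrypts.
    wire, report = client_send(listed, session_key, detection_list)
    results["listed_flagged"] = report is not None
    results["listed_still_encrypted"] = wire[NONCE_LEN:] != listed
    results["listed_roundtrip"] = toy_decrypt(session_key, wire) == listed

    # 2. Scope creep: the client code is unchanged, only the opaque list grew.
    detection_list.add(b"https://www.privacyguides.org")
    _, report = client_send(b"https://www.privacyguides.org", session_key, detection_list)
    results["guide_url_flagged"] = report is not None

    # 3. "Criminals can always use their own encryption": pre-encrypt with a key
    #    the scanner never sees; it hashes ciphertext and finds nothing.
    own_key = os.urandom(32)
    _, report = client_send(toy_encrypt(own_key, listed), session_key, detection_list)
    results["pre_encrypted_flagged"] = report is not None

    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Running it prints that the listed sample is flagged while its wire bytes stay encrypted, that the privacy-guide URL is flagged as soon as its digest is in the list, and that the pre-encrypted copy of the very same listed sample sails through. The detector's reach is decided entirely by whoever controls the list, and it catches only people who did not bother to add a layer of their own.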

Backdoors are a security risk: Salt Typhoon (2025)

Since then, another new China-backed hacking group called “Salt Typhoon” appeared in the networks of U.S. phone and internet giants, capable of gathering intelligence on Americans — and potential targets of U.S. surveillance — by compromising telecom systems used for law enforcement wiretaps.

https://techcrunch.com/2025/01/10/meet-the-chinese-typhoon-hackers-preparing-for-war/

Conversations of Kamala Harris and Donald Trump were wiretapped by China

Joint statement of FBI, NSA, CISA, ...:

Ensure that traffic is end-to-end encrypted to the maximum extent possible.

There is no backdoor just for the good guys!

Meme picture of JD Vance

Extremist Propaganda (2025)

  • A Norwegian tourist is forced to hand over his smartphone at the US border after a long flight
  • Border control agents make remarks about extremist propaganda on his smartphone (shown right)
  • They deny him entry, giving the silly reason that he had legally smoked weed twice
Viktor Orbán on a pride flag

Extremist Propaganda (Europe edition)

  • There are still EU countries where LGBTQ+ rights are under threat
  • Chat control could be used as a justification to scan for additional "extremist" content
  • Minorities need their (online) spaces to find each other and make sense of the world

The internet as a space without prejudice

Crucially, the internet was a place of self-discovery. It was where you could stumble upon different worldviews, confront your prejudices, engage with others who were different from you – and in doing so, learn more about yourself. For many of us, it was the first space where we could voice our thoughts without fear of judgment, a safe haven where we could explore our identities.

source: https://www.joanwestenberg.com/p/i-miss-the-internet

Surveillance harms minorities the most

  • Surveillance is a tool to enforce conformity
  • People who don't fit mainstream stereotypes are under the most pressure to not be themselves
  • Every chat message that talks about unusual but harmless things can trigger the detection algorithms
"Facebook CEO Mark Zuckerberg at the EP" by European Parliament is licensed under CC BY-NC-ND 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-nd/2.0/

Big Tech &
The Government

  • Big tech is a bad inspiration for mass surveillance
  • Facebook is a fancy-looking dystopia
  • The EU must do better and not use BigTech as a reason to disrespect the confidentiality of online spaces
  • This is a matter of principle
"Seat Belt #1" by sirwiseowl is licensed under CC BY-NC-ND 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-nd/2.0

On Encryption

  • Technologists know how information flows through the internet
  • Encryption is our seat belt on the information superhighway
  • You could use the internet without it, but it would be irresponsible
  • IT security people are really upset about the chat control bill, because it messes with the things that keep us safe.

Internet-safety: Both for children and grown-ups

  • Internet-Safety starts with private data safety.
  • Anonymous internet usage is a very powerful protection, especially for children
  • Better education is needed for both parents and children
  • Surveillance platforms like Facebook should be avoided
  • Nicknames instead of real names are a much better fit for the internet, and they protect children as well.

Shout-out to https://www.privacyguides.org 😻

CSA directive: Redefinition of CSAM

  • Another EU law: CSA directive 2024/0035(COD)
  • Actually an updated version of a really good child protection law
  • Introduces new category of CSAM: Pedophile manuals
  • Potential problem: Services with detection orders might flag privacy guides as CSAM

Online privacy is important for everyone, including children!

Thumbnail of YouTube video

German documentary: The end of the pedo forums (1/2)

  • 2 journalists worked for 3 months to automatically scrape links to CSAM from several darknet forums
  • Deleted 21.6 terabytes of CSAM data
  • 2 darknet forums shut down after the deletion and 1 became inactive

German documentary: The end of the pedo forums (2/2)

  • Effective deletion of CSAM on the internet. Relief for victims of sexual abuse
  • This is effective work that the police could do
  • Probably more effective than chat control

Dear Danish Council Presidency:

Our private communication is none of your business!

Questions?

(Slides will be posted on chatcontrol.dk)

  • Maladministration regarding communication with Thorn
  • Double standard: VdL wants our private messages to not be private
  • She probably doesn't use the internet much and won't be affected
  • Always a sense of urgency, but no agreement
  • Legal service: Mass surveillance is not okay
  • So many changes, negotiators lost track
  • Ever heard of the evil bit? What about open source software? Can we trust the Commission or the EU centre?
  • But she had no good arguments against them
  • Some measures recommended by the going dark group: Put it under a different umbrella to get more support?
  • Directorates-General
  • Privacy guides flagged as CSAM?