The End of End-to-End Encryption?
End-to-end encryption (E2EE), a cryptographic technology that ensures digital communications are visible exclusively to the sender and intended recipient, is facing considerable scrutiny from regulators worldwide. Nefarious actors such as terrorist groups and child sexual predators exploit E2EE to avoid detection, compelling governments to take action. However, protestors, journalists, and activists also leverage E2EE to organize and expose abuses of power. This contrast in usage poses a significant challenge for regulators, who must limit the abuse of E2EE without subverting the privacy it offers users.
A new proposal from the EU, known as the CSA Proposal, seeks to address the use of E2EE in spreading child sexual abuse material (CSAM) online by mandating technology companies scan digital communications upon government request. Digital CSAM is a significant global issue — worldwide reports of it have increased by 10,000 percent since 2004. Nevertheless, human rights advocates assert this requirement significantly impairs E2EE, which is essential in guaranteeing freedom of expression. As digital surveillance expands worldwide, threatening minorities, journalists, and activists, the CSA Proposal imperils human rights globally due to the EU’s international prominence.
A founding principle of the EU is “respect for human rights, including the rights of persons belonging to minorities.” This commitment is essential to the EU’s foreign policy — the EU Charter of Fundamental Rights obligates the EU to “advance and consolidate human rights in EU external action.” The EU must remove the scanning requirement from the CSA Proposal to demonstrate commitment to these values and remain a global leader in human rights advocacy.
End-to-End Encryption
E2EE is a powerful tool for privacy. It prevents all third parties, including the communication service provider, from viewing a communication. As digital technologies have grown in sophistication and prevalence, E2EE has become easy to use and commonplace. WhatsApp and Facebook Messenger, two of the most popular E2EE messaging services, have 2.4 billion and 2.1 billion global users, respectively.
As digital surveillance expands worldwide, E2EE is vital for preserving free and open expression. Governments frequently target marginalized individuals such as minorities, political dissidents, and activists through digital surveillance, leading to arbitrary detentions, torture, and extrajudicial killings. Security forces regularly monitor the communications of protestors during periods of unrest. Digital technologies are essential to modern life but expose vulnerable groups to abuse. Given this, the United Nations High Commissioner for Human Rights contends that digital privacy and freedom of expression are inseparable, making E2EE a human right.
The Brussel’s Effect
Both critics and advocates of the CSA Proposal acknowledge it will have a global impact due to the EU’s international stature. As a global human rights leader, EU policy shapes the international understanding of what governments consider acceptable. By undermining E2EE, the EU allows other governments to deflect human rights concerns in their attempts to weaken E2EE by pointing to the EU’s regulations and credibility.
Furthermore, the EU wields tremendous power through its market, enabling it to influence corporate behavior by mandating specific requirements to operate in the EU. As the European market is the largest in the world, companies will presumably comply with EU regulations and will typically extend their new behavior to all markets for efficiency.
The worldwide diffusion of EU regulations in this manner, known as the “Brussel’s Effect,” is prevalent in the digital sector. For example, the EU’s General Data Protection Regulation (GDPR) impacts technology worldwide despite only applying in the EU. It is simply easier for companies to implement the requirements of the GDPR globally rather than maintain distinct functionality in each country. While the CSA Proposal’s scanning requirement only applies to individuals in the EU, the ability to scan E2EE messages will likely diffuse worldwide.
End-to-End Democracy
Amid rising authoritarianism worldwide, the EU’s CSA Proposal presents a significant risk in backsliding democracies and contradicts its commitment to human rights. The EU has spoken out against both democratic backsliding in Brazil and the violations of minority rights in India — two nations taking steps to weaken E2EE. Brazil temporarily banned WhatsApp three times for denying the government access to communications. India, which arrested political dissidents for criticizing the government online, passed laws requiring service providers to scan users’ content upon government request. By implementing the CSA Proposal, the EU not only undermines its stance on human rights but may grant oppressive actors the cover and tools necessary to weaken E2EE further and attack political dissidents and minorities.
Protecting Encryption
To preserve user privacy and security, the CSA Proposal affirms that compliance should not diminish E2EE. Nevertheless, the technology to implement the scanning requirement without weakening E2EE does not yet exist, and technical experts are skeptical about whether it is possible. Further, privacy advocates insist that including any way for a third party to view the communications would, by definition, corrupt E2EE.
The European Union should remove the scanning requirement from the CSA Proposal. Including this requirement will set a powerful global precedent that E2EE can be sacrificed for security purposes and strongly incentivize E2EE-breaking technology to be created. Countless examples, including E2EE itself, demonstrate that once developed technology cannot be restrained solely to intended uses.
Further, it will undermine the EU’s credibility in human rights debates. While it is fair to question if this will impede states already intent on undermining E2EE from doing so, there are historical examples of the EU using its stature to drive meaningful progress in human rights, such as abolishing the death penalty. To live up to its values and protect free expression, the EU must start by defending E2EE.
Author: Chris Borges
Managing Editor: Sebastian Reyes
Web Editor: Anusha Tamhane