Civil liberties MEPs warn against undermining or circumventing encryption in CSAR

Content warning: contains discussions of child sexual abuse and child sexual abuse material

Amending the draft Child Sexual Abuse Regulation (CSAR)

On 30^th May 2023, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE committee) published the 1633 amendments (links at the end of this article) received on the draft Regulation laying down rules to prevent and combat child sexual abuse (2022/0155(COD)). These amendments were put forward by Members of the European Parliament (MEPs) in response to the ‘draft report’ (draft Parliament position) on the Child Sexual Abuse Regulation (CSAR) by the Rapporteur (lead MEP) Javier Zarzalejos (EPP).

The CSAR proposal is ostensibly a law to require digital service providers that operate in the EU (including social media platforms, message apps, email providers and app stores) to search online communications for evidence of child sexual abuse, as well as to check the ages of their users.

However, the law has been criticised for seriously violating human rights and lacking evidence of effectiveness of its measures by numerous civil society groups, data protection authorities, the legal service of the Council of the EU, the Commission’s own Regulatory Scrutiny Board, national parliamentarians, independent human rights advisors to the European Parliament, public prosecutors, police forces, child protection hotlines and more.

Over a dozen MEPs call on EU to go back to the drawing board

Showing that they have taken notice of this unprecedented level of concern that an EU proposal might violate the essence of the right to privacy, fourteen MEPs from four of the seven political parties tabled amendments rejecting the CSAR entirely (AMs 277, 278, 279 and 280).

Sending such a signal is a democratic prerogative of the Parliament. If followed, this would return the proposal to the European Commission. They would have to revise it in a way that is compatible with EU human rights laws. Whilst the Rapporteur has thus far expressed no desire to do this, these amendments reveal the high levels of discontent among MEPs about the CSAR – and should be seen as clear evidence that dramatic changes are needed in order to make the proposal acceptable.

The battle over end-to-end encryption

Unsurprisingly, the issue that gained the most attention was whether or not encrypted communications can or should be scanned for evidence of child sexual abuse material or grooming. As experts have repeatedly warned, it is not possible to scan the content of encrypted messages without fundamentally undermining the purpose of that encryption and introducing dangerous security vulnerabilities. These warnings were clearly heeded by a large number of MEPs.

Socialists & Democrats (S&D) MEPs Repasi, Wölken, Vitanov and Sippel proposed on behalf of their group that “the use of end-to-end encryption” should not just be “promoted” but in some cases even made “mandatory in accordance with the principles of security and privacy by design” (AM 287), expressly recognising that encryption also benefits children (AM 288). This was echoed by their S&D colleagues MEPs Tang and Saliba, who added that the law cannot lead to creating or facilitating “backdoors” (AM 359).

A group of over a dozen EPP, ECR and Renew MEPs led by Sara Skyttedal (EPP) warned against “compromising the integrity and confidentiality of end-to-end encrypted content and communications” (AMs 308, 353, 389, 695). These MEPs also rejected any access to the content of messages via a technique called client-side scanning (AM 383), with four EPP MEPs making a similar demand (AM 381). Client-side scanning has been proposed by the EU’s home affairs directorate, but technical experts warn that it amounts to distributed spyware.

The Left group’s MEPs Cornelia Ernst and Clare Daly also added wording which would protect encryption from measures “undermining or bypassing” it (AM 317) or which would discourage its use (AM 530). ECR’s Rob Rooken clarified that third parties accessing encrypted communications also constitutes a “bypassing” of the encryption (AM 392).

MEPs from five groups call to exclude encrypted communications from detection rules altogether

Rapporteur Zarzalejos’s draft report includes a new Article 6 a (AM 106) with wording that rules out any weakening of encryption. However, encrypted communications services as Signal or WhatsApp such are still in scope of the CSAR in his draft. What’s more, the same article expressly authorises detection orders for communications metadata, which can interfere with services such as Signal where the technical design protects metadata as well as content.

Four members of his group, the European People’s Party (EPP), MEPs Tobé, Polfjärd, Warborn and Kokalari, want to go further and propose that encrypted communications must be taken out of scope of the scanning requirements entirely (AMs 356, 391). An equivalent cross-group proposal is put forward by MEP Patrick Breyer and the Greens, Tang (S&D), Melchior (Renew), Rooken (ECR) and Terheş (ECR) (AM 897), and throughout the amendments on detection orders (which will be tackled in a separate blog).

On the other hand, four MEPs from the Renew group (Vautmans, Keller, Chastel and Ďuriš Nicholsonová) agreed with the Rapporteur that end-to-end encrypted communications should remain in scope (AM 328), echoed by Identity and Democracy (ID) MEP Bruna (AM 341).

Standalone articles protecting encryption

On behalf of their group, S&D MEPs Repasi, Wölken, Vitanov and Sippel proposed a new article fully protecting end-to-end encryption, and rejecting not only client-side scanning, but other similar techniques, or “any other software deployed on users’ terminal equipment,” showing their strong understanding of the problem from a technical perspective (AM 722). Another standalone article to fully protect encryption is found in a proposal from seventeen MEPs from EPP, Renew and ECR, which includes preventing client-side scanning (AM 875), with similar wording in a subsequent amendment by seven MEPs from EPP (AM 876). ECR’s Weimers, Terheş and Rooken also put forward a standalone protection of encryption (AM 877).

Additional amendments which would protect end-to-end-encryption, including through requirements not to weaken or undermine it, came from: S&D MEPs Tang, Saliba and Sippel (AMs 358, 360) as well as in a group with three more of their colleagues (AM 532, 608); from MEP Patrick Breyer on behalf of the Greens group (AM 380, 388); from ECR MEP Rob Rooken (AM 382); from ECR’s Sofo and Wiśniewska (535); and from non-attached MEP Puigdemont i Casamajó (AMs 390, 874) – although like the Rapporteur, he proposed to swap content for metadata, opening a can of worms which will be explored in the next article in this series.

Elsewhere, several MEPs clarify that risk mitigation measures – measures in Article 4 of the draft proposal requiring providers to safeguard their services – cannot undermine or compromise end-to-end encryption. This includes the Left’s Daly and Ernst (AM 790), echoed by ECR’s Rooken (AM 791); Tobé, Polfjärd, Warborn and Kokalari from EPP (AM 795); and Breyer and the Greens (AM 813);

Having their cake and eating it?

Taking a less clear approach than many of their colleagues, a group of thirteen S&D, EPP and Renew MEPs (AM 385) – including Renew’s shadow Hilde Vautmans – tabled an amendment to protect encryption, but in a way that would not actually make it fully protected. Their proposal would improve on the Commission’s text by requiring that encryption cannot be rendered “impossible” by the law, which seems to show an intention to protect encryption. At the same time, this is semantically vague, creating a potential loophole. This is because client-side scanning, for example, does not make encryption impossible – but rather, makes it pointless.

What this does show, however, is that no MEPs have proposed that it is acceptable to have an EU law which would prevent the widespread use of end-to-end encryption. This is an important message, given that several EU member states admitted in a leaked memo that they see the CSAR as a way to set precedent for generalised state access to encrypted communications.

Our verdict

The majority of amendments have recognised that either works for everyone, or it works for no-one. It seems fair to say that the amendments are largely in favour of fully protecting encryption, including preventing backdoors and client-side scanning, and even proposing to remove end-to-end encrypted communications from the scope of scanning obligations entirely.

That being said, our digital rights are not out of the woods. The minority that want to scan encrypted communications are, in the LIBE committee, led by Renew MEP Hilde Vautmans, who has publicly reiterated the European Commission’s widely-debunked claims that the CSAR proposal is safe and lawful.

What’s more, whether or not the Rapporteur will heed these amendments and respect the clear will of the European Parliament to protect encryption, a vital enabler of human rights, is still to be seen. The European Commission has been lobbying their fellow institutions to maintain their version of the text, with a leaked ‘non-paper’ simply dismissing the concerns that have been raised by lawyers, technologists and human rights specialists.

Look out for the second article in this series, which will examine how the LIBE amendments have tackled issues including age assessment and mass surveillance.