Attention is surging onto the years-long EU ChatControl debate, due to the German government’s modification of its position from opposed to undecided. This shift puts the EU at risk of approving this dangerously ill-advised proposal. Aside from the incompatibility of ChatControl’s mass surveillance approach with EU privacy laws, there is another fundamental issue with the proposal: it won’t work. The best-case scenario for ChatControl is failure, while alternative scenarios are considerably worse.
What is ChatControl Looking to Control?
The goal of the ChatControl proposal is to detect any online material within messaging communications that indicates evidence of abuse, otherwise known as CSAM. EU legislation—Directive 2011/93/EU—defines CSAM, requiring member states to criminalize:
- Production, distribution, dissemination, and possession of CSAM
- Knowing access to CSAM websites
- Grooming of children online
It also requires the removal of CSAM websites hosted in the EU, and cooperation with international partners when hosted abroad.
There is no controversy about the value of stopping these criminal behaviors. However, ChatControl will not be effective for several reasons.
Technical Obstacles Will Prevent Effectiveness
One of the significant problems with the ChatControl proposal is that its mechanisms have already been assessed to be infeasible by expert bodies within the EU and Germany.
The European Parliamentary Research Service (EPRS) under the Science and Technology Options Assessment (STOA) framework performed an assessment and found critical technical gaps that will make ChatControl unreliable.
“Technologies to detect known sexual abuse material are accurate, whereas technologies to detect new child sexual abuse material and grooming are of substantially lower [accuracy].”
Furthermore, the study called out the lack of any practical solution for end-to-end encrypted communications, which is technically incompatible with the regulation's detection mandate:
“A number of weaknesses in the European Commission’s problem definition; notably it only discusses the challenges posed by end-to-end encryption in the fight against child sexual abuse material online to a limited extent.”
Finally, the EPRS assessed that there was a serious risk of miscategorizing consensual communication between teens.
Unintended Consequences for Law Enforcement
As part of the technical assessments of ChatControl, experts called out a significant downside risk for law enforcement—massive false positives. Due to the technical gaps that would prevent accurate surveillance, law enforcement agencies will likely be overwhelmed by false positive reports that would still require investigation. Some of these could easily end up in misdirected prosecutions that pull innocent people into a censorship dragnet.
The scientific service of the German Bundestag presented a strong critique of ChatControl to the Digital Affairs Committee. On top of the fear of total Internet surveillance, all nine experts warned that law enforcement would be overwhelmed by false reports.
The Most Obvious Problem: Evasion
A truism about surveillance is that it is always most effective when the target parties are unaware that they are being surveilled. ChatControl fails this basic principle since it will be announced as a law and known to all parties. Providers will likely need to inform their users regularly that they are being monitored for CSAM violations.
It’s not hard to predict what will happen next. All those who might be behaving criminally will flee surveilled platforms and either use E2EE services, TOR services, VPNs, darknet services, or other noncompliant messaging sites. The result will be that all the offenders the proposal purports to detect will no longer be findable.
The concept of ChatControl is likely to be a bust. But that’s just the best-case scenario.
Worse Than Failure—What Comes Next
Mass surveillance laws are hard to contain. What happens when the inevitable disappointment around the impact of law enforcement comes? Will the proponents of this government overreach admit failure and rescind the law? Sadly, no. It’s more likely that they will push for further Internet control and restrictions, starting with dismantling the vital protection that end-to-end encryption provides to businesses and governments across the EU by mandating backdoors doomed to be compromised, as shown by the Salt Typhoon hack.
But it could get far worse. Mass surveillance is a slippery slope, potentially leading to growing censorship and state control. We see how this ends if we look at the Great Firewall in China. That might seem far-fetched, but glancing across the Atlantic tells us we can’t be too careful about protecting fundamental rights. ChatControl opens a Pandora’s box. It must not be allowed to pass.
