EU ‘Chat Control’ proposals should be red flag to businesses everywhere

Data privacy campaigners have warned that any celebration of the news that the European Union (EU) has abandoned its plans to break end-to-end encryption in mobile messaging apps could be short-lived.  According to one expert, this announcement should be a “red flag” to organizations operating within Europe.

There has been a long-standing threat to end-to-end encryption within Europe, as tech companies have battled with legislators over the EU Council’s attempt to limit messages shared by child sexual abusers through scanning of communications. Hoping to calm companies’ fears, on November 26, the Council issued a statement saying that all monitoring of communications will be performed by providers on a voluntary basis. It also announced a modified approach to the automated scans, dubbed Chat Control by privacy campaigners, as a new way of tackling child abuse online.

However, privacy campaigner and former member of European parliament Patrick Breyer noted, “the enterprise aspect was often overlooked in this debate.”

While there has been plenty of talk about the protection of individuals, Breyer said that, for CISOs and enterprises, the EU proposals should be a red flag. He pointed out there could be a real risk of the leakage of sensitive data. “The technology has high error rates. For a corporation, a ‘false positive’ could mean that confidential internal documents, code, or strategic plans are flagged and sent to external authorities or police forces without the company’s knowledge,” he said. 

Breyer has been a long time critic of the EU proposals, and feels that the move to voluntary monitoring of communications is not enough protection.

“The headlines are misleading: Chat Control is not dead, it is just being privatized,”  wrote Breyer on his website. “What the Council endorsed today is a Trojan Horse. By cementing ‘voluntary’ mass scanning, they are legitimizing the warrantless, error-prone mass surveillance of millions of Europeans by US corporations, while simultaneously killing online anonymity through the backdoor of age verification.”

Breyer’s position is supported by another digital privacy group, European Digital Rights (EDRi). It posted a statement on LinkedIn saying that digital rights may still be at risk. “We want to be absolutely certain that lawmakers don’t leave loopholes that would lead to harm,” it said. “For example, the Council text would have been better if it expressly rejected the use of ‘client-side scanning’ tools, as a lot of discretion is still left to national authorities.”

In particular, EDRi drew attention to the possibility of voluntary monitoring. “This means that Big Tech companies can decide to scan your personal messages, without suspicion that you’re doing anything wrong, and apply error-prone predictive AI tools to look for evidence of abuse. This sort of scanning already happens, with very little transparency and oversight, and no proper legal basis,” said the organization.

And for corporations looking to protect their intellectual data and maintain secure communications, the threat is very real, said Breyer. “In short: If this proposal passes, no European company can guarantee the confidentiality of its communications any more.”

This article originally appeared on CSOonline.