A MacBook closing, its light fading.
The instruments of the state could soon be used to invade the digital privacy of every European. This spectre that looms over our shared digital landscape is known as Chat Control, and is ever-nearing adoption as law by the EU.

The Spectre of Chat Control, and the Death of Digital Anonymity

Digital privacy, often underrated as a freedom, is in an internet-defined age a vital part of our democracy. Chat Control would kill it.

In great comfort we tend to forget which values are important for society to thrive in a liberal democracy. With the recent influx of authoritarian right-wing leaders in the world, and specifically in the Eurozone, people ought to think twice about how the political climate is evolving, and which changes are to follow. 

What many fail to realize is that it’s not the election of an authoritarian leader which marks a country’s descent into an autocratic and fascistic state. The foundations of authoritarianism lie rather in the tools that politicians have access to, and the powers implied in them. The speed at which an autocracy can be established is predetermined by elements such as the nature of the relationship between the government and media, and whether the media is given the freedom to publish without consequence. The more freedoms are tampered with, the easier it will be for further erosions to occur.

Many right-wing leaders utilize fragmented laws that have been curated in their favor, an example being Erdogan using PKK sympathies as a way to label people as supporters of terrorism, enabling him to suppress journalists and law-abiding citizens, even outright putting them in jail. 

In the EU, the path that will allow those leaders to flourish can already be seen in ongoing proposals like Chat Control (under the banner of ProtectEU), as well as hardline rhetoric against VPNs (Virtual Private Networks) and digital anonymity. Chat Control has been proposed as a measure to halt or stop the spread of child sexual abuse material, and to track organized crime as well as cybercrime.

On the surface, this is all Chat Control is supposed to be, a simple tool meant to “solve” these issues and nothing more. It is, however, a little more complex than that. Chat Control is fundamentally a piece of software (or backend tool) that private companies will be forced to use in their messaging and email/storage platforms, the main purpose of which is to scan messages and files before they get encrypted.

In today’s tech world many companies are using end-to-end encryption (E2EE), including Meta, Signal and Telegram. In these environments, Chat Control would record and scan every message that gets sent before it gets encrypted. Once it’s encrypted it is sent to the receiver, and the same applies in the other direction.

E2EE is a very sophisticated form of encrypting communication, the reason being that only the communicating entities are able to read the messages that get sent. You can imagine this as Bob writing a letter with a specific pen, wherein the pen contains a very particular ink that only allows Anna to read it. When Bob sends this letter to Anna it goes through the postal system, and should any person in the postal office open it they will be presented with an empty white paper where the words themselves are invisible. The postal service sends the letter to Anna, and only when Anna opens the letter will she see the message that Bob wrote.

In this analogy, Chat Control can be used by the postal worker as a specific light which can illuminate the ink and therefore let someone else read the message. 

So what’s the big deal, you might ask? Well, it boils down to three forms of implementation, which summarize the overall elements and their implications.

Limits and scope

Under the umbrella of Chat Control all forms of messaging or communications will be monitored. This covers both messaging apps and email platforms, on top of cloud and file storage services.

What this means for the end user is that any company that provides any of the mentioned services to EU citizens must deploy Chat Control. It doesn’t matter if the company has its servers outside the EU or is based outside of the EU. This in turn effectively means that all social media and data providers will be subjected to the processes and conditions of Chat Control.

Users and their data will be indiscriminately analysed, as the monitoring will be a constantly ongoing process. The legal ramifications of tracking users will effectively cease to mean anything. In fact, although companies such as Google already do scan user data on their Drive and other platforms, Apple does not, as it encrypts a user’s data so that even they cannot read it. But with Chat Control, Apple would be forced to change. 



Automation and AI

The implementation of Chat Control involves both automated systems and the use of artificial intelligence to scan, label and send user data to law enforcement directly, should there be suspicions of storing or sharing abuse material. The methods of automation and the dataset on which the AI will be trained are unknown to the public, as are the methodologies it will use. This means that regular citizens or third parties won’t be able to see how Chat Control is deployed, nor how it will operate or if it will do its job faithfully.

Previous studies from both Irish and Swiss law enforcement have shown that automated searches for known abuse material have a very high error rate (80%), where a majority of cases are criminally irrelevant. This means in practice that more resources of law enforcement are wasted, as is potentially the time of law-abiding citizens, who have had their privacy violated and been reported to the police for no reason.

The usage of AI does not add comfort, and as the methods used remain behind closed doors, no-one can be sure that the AI has been trained correctly. As of right now, there are no guidelines in Chat Control for how the usage of AI would be vetted by third parties, or by those who can make sure the due process is upheld.

Verification and censorship

Any companies mentioned previously that would fall under the umbrella of Chat Control would be forced to verify the age of their users; this is to ensure that no underage users can be reached by nefarious actors. To guarantee that the user is not underage naturally means a full user verification, which in the majority of cases requires the upload of government ID, and potentially also the upload of a feed of a face scan. Any service that fails the aforementioned steps or is deemed to be failing to adhere to previous elements would be banned and blocked through internet service providers.

The main problem with this is that there would no longer be any freely accessible communication in the EU. Any journalist, whistleblower or human rights defender would not have any access to communication services which would allow them to do their work in a secure and safe way. At that point Virtual Private Networks (VPNs) would be the only option for users to access the web without any form of tracking. Since most users are not tech savvy, this would mean that a majority probably wouldn’t use a VPN and would instead simply swallow the tracking.

This would allow for an internet infrastructure that draws similarities with China’s Great Firewall, as an example. Should Chat Control be implemented in the future, and considering its nature, there would be quite a high risk that VPN accessibility would be cracked down upon and limited, either through monetary means (i.e. Visa/Mastercard would have to block the transactions of EU users) or by forcing VPN companies to track and record their customers.

As the points above and their implications demonstrate, Chat Control has not addressed the “elephant in the room”: the security of how it gathers and stores data. Chat Control, in forcing apps to have a digital “backdoor”, would open a possible attack vector for malicious groups or foreign state actors to abuse, and risk leaking user data. Considering the unknowns of how Chat Control will be implemented with respect to data storage, the risk of data leakage is high. It is quite common that actors that rely on “security through obscurity” in many cases face data leaks from those who wish to expose and stop them. Not all who want anonymity are criminals.

To see where the risk of abuses exists, even within Europe, one need look no further than Germany. German law enforcement and its domestic intelligence agency designated the political party AfD as a right-wing extremist party. What this means is that intelligence services are allowed to intercept AfD politicians’ phone calls and use undercover agents to infiltrate the party. Some may think that this is justifiable considering the AfD’s controversial agenda, history and leadership, and politicians may then see this as a natural way to defend the principles of democracy.

Consider, then, that should any right-wing extremist party get into power in the future, the same methods could be applied to left, liberal and other opposing parties, and Chat Control would prove itself to be quite a strong tool for these extremists to utilize. The same tools we use to defend democracy will be the exact same tools that authoritarian regimes will utilize to entrench their power.

Chat Control-like security powers are what enable nationalistic and authoritarian leaders to flourish and cement their firm grip on power. Monitoring every interaction at large scale allows them to see any potential dissident, any person who might be considered a potential threat to their regime, and to stop any form of uprising before it assembles or forms. This is the strength that Chat Control would give ruling parties or leaders. 

The anti-privacy rhetoric is already in full swing in the current political climate, as is exemplified in an interview with Catherine De Bolle, head of Europol, when she states that “Anonymity is not a fundamental right” and that “When we have a search warrant and we are in front of a house and the door is locked, and you know that the criminal is inside the house, the population will not accept that you cannot enter.” 

The sentiments mentioned by De Bolle are what we should be careful of. Whenever citizens are told to sacrifice some of their freedoms for some ill-defined amount of safety, it should inspire caution and scepticism, because those changes are there to stay, and in the majority of cases would mean that there is no going back. Chat Control’s nature is to operate silently in the background, meaning that a majority of people would not even notice that they are actively being monitored, and as such there would be no drive to push back and reverse the law.

Criminality is the best angle by which these legislators justify their anti-privacy laws, while they all neglect to mention the implications for the average law-abiding citizen and how much power it ultimately gives ruling politicians. Rather, they focus on the extremes – the small minority – as a way to become untouchable against critics.

Chat Control extends surveillance into a large share of our digital communication. Because of that, the EU would effectively be borrowing practices from authoritarian countries like China. To answer whether legislation like this really will tackle criminality, we can actually look at what results China has gotten. Recent findings from the Supreme People’s Procuratorate (China’s supreme court) have shown that abuse material is tough to crack, and that crimes against minors have increased despite WeChat, Weibo and other Chinese social media platforms requiring full user identification, the tracking of users and the recording of interactions.

Chat Control has not been passed yet and is currently still under discussion. Over the years since it was introduced in 2022 it has undergone changes proposed by various EU countries. And although this has yielded surface-level changes, its main purpose is still to be used as a tool for surveillance and the tracking of users online, with vaguely defined limits and the potential for deeply invasive monitoring.

However, despite its controversy it is still on the table, and by the looks of it, it seems that a majority of countries in the EU are now in favour. Currently only Austria, Belgium, the Czech Republic, Finland, the Netherlands and Poland are opposing, while Estonia, Germany, Slovenia, Luxembourg, Greece and Romania are currently undecided and still reviewing the proposed law. All EU governments need to finalize their evaluation by the 12th of September, and the final deliberation is set to be on October 14th, meaning if Chat Control gets approved it could be introduced as early as October this year. Sound the alarm bells.


Image Attributions

“Close-Up Shot of Macbook Laptop” by Adrian Regeci // Licensed under Pexels