Tag Archive for: Encryption

Telecom operators must not become content police

/in , ,

Telecommunications companies are the backbone of the Internet, akin to road maintenance operators tasked with ensuring smooth and functional infrastructure. Just as road operators are not expected to monitor vehicles for illegal goods, telecom operators should not be burdened with policing Internet content. Their role would shift drastically from facilitators to enforcers if tasked with such responsibilities.

Intermediaries Are Not Responsible for Data Content

Under the EU’s Digital Services Act (DSA), intermediaries like telecom companies are not liable for content transmitted or stored by their users under certain conditions. The DSA also prohibits general monitoring obligations. However, recent EU legislative initiatives have started imposing new responsibilities on intermediaries, stretching the limits of this limited liability.

For instance, under Article 17 of the DSM Directive, online content-sharing service providers might be held accountable for copyright infringements. Other regulations increasingly require telecom operators to block or monitor online content, such as those addressing terrorist content or child sexual abuse. Even seemingly unrelated laws, onto the operators, like those governing payment services, propose shifting liabilities, such as financial losses from spoofing.

Protecting Communications Secrecy

Commission proposals like the CSAM Regulation suggest requiring all communication services to inspect users’ messages, undermining encryption. Scanning messages before encryption negates its purpose, much like obliging postal workers to read letters before sealing them. The European Court of Human Rights ruled in Podchasov v. Russia (2024) that weakening encryption violates human rights. Yet, Europol and Member States’ police chiefs recently called for breaking encryption for investigations.

These proposals often lack technical understanding, expecting telecom companies to assess the legality of all communications—an impossible and intrusive task. Content regulation should target platforms or sources, not infrastructure providers.

Legislation that weakens communication secrecy threatens human rights, risking a surveillance state akin to China. Good intentions cannot justify such erosion of freedoms.

Asko Metsola

Former legal advisor of FiCom

Joint industry call for allowing the continuation of current Child Sexual Abuse detention practices

/in ,

Together with other industry associations, EuroISPA is calling on EU Member States to allow the continuation of current Child Sexual Abuse detection practices.

Building on our previous joint statement welcoming the extension of the temporary ePrivacy Directive derogation, we reaffirm that proactive measures against CSA have been instrumental in protecting children online over the past decade.

Read the joint statement

Joint industry call for protecting encryption in the Child Sexual Abuse Regulation

/in ,

Together with other industry associations, EuroISPA is calling on EU Member States to preserve the integrity of end-to-end encryption in the Child Sexual Abuse Regulation, and to protect both safety and privacy in the Council position.

Some worrying suggestions have been put on the negotiating table last week which are highly problematic for the privacy of users and the security of the Internet. In our joint statement, we point at other avenues for improvement, including voluntary detection and prevention.

Read the joint statement

Cybersecurity in the EU: Milestones, Challenges, and the Road Ahead

/in , ,

The past year has brought several significant developments at EU level both in the Cybercrime and Cybersecurity field.

The adoption of the European Commission’s flagship project, the e-Evidence Regulation, in the summer of 2023, was a significant milestone given the ongoing discussions on the topic since 2017. For the first time, law enforcement authorities will now be able to directly address service providers established on the territory of a different Member State. The focus will now be on the technical implementation of the Regulation in the Member States, where new challenges will be posed by the EU-wide harmonisation of the national technical platforms for the secure exchange of data between law enforcement authorities and service providers via a decentralised IT-system.

Another central topic is the importance of encryption. The initial proposal on the Regulation to combat child sexual abuse stipulated detection measures that would have significantly undermined the use of end-to-end encryption in communication services. This provoked a huge wave of criticism showing that secure communications are also important to the broader public. This response ultimately led the European Parliament to explicitly exclude end-to-end encrypted communications from the scope of the Regulation.

At EU Member State level, the implementation of the NIS-2-Directive is still ongoing and will require substantial efforts by the affected companies, especially those that have not been subject to any cybersecurity requirements until now. On the other hand, providers of electronic communication networks and services are already under a sector-specific security regime as part of the European Electronic Communication Code. It will therefore be important that the national implementation of the NIS-2-Directive take into account the already existing security concepts in this sector and only stipulate additional measures where these would in fact lead to a higher level of security.

A political agreement on the Cyber Resilience Act has been reached, which harmonises cybersecurity standards for products and software with digital components and will also assist providers under the NIS-2-Directive to ensure supply chain security. Finally, it must be noted that the enormous frequency of new legal acts in the field of cybersecurity in recent years poses major challenges for the companies affected by them, as their internal processes must constantly be adapted, and it is often hard to find the necessary skilled workers to implement new requirements. With this in mind, along with the new mandate coming up this year, the focus of the upcoming European Commission should be on the smooth implementation of these legal acts rather than on new proposals.

Andreas Gruber
Former Chair of the EuroISPA Cybercrime & Cybersecurity Committee

EuroISPA hosts expert roundtable on privacy and encryption

/in , ,

On Thursday, 23rd of March 2023, EuroISPA hosted an in-person expert roundtable on privacy and encryption, organised in the context of the European Commission’s proposal for a Regulation to prevent and combat child sexual abuse.

The event gathered a distinguished expert panel comprised of Mr Matthew Green, Associate Professor at the Johns Hopkins University and expert on applied cryptography and cryptographic engineering, Ms Arda Gerkens, CEO and founder of EOKM, as well as Ms Ella Jakubowska, Senior Policy Advisor at EDRi.

EuroISPA’s Board member, Thomas Bihlmayer (eco), moderated the discussion and introduced EuroISPA’s views from its position as a constructive contributor to child protection and privacy debates, thanks to its diverse membership (hotlines, ISPs of all sizes, platforms, cloud infrastructure services, etc.) that is at the forefront of the efforts to protect children online.

He highlighted EuroISPA’s commitment with the Commission’s objective to prevent and combat child sexual abuse and noted concerns over several aspects of the proposal. He focused on the operability of the regulation and on the dangers of breaking encryption, which will have a direct impact on the technical Internet infrastructure and impede efforts to create an Internet which enhances trust, user privacy, and freedom of expression.

Professor Matthew Green expressed concerns about the lack of understanding of the technical implications of the Commission’s proposal, and the possible harm that could bring to the security of global communications systems. During his intervention, he stressed the technical limitations of such proposed measures and the issue of over-relying on them, considering encryption is a very young area. For him, the proposal would benefit from an in-depth evaluation by scientists and researchers in Europe, which in his view should be seen as a pre-condition for mandating new technologies. (He shared his intervention in a more extensive version on his blog).

Representing the Dutch hotline, Arda Gerkens highlighted the issues of weakening encryption, compromising the security both for children and adults. She also noted the potential positive points, especially when it comes to the creation of a EU Centre as a centre for knowledge and support in the EU. She further explained how the approach of the Netherlands to fight child sexual abuse is working, noting some of the main elements that could be brought to EU level.

Finally, Ella Jakubowska raised the perspective of civil society. She explained why the proposed measures will lead to unreliable client-side scanning practices, undermining end-to-end encryption and making our devices more vulnerable to attacks from malicious actors, all without addressing the core issues or finding the right solutions to tackle child sexual abuse.

The panel discussion was followed by a Q&A session were participants had the opportunity to exchange about the compatibility of these measures with privacy legislation, the potential for improvement of scanning technologies as well as other solutions to allow fighting child sexual abuse without hindering privacy safeguards and fundamental rights.

This session is one of the different actions that EuroISPA is taking around encryption, privacy and the Commission proposal to fight Child Sexual Abuse Material online.

If you would like to know more about EuroISPA’s work on the topic, you can contact [email protected].

To read our Position Paper on the proposed CSAM Regulation, click on the button below.

READ OUR POSITION PAPER

Contact details

EuroISPA

38, Rue de la Loi
1000 Brussels

+32 2 789 6618

[email protected]

General contact information | Privacy policy