Tag Archive for: Encryption

Joint industry call for protecting encryption in the Child Sexual Abuse Regulation

Together with other industry associations, EuroISPA is calling on EU Member States to preserve the integrity of end-to-end encryption in the Child Sexual Abuse Regulation, and to protect both safety and privacy in the Council position.

Some worrying suggestions were put on the negotiating table last week which are highly problematic for the privacy of users and the security of the Internet. In our joint statement, we point to other avenues for improvement, including voluntary detection and prevention.

Cybersecurity in the EU: Milestones, Challenges, and the Road Ahead

The past year has brought several significant developments at EU level in both the cybercrime and cybersecurity fields.

The adoption of the European Commission’s flagship project, the e-Evidence Regulation, in the summer of 2023, was a significant milestone given the ongoing discussions on the topic since 2017. For the first time, law enforcement authorities will now be able to directly address service providers established on the territory of a different Member State. The focus will now be on the technical implementation of the Regulation in the Member States, where new challenges will be posed by the EU-wide harmonisation of the national technical platforms for the secure exchange of data between law enforcement authorities and service providers via a decentralised IT-system.

Another central topic is the importance of encryption. The initial proposal on the Regulation to combat child sexual abuse stipulated detection measures that would have significantly undermined the use of end-to-end encryption in communication services. This provoked a huge wave of criticism showing that secure communications are also important to the broader public. This response ultimately led the European Parliament to explicitly exclude end-to-end encrypted communications from the scope of the Regulation.

At EU Member State level, the implementation of the NIS-2-Directive is still ongoing and will require substantial efforts by the affected companies, especially those that have not been subject to any cybersecurity requirements until now. On the other hand, providers of electronic communication networks and services are already under a sector-specific security regime as part of the European Electronic Communication Code. It will therefore be important that the national implementation of the NIS-2-Directive take into account the already existing security concepts in this sector and only stipulate additional measures where these would in fact lead to a higher level of security.

A political agreement on the Cyber Resilience Act has been reached, which harmonises cybersecurity standards for products and software with digital components and will also assist providers under the NIS-2-Directive to ensure supply chain security. Finally, it must be noted that the enormous frequency of new legal acts in the field of cybersecurity in recent years poses major challenges for the companies affected by them, as their internal processes must constantly be adapted, and it is often hard to find the necessary skilled workers to implement new requirements. With this in mind, along with the new mandate coming up this year, the focus of the upcoming European Commission should be on the smooth implementation of these legal acts rather than on new proposals.

Andreas Gruber
Former Chair of the EuroISPA Cybercrime & Cybersecurity Committee

EuroISPA hosts expert roundtable on privacy and encryption

On Thursday, 23rd of March 2023, EuroISPA hosted an in-person expert roundtable on privacy and encryption, organised in the context of the European Commission’s proposal for a Regulation to prevent and combat child sexual abuse.

The event gathered a distinguished expert panel comprised of Mr Matthew Green, Associate Professor at the Johns Hopkins University and expert on applied cryptography and cryptographic engineering, Ms Arda Gerkens, CEO and founder of EOKM, as well as Ms Ella Jakubowska, Senior Policy Advisor at EDRi.

EuroISPA’s Board member, Thomas Bihlmayer (eco), moderated the discussion and introduced EuroISPA’s views from its position as a constructive contributor to child protection and privacy debates, thanks to its diverse membership (hotlines, ISPs of all sizes, platforms, cloud infrastructure services, etc.) that is at the forefront of the efforts to protect children online.

He highlighted EuroISPA’s commitment to the Commission’s objective to prevent and combat child sexual abuse and noted concerns over several aspects of the proposal. He focused on the operability of the regulation and on the dangers of breaking encryption, which will have a direct impact on the technical Internet infrastructure and impede efforts to create an Internet which enhances trust, user privacy, and freedom of expression.

Professor Matthew Green expressed concerns about the lack of understanding of the technical implications of the Commission’s proposal, and the possible harm it could bring to the security of global communications systems. During his intervention, he stressed the technical limitations of such proposed measures and the issue of over-relying on them, considering encryption is a very young area. For him, the proposal would benefit from an in-depth evaluation by scientists and researchers in Europe, which in his view should be seen as a pre-condition for mandating new technologies. (He shared a more extensive version of his intervention on his blog.)

Representing the Dutch hotline, Arda Gerkens highlighted the issues of weakening encryption, which compromises security for both children and adults. She also noted the potential positive points, especially when it comes to the creation of an EU Centre as a centre for knowledge and support in the EU. She further explained how the approach of the Netherlands to fight child sexual abuse is working, noting some of the main elements that could be brought to EU level.

Finally, Ella Jakubowska raised the perspective of civil society. She explained why the proposed measures will lead to unreliable client-side scanning practices, undermining end-to-end encryption and making our devices more vulnerable to attacks from malicious actors, all without addressing the core issues or finding the right solutions to tackle child sexual abuse.

The panel discussion was followed by a Q&A session where participants had the opportunity to exchange views on the compatibility of these measures with privacy legislation, the potential for improvement of scanning technologies, as well as other solutions to allow fighting child sexual abuse without hindering privacy safeguards and fundamental rights.

This session is one of several actions that EuroISPA is taking around encryption, privacy and the Commission proposal to fight Child Sexual Abuse Material online.

If you would like to know more about EuroISPA’s work on the topic, you can contact [email protected].
