Signal President Cautioned EU Lawmakers Against Underestimating Online Security Risks

In a direct challenge to web security’s future, Meredith Whittaker, head of the not-for-profit organization behind the secure messaging application Signal, highlighted the risks associated with a contentious legislative draft by the European Union, aimed at scanning individual’s private messages for child sexual abuse material (CSAM), in a statement released on their website this past Monday.

Whittaker elaborates on the impossibility of enforcing such measures without significantly weakening encryption standards, thus exposing a critical weakness in essential digital architecture. Such actions, she argues, would have far-reaching consequences, extending well beyond the borders of Europe.

Presented in May 2022 by the European Commission, the prospective regulation for the widespread scrutiny of private communication services to hinder the distribution of CSAM online was initially met with resistance from the European Parliament, which proposed excluding encryption-protected apps from mandatory scanning last fall. Nonetheless, the European Council, representing the governments of member states, has persisted in its efforts to include highly secure platforms within the regulatory framework.

A more recent suggestion by the Council under Belgium’s leadership, made public in May, necessitates that “providers of interpersonal communications services” incorporate “technologies for upload moderation” as described in a document shared by Netzpolitik.

Within the proposed Article 10a, it’s expected that these technologies would enable the detection and prevention of CSAM spread before transmission occurs.

A report by Euractiv last month hinted that the updated draft would necessitate user consent for scanning on encryption-protected messaging apps for CSAM. Non-consenting users would experience a reduction in functionality, essentially limiting their use to basic text and audio exchanges.

Whittaker critiques the Council’s approach as an attempt to disguise client-side scanning—a highly debated method seen as a threat to private and secure communication—through manipulative wording.

She boldly asserts, “Mandating mass scans of private interactions is a direct attack on encryption. No exceptions,” highlighting the myriad ways such invasive measures could tamper with encryption’s integral components, essentially making private communications vulnerable to malign interests.

Regardless of the terminology—be it a backdoor, a front door, or ‘upload moderation’—each method introduces risks that could be exploited, thus compromising the foundational security offered by encryption.

Pirate Party MEP Patrick Breyer has also voiced his dissent against the Council’s revisited proposal, equating it to a mere rebranding of the Commission’s initial invasive measures. To him, the reliance solely on text-based messaging is inconceivable in the modern world.

The European Union’s data protection authority has expressed its own reservations, indicating last year that such proposals stand in direct conflict with the values underpinning a free and democratic society.

Enforcement agencies are presumably among the strongest advocates for weakening encryption to scrutinize private communications. A unified statement from European police chiefs in April solicited the development of security measures that would allow for the identification of illicit activities without detailing the process—indicating a preference for some form of client-side scanning.

Although the proposal claims not to undermine end-to-end encryption or mandate decryption by service providers, Whittaker reasons these assurances conflict directly with the inherent risks posed by mandatory scanning technologies, making the proposal self-contradictory.

Despite reaching out, neither the Commission nor the Belgian presidency has responded to these criticisms. The process of EU legislation, involving negotiations among the Council, Parliament, and Commission, continues to unfold, with the outcome on CSAM scanning yet undecided, especially with recent changes in Parliament’s composition following the EU elections.