Technology companies no longer have an obligation to respect the privacy and confidentiality of private electronic communications. This is established by a regulation approved in Brussels last week aimed at combating the dissemination of child pornography and the exploitation of minors, which allows operators to monitor the messages that users send in search of such materials. The objective is to block this content and report it to the authorities. One of the consequences of the initiative is that the EU officially allows the tracking of private communications (emails, text messages and attachments) by technology companies that want to collaborate with justice. Only end-to-end encrypted communications would be safe, a guarantee that they incorporate among other messaging services such as WhatsApp or Signal.
The European Parliament approved on July 6 by a large majority (537 votes in favor, 133 against and 24 abstentions) a temporary regulation to combat the online dissemination of pedophile content. The regulation, which has already been baptized as Chatcontrol (chat control), temporarily repeals Directive 2002/58 / CE, known as ePrivacy, which regulates aspects such as the confidentiality of information, the treatment of personal data and the cookies from third parties. The suspension will last until December 31, 2022, although it is expected that before that date a permanent rule will be approved to replace it.
Why is the EU temporarily repealing this directive? To answer this question, we must enter the cumbersome community legal framework. In December of last year, another regulation came into force, in this case the European Code of Electronic Communications. Among other things, the code included instant messaging services such as WhatsApp and other chat applications, such as Tinder, within the umbrella of the ePrivacy directive. Perhaps due to their relative youth, this type of platform was not yet covered by the directive. In this way, since December, the confidentiality of the conversations we have from these applications, which were already protected by the General Data Protection Regulation (RGPD), are even more shielded.
So much so that, with the law in hand, the technology companies could not continue to monitor people’s private messages in search of pedophile content. Yes, keep monitoring: our messages have already been analyzed, until now by companies that voluntarily helped the authorities to track down the networks to find pedophile content. They did it through specific technologies that scan content, such as images and text, or traffic data. In some cases, artificial intelligence intervenes, used to screen platforms in search of keywords typically related to pedophilia. “We already have mandatory regulation to detect fraud in the protection of intellectual property rights, so I believe that if we can protect intellectual property, we can protect children,” said Commissioner for Home Affairs Ylva Johansson last year. when the possibility of implementing the regulations was discussed.
“As all applications are now under ePrivacy, companies that were carrying out a certain scan of messages no longer have a legal basis to continue doing so. Hence, the Commission has promoted temporary regulations to give legal coverage to a practice that was already normal, ”says Diego Naranjo, political advisor to the European Digital Rights think tank.
There is another aspect that contributed to Brussels deciding to patch the regulations so that technology companies could continue to monitor the conversations. Facebook announced two years ago that it intended to include end-to-end encryption in its instant messaging tool, Facebook Messenger. Although it is more popular in the United States than in Europe, Facebook Messenger is the second most used messaging system in the world: it has about 1,300 million active users, compared to the 2,000 accumulated by WhatsApp, also belonging to the group chaired by Mark Zuckerberg.
“It seems that a lot of pedophile content moves on Facebook, and the authorities feared that if they allowed it to be encrypted, they would stop being able to persecute those who distribute such content,” Naranjo emphasizes.
According to the European Commission, last year almost four million images and videos were reported showing abuse of minors and 1,500 files were opened for child sexual harassment through the networks. According to Europol, the situation has has significantly worsened during the pandemic.
A controversial regulation
The fight against this type of crime does not generate debate, but the suspension of the ePrivacy directive does raise suspicions among activists, some politicians and privacy experts. The European Data Protection Supervisor (EDPS) himself maintains his reservations regarding the legality of the Chatcontrol regulations. This independent authority, charged precisely with ensuring that EU policies and regulations respect the right to privacy and the protection of personal data, published a non-binding opinion at the end of last year in which he questions whether the monitoring of communications proposed by the European Parliament may be compatible with the right to privacy of citizens.
“All of our personal electronic messages will be monitored to see if they contain material related to the sexual abuse of minors. That is unacceptable ”, snapped Czech MEP Marcel Kolaja, from the Greens group, the same day the regulations were approved. His main criticism: it is impossible to scrutinize criminals alone.
The Pirate Party has announced that it will take legal action against the regulations. “The adoption of the first regulation in the history of the EU on mass surveillance is sad news for all of us who rely on free and confidential communications, including victims of abuse and journalists’ sources,” said Patrick. Breyer, a German MEP for this political formation.
More regulation on the way
The newly approved regulation is temporary. The same text of the regulation also specifies that the national data protection agencies, as well as the European one (the EDPS), must provide guidance on what type of safeguards are included to guarantee as far as possible the privacy of the users.
Despite the fact that this regulation has just been approved, with retroactive effect from December 21, 2020 (the day the European Code of Electronic Communications came into force), Brussels is already preparing a new regulation, which is expected this autumn. The new text should address the thorny issue of maximizing the protection of the right to privacy of Europeans and at the same time subject their communications to the scrutiny of technology companies in search of pedophile content.
Beyond the safeguards that are included in the drafting of the standard, there are two key aspects that should be clarified. In the first place, if the companies that provide these services will have the obligation to monitor whether pedophile content circulates on their platforms, or if on the contrary, as up to now, such surveillance will be voluntary. And secondly, if the scrutiny to which electronic communications are subjected must also include end-to-end encrypted messages, so far safe from any observation. In which case, it would be the end of encrypted messages.