The Council of the European Union recently prohibited the weakening or undermining of encryption measures online – as per the altered text of the prevention of child sexual abuse proposal. Acknowledging the role of encryption in cybersecurity measures, the added text to the proposal said that the “regulation shall not create any obligation to decrypt data.”
What is the prevention of child sexual abuse proposal?
Titled “Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse” or simply the Regulation, the document specified rules to “prevent and address in a targeted, carefully balanced and proportionate manner the misuse of relevant information society services for online child sexual abuse in the internal market.”
Within the ambit of its scope, it also states that the Regulation “shall not prohibit, make impossible, weaken, circumvent or otherwise undermine cybersecurity measures, in particular encryption, including end-to-end encryption, implemented by the relevant information society services or by the users.”
STAY ON TOP OF TECH POLICY: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!
Encryption is critical for data protection: As per the Union, encryption technologies are “critical tools to safeguard the security of information within the Union as well as trust, accountability and transparency in the online environment.”
It argued that the Regulation should not adversely affect such measures since the weakening or circumventing of encryption could be “abused by malicious third parties.” This means that mitigation or detection measures should not hinder cybersecurity measures regardless of whether the data is processed at the user’s device before encryption or is in transit or stored by the service provider.
Why it matters: There is a longstanding tussle between law enforcement agencies across the globe and service providers on the topic of end-to-end encryption. One the one hand, those against encryption say such measures pose a hurdle to ensuring child safety. Others say encryption is essential to ensure privacy and protects users from malicious third parties. While some parts of the European continent seem to be working on policies that threaten encryption, the EU proposal has confirmed the importance of encryption in cybersecurity.
Other changes made to the Regulation
Age verification shall not involve biometric identification of users: Article 4 on risk mitigation added Clause 3a, which said, “any age verification measures shall not involve any profiling or biometric identification of users.”
The Union stated that age verification and age assessment measures may be based on profiling, biometric identification, age identification tools, etc., that process personal data. To keep the Regulation in compliance with the EU’s data protection standards and to avoid undermining cybersecurity measures, a set of conditions was suggested. The added text does not further elaborate on these conditions.
Service providers must include unique identifiers and metadata of users in reports: Changed provisions under Article 13 state that providers of hosting and interpersonal communications services must submit a report on child sexual abuse, including “unique identifiers of the user and metadata related to media files and communications.”
According to the footnotes, metadata is useful for investigative purposes and to identify a suspect of a child sexual abuse offence. It defined ‘metadata’ as non-content data referring to information about documents, files or communications.
“Metadata may include, depending on the case, information about the time and place of, and the devices used for, the creation or exchange of the documents, files or communications at issue and about any modifications made thereto,” said the footnote comment.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- Online Abuse Won’t Stop Because Companies Stop Looking: Task Force Highlights Impact Of E2E Encryption On Child Safety
- No, The Council Of The European Union Is Not Considering A Ban On End-To-End Encryption
- Banned And Confused: Element App Releases A Statement On Being Blocked In J&K
- WhatsApp Will Rather Be Blocked In UK Than Weaken Encryption: CEO Will Cathcart