The European Union’s law enforcement agency Europol has published a joint declaration by European Police Chiefs seeking action against the implementation of end-to-end encryption (E2EE) across online platforms, particularly on Meta’s Messenger service.

“Privacy measures currently being rolled out, such as end-to-end encryption, will stop tech companies from seeing any offending that occurs on their platforms. It will also stop law enforcement’s ability to obtain and use this evidence in investigations to prevent and prosecute the most serious crimes such as child sexual abuse, human trafficking, drug smuggling, homicides, economic crime and terrorism offences,” Europol said in a press statement.

Why is Europol against end-to-end encryption?

According to the declaration, the Police Chiefs are concerned that E2EE will undermine users’ online safety by restricting law enforcement agencies’ access to data about online activities during cybercrime investigations.

The declaration pointed out that E2EE will jeopardise the ability of tech companies to provide “lawful access” to data of suspected criminals on their service during law enforcement investigations. The privacy-enhancing feature will also affect the companies’ ability to “proactively” identify “illegal and harmful activity on their platforms”, especially when it comes to detecting users “who have a sexual interest in children” and those involved in disseminating child sexual abuse material (CSAM).

The declaration calls for the tech industry to build “security by design” and maintain capabilities to identify and report harmful and illegal activities as well as “lawfully and exceptionally act on a lawful authority”:

“…we do not accept that there need be a binary choice between cyber security or privacy on the one hand and public safety on the other. Absolutism on either side is not helpful. Our view is that technical solutions do exist; they simply require flexibility from industry as well as from governments. We recognise that the solutions will be different for each capability, and also differ between platforms”, it said.

Meta’s plans for E2EE on messaging services:

In December 2023, Meta started rolling out E2EE for all personal chats on Messenger and Facebook in an attempt to strengthen user privacy. While Meta will also allow users to send and receive messages through third-party services in accordance with the EU’s Digital Markets Act (DMA), the company is taking measures to keep the E2EE design intact by requiring third-party providers to use the Signal Protocol or another compatible protocol that provides the same security guarantees.

Last year, the United Kingdom opposed Meta’s plans to roll out E2EE for Messenger and Instagram. The country’s Online Safety Act (OSA) holds platforms responsible for the transmission of CSAM through their services. It also requires platforms to develop and deploy software to scan photos for prohibited content if asked by the Office of Communications. The OSA has come under sharp criticism from privacy rights organisations and even tech platforms for undermining encryption and users’ rights to communicate securely, for providing backdoor access to user data for law enforcement agencies, and for enabling surveillance.

Is it possible to ensure privacy without E2EE?

Law enforcement agencies in several countries have been averse to E2EE on communication services. While they want access to more and more user data from tech companies to speed up cybercrime investigations, platforms are under pressure to devise methods to tackle crimes like the distribution of CSAM without undermining privacy. While Europol says that privacy rights cannot overshadow public safety, is it possible to ensure privacy without E2EE? Meredith Whittaker, President of the Signal Foundation, disagrees.

“There is no way to implement client-side scanning that sends the information demanded to law enforcement or a third party safely and privately. No, there is no technology there. You can do on-device… you can have a software package that talks to itself and maybe uses some on-device technology. But the issue is that the second you insert a third party into an end-to-end relationship, you have created an exploit,” Whittaker stated in an interview with MediaNama Founder-Editor Nikhil Pahwa. She was responding to a question about introducing a client-side scanning mechanism to access messages on a messaging app without affecting the end-to-end encryption feature.

In a 2022 report commissioned by Meta, Business for Social Responsibility pointed out how E2EE services can be misused by bad actors to proliferate CSAM on the internet. But the report also pointed out that choosing not to provide end-to-end encryption would likely not result in an improved ability to help law enforcement identify the most sophisticated and motivated criminals, given that they can always switch to other E2EE services. Further, solutions such as scanning content in an encrypted ecosystem always pose a risk of misuse by government actors to censor legitimate content.

