WEBVTT

00:00.000 --> 00:05.000
Thank you.

00:05.000 --> 00:15.000
Hi, my name is Marcel Kolaja. I'm the policy and advocacy director for Europe at Access Now.

00:15.000 --> 00:23.000
And we are going to be talking today about how is the European Commission planning to break

00:24.000 --> 00:33.000
cryptography this time, which is a bit of a provocative title, I understand, but also I think it kind of reflects the reality, unfortunately.

00:33.000 --> 00:50.000
Access Now is a civil society organization. Our mission is to defend and extend the digital rights of people and communities at risk, and I work in the Brussels office.

00:50.000 --> 00:59.000
So the crypto wars and attacks on encryption is something that's been here for decades.

00:59.000 --> 01:06.000
I'll be speaking only about the recent events that I think we can date back to June 2023.

01:06.000 --> 01:16.000
When the European Commission sets up a high level group on access to data for effective law enforcement.

01:16.000 --> 01:25.000
Text in italic is a quote, and there will be a lot of quotes on these slides.

01:25.000 --> 01:32.000
So the group is tasked to explore any challenges that law enforcement in the Union face in their daily work

01:32.000 --> 01:45.000
in connection to access to data, and explore and contribute to finding potential solutions to overcome them, with the aim of ensuring the availability of law enforcement tools to fight crime and enhance public security in the digital age.

01:46.000 --> 02:11.000
Now this is followed up in May 2024, where the high level group adopts a set of recommendations that include establishing a research group to assess the technical feasibility of built-in lawful access obligations, including for accessing encrypted data, for digital devices.

02:11.000 --> 02:18.000
So now you already recognize that things are getting very serious and dangerous.

02:18.000 --> 02:29.000
In June 2024, the Council of the European Union, which is a body where the ministers from the individual member states meet.

02:29.000 --> 02:37.000
They hold an exchange of views on these recommendations and one of the priorities that the home affairs ministers identified

02:37.000 --> 02:54.000
is establishing legally and technically sound solutions for accessing encrypted electronic communication in individual cases and subject to a judicial order, for the purpose of preventing, investigating and prosecuting serious and organized crime and terrorism.

02:54.000 --> 02:58.000
What happens around the same time is the European elections.

02:58.000 --> 03:07.000
The parliament is elected for five years, so 24 to 29 and subsequently a couple months later from the first of December.

03:07.000 --> 03:10.000
The von der Leyen Commission starts.

03:10.000 --> 03:23.000
Now with the political landscape shift, as you can see, you know, on the colors here on the seats in the European Parliament.

03:23.000 --> 03:39.000
The colors are political groups, and the color that I believe is like blue, I'm color blind, sorry for that, is the European People's Party, and what I believe is yellow is Renew Europe.

03:39.000 --> 03:49.000
So if you look at 2020, then you see that Renew Europe, which is the, you know, social liberals and neoliberals, basically the liberal political group.

03:49.000 --> 04:04.000
They are kind of in the center. Who is in the center is very often in negotiations the kingmaker. They decide where the needle moves because they are by definition in the center.

04:04.000 --> 04:12.000
Now, as you see, from 2024 this has shifted so that the European People's Party is more in the center.

04:12.000 --> 04:22.000
So they are in a better position to basically find compromises left or right from them because these are the political groups that are closest to them.

04:22.000 --> 04:35.000
Well, the issue of course is that on the right side from you, where you can find alternative majorities, there are only Eurosceptics, the far right and the far far right.

04:35.000 --> 04:43.000
The securitization narrative strengthens the political appetite for lawful access to encrypted data, even though,

04:43.000 --> 04:56.000
I would argue, it removes security by definition, and the securitization narrative is something that is very, very live in the current political landscape.

04:56.000 --> 05:11.000
So now the European Commission starts a European internal security strategy called ProtectEU that is published by the European Union on the first of April 2025, unfortunately not as a joke.

05:11.000 --> 05:35.000
And that replaces the European Security Union Strategy, which led to the chat control proposal among others, so it's not a completely new thing, it's more of an evolution from the previous strategy that also led to some bad things. And this strategy sets out the objectives and actions for the next years to ensure a safer and more secure Europe.

05:35.000 --> 06:02.000
The Commission will present a technology roadmap on encryption to identify and assess technological solutions to enable lawful access to encrypted data by law enforcement authorities in 2022. And this political narrative totally contrasts with the technical reality, in that the objective cannot be achieved without actually weakening encryption and therefore security.

06:05.000 --> 06:21.000
Roadmap for effective. What is it, 10 minutes? Roadmap for effective and lawful access to data for law enforcement. So this was published by the Commission back in June.

06:21.000 --> 06:32.000
It was published in 2005 as an important deliverable under the ProtectEU strategy. It outlines six areas with key actions defined. Because we don't have too much time,

06:32.000 --> 06:48.000
I will not go through all of these, so maybe if you want to read this later, take a picture. We will focus on the fact that the Commission wants to in that strategy.

06:48.000 --> 07:00.000
Roadmap wants to ensure that so-called evidence can be read, to quote this, which means they need to decrypt encrypted data in their understanding.

07:00.000 --> 07:24.000
So they want to deliver a technology roadmap on encryption in Q2 this year, and also a second very important action outlined is support the research and development of new decryption capabilities to equip Europol with next generation decryption capabilities from 2030.

07:24.000 --> 07:42.000
So when we speak about encryption and how would the Commission like to access encrypted data, well, that, technically speaking, we are about to see in Q2 2022 with this roadmap.

07:42.000 --> 07:56.000
However, at this moment it is already clear that client-side scanning is something that the Commission has been exploring already for quite some time, including in the debates around chat control.

07:56.000 --> 08:18.000
And I see this as a change of strategy: that instead of attacking encryption directly, the narrative is that they will work around the encryption, and therefore the narrative, which is very false, is "we are not weakening encryption".

08:18.000 --> 08:34.000
So client-side scanning is a technique where content is scanned before it is encrypted, which means on the client, and then, for instance, checking hashes of content against the database of prohibited material.

08:34.000 --> 09:00.000
Then this of course expands the attack surface, there are rates, and of course hash collisions is something that complicates everything. So this is an example from a research paper, Bugs in Our Pockets. This picture shows two pairs of hash collisions that actually exist.

09:00.000 --> 09:06.000
So basically according to that software this would be seen as the same picture.

09:06.000 --> 09:21.000
What are the potential impacts? Weakening encryption is detrimental to fundamental rights enshrined in the Charter of Fundamental Rights of the European Union, specifically protection of personal data and the freedom of expression and information.

09:21.000 --> 09:36.000
There is no technical lawful access to an encrypted communication without breaking privacy and security. Period. Client-side scanning therefore breaks privacy and security.

09:36.000 --> 10:04.000
And my favorite parallel on what client-side scanning is, is like: imagine that encryption is a seat belt in a car that is protecting the passengers, and encryption is protecting the data. Now client-side scanning means we are not directly weakening the seat belt.

10:04.000 --> 10:23.000
But we just make you sit in front of the seat belt, which means when there is a crash, the seat belt is perfectly fine. Unfortunately this may have a very disastrous impact on you, and with encryption and data I see it as the very same.

10:23.000 --> 10:42.000
The risk of disproportionate surveillance and lack of judicial oversight. Companies can avoid Europe or implement weaker security, which would lead to innovation slowdown, which I find interesting enough given the Commission's agenda where Europe's competition.

10:42.000 --> 10:54.000
And of course as already outlined in the road map research funding shift so instead of strengthening security.

10:54.000 --> 11:06.000
Okay, I will water the plants, I promise, when I come home. So instead of funding strengthening security.

11:06.000 --> 11:20.000
Well, funding would shift to research on access to encrypted data, and of course potential major for free and open source software, because how do you implement client-side scanning in an open source project?

11:20.000 --> 11:45.000
So actually you do, but then by definition anyone who finds a bug in that software can fix it and fork it, and I would say this client-side scanning is not only a bug, it's a security vulnerability that needs to be fixed ASAP. And then how do you deal with that? And more and more complications like this, of course, in the eyes of the politicians and lawmakers, can actually damage free and open source software.

11:45.000 --> 11:54.000
So let's frame the debates correctly. First, strong encryption is essential for security and protects national security.

11:54.000 --> 12:07.000
Second, giving law enforcement exceptional access threatens human rights and democracy. Third, strong encryption strengthens privacy and security.

12:07.000 --> 12:14.000
And backdoors to encrypted systems will not stop criminals and terrorists from using strong encryption.

12:14.000 --> 12:36.000
If everybody, all providers, are forced to implement client-side scanning, for instance, or a system with any sort of backdoors into encrypted communication channels, then this does not mean that criminals and terrorists will use the same platforms.

12:36.000 --> 12:46.000
So basically that would mean the whole society would be under surveillance, just with the exception of those whom the law enforcement wants to target.

12:46.000 --> 13:03.000
So what can be done? Definitely support civil society organizations, politicians and networks, like for instance Access Now, where I work, and a bunch of others that I have listed here. For the interest of time I'm not going to read all of those.

13:03.000 --> 13:12.000
Like, all of them or most of them have, you know, newsletters, they are active on social networks. Follow them, of course.

13:12.000 --> 13:24.000
You can also donate. Most of those also receive individual donations. If you go on accessnow.org, there's a button to do it, so very easy.

13:24.000 --> 13:44.000
These basically advocate for digital rights and defend strong encryption, or advocate against these efforts to undermine encryption. Of course, you can also talk to policy makers yourself.

13:44.000 --> 13:52.000
These organizations very often provide hints on how to speak, who to speak to, and so on.

13:52.000 --> 14:05.000
You can also participate in public consultations if you want to spend a couple of evenings trying to figure out what the commission tried to ask in a specific feedback request.

14:05.000 --> 14:14.000
And of course raise public awareness, you know, speak about this with your friends, with your colleagues, in the community.

14:14.000 --> 14:24.000
And so on. Credits for the picture. I, by the way, really, really recommend this research paper, Bugs in Our Pockets.

14:24.000 --> 14:30.000
It's very well accessible, and that's it. I am afraid there is no time for questions.

14:30.000 --> 14:36.000
The part of the panel has kindly donated to that question too. Okay, so first of all, can we thank Marcel.

14:36.000 --> 14:39.000
Thank you.

14:43.000 --> 14:45.000
Five minutes.

14:45.000 --> 14:48.000
I'll let you pick them.

14:48.000 --> 14:52.000
Okay, so do you have a question for Marcel?

14:52.000 --> 14:54.000
We have a question.

14:54.000 --> 14:56.000
Go ahead.

14:57.000 --> 15:00.000
I'm going to do the first one as well.

15:00.000 --> 15:02.000
I can get that.

15:06.000 --> 15:18.000
Obviously, breaking or doing client-side scanning only works in centralized systems that can control the client.

15:18.000 --> 15:25.000
Now if you have Mastodon or the Fediverse, federated communication.

15:25.000 --> 15:34.000
Is this discussed at all that we centralize or regulate only centralized systems?

15:34.000 --> 15:41.000
So, unfortunately this would apply to everyone targeting the European markets, right?

15:41.000 --> 15:44.000
This is how usually European regulation works.

15:44.000 --> 15:51.000
And I think it was also indicated in the previous talk.

15:51.000 --> 15:55.000
You know, that it's not only the applications themselves that can be targeted.

15:55.000 --> 15:57.000
It's also app stores for instance.

15:57.000 --> 16:05.000
You know, that you can have an obligation potentially that it would say those clients that do not comply with these obligations.

16:05.000 --> 16:07.000
They cannot be on the app store.

16:07.000 --> 16:15.000
So, there's a myriad of very bad proposals that can come up as part of this.

16:15.000 --> 16:23.000
And, you know, it does not mean that decentralized or federated systems would not fall into the scope.

16:23.000 --> 16:35.000
But what definitely applies is that there it's very difficult to have it under control for niche communities.

16:35.000 --> 16:40.000
Or for criminals or terrorists that I have outlined.

16:40.000 --> 16:50.000
Because if you basically fix all the systems in the eyes of the politicians that the society uses,

16:50.000 --> 16:59.000
it doesn't mean that there will not be a terrorist organization who will fork the one existing system.

16:59.000 --> 17:02.000
And that they would actually escape these obligations.

17:02.000 --> 17:05.000
So, I would say that effectively cannot work.

17:05.000 --> 17:11.000
It's a really, really bad proposal to go in the direction.

17:11.000 --> 17:14.000
And there was another question down here, I think.

17:14.000 --> 17:16.000
Yes.

17:16.000 --> 17:17.000
Thank you.

17:17.000 --> 17:18.000
Very quickly.

17:18.000 --> 17:20.000
So, from what can we do perspective?

17:20.000 --> 17:22.000
How much time do we have?

17:22.000 --> 17:27.000
And what would you say are the most effective ways among the ones you have listed to help?

17:27.000 --> 17:28.000
What was it?

17:28.000 --> 17:30.000
How much time do we have?

17:31.000 --> 17:33.000
What's the most effective way?

17:33.000 --> 17:34.000
Right.

17:34.000 --> 17:37.000
So, I wouldn't, I take it from the end.

17:37.000 --> 17:43.000
I wouldn't say that there's one silver bullet, you know, most effective approach.

17:43.000 --> 17:45.000
I think it's a combination.

17:45.000 --> 17:47.000
And it's a puzzle that basically you have to build.

17:47.000 --> 17:58.000
So, there are several elements. You have to, basically, strategically use all of them.

17:59.000 --> 18:02.000
On the first part of the question, how much time we have?

18:02.000 --> 18:06.000
Well, in Q2, which means very soon in a couple of months,

18:06.000 --> 18:09.000
the commission will come up with the technology roadmap.

18:09.000 --> 18:12.000
And then things can spin very quickly.

18:12.000 --> 18:17.000
At this moment, there is no legislative proposal when it comes to this on the table.

18:17.000 --> 18:22.000
Of course, there is the chat control, but that's, you know, separate from this very initiative.

18:22.000 --> 18:27.000
But this could potentially lead to a proposal of a very broad,

18:27.000 --> 18:34.000
obligation to provide access to law enforcement if they need evidence for criminal investigation,

18:34.000 --> 18:38.000
which I would say chat control is nothing compared to this, you know.

18:38.000 --> 18:43.000
And that, we will see after the technology roadmap is here in Q2 2020 this year.

18:43.000 --> 18:44.000
Q2 this year.

18:44.000 --> 18:45.000
Thank you.

18:45.000 --> 18:47.000
We have time for one more question.

18:47.000 --> 18:49.000
And it's the back of course.

18:49.000 --> 18:57.000
Thank you.

18:57.000 --> 19:03.000
So, yeah, this makes a lot of sense.

19:03.000 --> 19:06.000
But from the point of view of law enforcement,

19:06.000 --> 19:09.000
how can we help them not implement this?

19:09.000 --> 19:11.000
Good question.

19:11.000 --> 19:16.000
Because I tried to hint with the framing,

19:16.000 --> 19:24.000
because I think it's a bad idea to, like advocacy efforts to go against this

19:24.000 --> 19:27.000
and dismiss basically the goal.

19:27.000 --> 19:31.000
Because the objective is to protect the society.

19:31.000 --> 19:36.000
But I think we need to be hinting at the facts and framing the debate correctly,

19:36.000 --> 19:43.000
because encryption is a key element in ensuring security of citizens.

19:43.000 --> 19:49.000
So, basically going into this direction, you're undermining the main objective

19:49.000 --> 19:52.000
that this is, you know, trying to achieve.

19:52.000 --> 19:53.000
That's one thing.

19:53.000 --> 20:02.000
Second thing where I think we can actually, like, go against the arguments is that the main argument

20:03.000 --> 20:08.000
is law enforcement operates in the dark because everything is encrypted.

20:08.000 --> 20:10.000
Well, this is, of course, not true.

20:10.000 --> 20:17.000
I believe that we actually live in a golden age of surveillance.

20:17.000 --> 20:19.000
Everyone is under surveillance.

20:19.000 --> 20:27.000
So, saying we cannot actually catch criminals because we don't have access to an encrypted communication

20:27.000 --> 20:28.000
is just false.

20:28.000 --> 20:32.000
I mean law enforcement needs to focus also on other angles.

20:32.000 --> 20:37.000
And third, law enforcement is not necessarily an answer to everything.

20:37.000 --> 20:43.000
Maybe prevention, maybe setting up a society that does not encourage so much,

20:43.000 --> 20:48.000
you know, into criminal activities, you know, living environments for people

20:48.000 --> 20:55.000
that would not feel incentivized or that, you know, would not be let down if they have mental health issues.

20:55.000 --> 21:01.000
And so, like, there's a myriad of other elements that you need to also take into scope

21:01.000 --> 21:06.000
and not just look into, we need to access encrypted data.

21:06.000 --> 21:08.000
Thank you very much indeed.

21:08.000 --> 21:09.000
Thanks.

