THE EUROPEAN COMMISSION DOES NOT UNDERSTAND WHAT IS WRITTEN IN ITS OWN CHAT CONTROL BILL
Ylva Johansson is the EU Commissioner in charge of the Chat Control Bill. In recent days she has taken part in several interviews in Swedish media and also spoken in front of EU parliament members.
It’s obvious during the interviews that Ylva Johansson does not understand her own bill and what consequences it would have. She constantly repeats misleading and incorrect arguments. Above all, she continues to claim that it’s possible to scan end-to-end encrypted communication without breaking the encryption. It’s remarkable that the responsible EU Commissioner gets away with this, without tremendous criticism from media and members of the EU Parliament (we know, there are some speaking up, but it’s not enough).
Here are some of her statements during the last week and our comments.
PODCAST INTERVIEW IN THE SWEDISH NEWSPAPER SVENSKA DAGBLADET: "SIGNAL IS ALREADY SCANNING ITS USERS' ENCRYPTED COMMUNICATION"
In a podcast interview in the Swedish newspaper Svenska Dagbladet, Ylva Johansson claimed, among other things, that scanning for ***** ***** content in encrypted communication is equivalent to scanning for viruses and that encrypted communication can be scanned without breaking the encryption. She also said that “if you’re on Signal, and you want to send me a link to an interesting Svenska Dagbladet article … when you start typing the address of the article, a picture of the article pops up and that’s because they’re scanning the conversation”.
Apart from those highlights, here’s a summary of things she said during the interview (in bold) with our comments below.
“Next summer, all the scanning taking place right now of ***** ***** will be banned within the EU. That is, if we don’t have special legislation that allows it.”
· What Ylva Johansson is talking about is the current legislation (which makes it voluntary for internet services to carry out these types of searches). There’s nothing stopping Ylva Johansson, instead of introducing an extension of the law, from extending the current legislation.
“This is the special legislation that I proposed last year, which will make it possible to continue the scanning currently being done, except that I’m placing restrictions on what you can and may scan. Today they can scan almost anything anyway, if they’re looking for ***** ***** material; in my Bill it will only be following a court order that permission can be obtained to scan and continue to scan for ***** ***** material, so that we will continue to get the reports that facilitate the apprehension of perpetrators and that allow us to protect and save the *****ren.”
· It’s very impudent to say “limiting what can be scanned” when the bill will force all services to scan all people’s communications.
When asked to explain that the new proposal is actually mandatory instead of voluntary, as it is today, Ylva Johansson replies:
“If it is judged in a court that the situation is so serious, that the risk is so great that criminal material will be shared here, about little *****ren who are being exposed to violence – if you can scan, then you also have an obligation to do so – that’s a new element I’ve introduced. I don’t want to be dependent on the companies’ goodwill. Today, there are many people who are scanning, but I'm also aware of the fact that they are also being subjected to a variety of pressures saying they should not be scanning the communication and I want to ensure that if a court judges that this is so serious that the communication should be scanned and then that also should be obligatory.”
· The bill states that the law will apply to services that are likely to be used by *****ren, or can be used to search for other users, or allow users to be contacted directly, or allow images to be shared with others. In other words: all digital services.
· There’s no mention of courts having to make decisions in the bill. When asked to elaborate, Ylva Johansson backs off:
“It doesn't explicitly say “court”. But that’s what it will look like in the vast majority of countries, because that’s where most countries make this type of decision.”
· This means that Ylva Johansson improperly has used the court argument during the entire legislative period. In addition to that: in this type of discussion, "surveillance after a court order" refers to the fact that there must be a suspicion of a crime in order to monitor. This is not the case in Ylva Johansson’s chat control proposal. In her Bill surveillance orders refer to the surveillance of everyone on a particular messaging service after an authority (doesn't have to be a court) in a country decides to do so (mass surveillance).
“It's about sniffing, checking out you could say. It's not as if you read the communication; I mean, it’s like a police dog being able to smell if there’s something there.
· It’s not possible to “sniff” end-to-end encrypted communication without looking at the encrypted communication.
“This scanning has been going on for around ten years and there are incredibly few cases where someone has been falsely reported when contacting their guardian or anyone else.”
· This type of detection has not been going on for ten years. 1) End-to-end encrypted traffic has not been scanned, 2) a widespread system for AI to assess whether images and videos are criminal or whether conversations are grooming or not, has not existed.
“I’m introducing an additional control measure where persons were to share ***** ***** material, and it’s very sharply defined. We need to remember, it’s not nude pictures we’re talking about – we’re talking about *****ual ***** of *****ren, and there’s basically no such misreporting today; or perhaps only to a very small degree. So, there’s nothing new in what I am proposing; I’m only proposing that it should be allowed to continue.”
· Does Ylva Johansson believe that naked pictures of *****ren cannot be a crime? It sounds like she’s not familiar with the legislation as far as what qualifies being a crime and what doesn’t.
· Swiss police have measured the error rate. It’s around 80-90%. This mainly concerns ‘already known material’. It’s a dizzying thought what the margin of error will be if AI is to judge what’s what.
· Again, Ylva Johansson says that she’s “just suggesting that it should be allowed to continue”, despite confirming earlier in the interview that new measures will be introduced.
“If we take for example a company like Roblox, which caters a lot to *****ren, they promise their users that they scan so as to prevent grooming in their chats. They will no longer be able to promise their users that, if we ban all forms of scanning when it has to do with this type of *****.”
· Once again, the same lie. It’s possible to extend existing legislation instead of expanding it.
“*****ual ***** of *****ren is clearly defined in our EU legislation; it is not that you can have your own interpretation of what constitutes *****ual ***** of *****ren. Rather, it’s clearly defined, so it can’t be used to search for something else that you dislike, but that definition is crystal clear.”
· AI finds it – to say the least – quite difficult to “clearly define” between a holiday picture on the beach and a nude picture intended for criminal purposes.
· The technology can be redirected to be used to search for other things. Even before the bill came into force, one MEP suggested that drag queens should be targeted “as they’re often involved in the *****ual exploitation of *****ren”.
· Another point of view: what will the EU look like in ten to twenty years? Ylva Johansson doesn't know that. No-one knows. If you put a tool like this in the hands of people in power, tomorrow's people in power can use it for something else – and then it's too late to back out. Worth pointing out: Already today, the governments of five countries in the EU have been accused of spying on political opponents. Already today there are countries in the EU that are not classified as democratic.
“That risk will still exist (risk of false flagged material) it would be minimal I should say, but nonetheless, it will be there. And that's why I've included a special security measure so that no reports go directly to the police, rather they’ll go first to the center we're going to create against *****ual ***** of *****ren, and that’s like putting in a filter to preclude other material, which is not *****, such as the example you’ve just cited, unusual though it was, from cropping up. But if it should happen, I’ve put in such a filter, you could say, so that it does not go to the police.”
· Again: During investigations, 80-90% of mainly “existing material” has been found to be incorrect flagging.
· Why would you feel more comfortable with a large EU center reviewing private communications than the police? Such an organization would be a colossus and completely impossible to operate in a safe manner. If organizations can read private communications, sooner or later it will be leaked. This is why data gathering is dangerous. This is why it is incredibly important that end-to-end encryption won’t be forbidden by law.
“My Bill is not about encryption, it’s not even mentioned. The Bill includes nothing to do with encryption ... my Bill is technology neutral. This is not a Bill intended to break or weaken encryption. That’s the important thing; it doesn't specify any particular technology. Neither do we not exclude any specific technology in the Bill.”
· Ylva Johansson says that “it’s not about encryption” and in the next breath she says that “encryption isn’t excluded”. No more counter-arguments.
“It is not true that everyone will be obliged to do detection work. What all the companies will be obliged to do is to carry out a risk assessment, if there exists any risk that their services will be used to spread *****ual ***** of *****ren.”
· Again: The bill states that the law will apply to services that are likely to be used by *****ren, or can be used to search for other users, or allow users to be contacted directly, or allow images to be shared with others. In other words: all digital services.
Let's finish with a part from the interview, where the journalist Andreas Ericson from the Svenska Dagbladet presses Ylva Johansson about encrypted communication. It becomes extra obvious that Ylva Johansson has no idea how the technology works.
[Andreas Ericson] Can I just ask you one thing Ylva. If that happens, under this Bill, would you and I be able to have contact in the future, if, for example, you feel that you want to blow the whistle on the European Commission and contact Svenska Dagbladet under source protection regulations? And, would we also be able to have encrypted contact that the authorities are unable to read, with this Bill?
[Ylva Johansson] Yes, that goes without saying.
[Andreas Ericson] But if that’s the case, won’t all *****philes use the same encrypted contacts? And then what’s been gained?
[Ylva Johansson] No, but the thing is – the only thing that, the thing that ... *****ual ***** of *****ren, pictures of such, is always criminal.
[Andreas Ericson] But if you and I will be able to encrypt our communications, then surely *****philes will be able to encrypt theirs too?
[Ylva Johansson] If that material is shared, it may be that it is detected, that material.
Andreas Ericson] But then, isn't it encrypted?
[Ylva Johansson] But it's not as if you are able to read someone's communication. And there are techniques to detect without breaking the encryption. I think it's very important that we defend the possibility and the right to encrypted communication, but that does not mean that we should say that as long as we use encrypted communication, we will not take steps to apprehend ***** *****ual *****.
[Andreas Ericson] I'm a technology idiot, Ylva. This is how I understand it: if you send me pictures in encrypted documents, the authorities will not be able to read them. But if *****philes send ***** images to each other, the authorities will be able to read them because there are technological solutions for that. That’s how I understand it; have I understood you correctly?
[Ylva Johansson] No, you haven’t. You can make a comparison. Because encrypted communication today is scanned by the companies. They scan all communications for viruses. So, if you’re on Signal, and you want to send me a link to an interesting Svenska Dagbladet article, when you start typing the address of the article, a picture of the article pops up, because they’re scanning it. And that’s to make sure you aren’t sending me any viruses.
[Andreas Ericson] Okay, you can see the image but isn't it encrypted? Karl Emil (opponent in the debate), would you like to come in here?
[Karl Emil Nikka] That's not even how Signal works. The way Signal works is that if you get a preview, it's because your Signal client, from your device, is taking a picture of the website and including it in the message that's being sent. Signal has no access to this information ...
[Ylva Johansson] But that's not what I’m saying.
[Karl Emil Nikka] You said that Signal works the way you said, which it doesn't.
INTERVIEW IN THE SWEDISH RADIO: ”IT’S LIKE SCANNING FOR VIRUS”
In an interview with the Swedish Radio, Ylva Johansson continues to repeat the same misleading arguments. Meanwhile, she refuses to answer how she will ensure that future governments and EU parliaments won’t ***** the system and how the EU center will guarantee that private conversations are not leaked (this question Ylva refuses to answer three times a row). Here’s a few of examples of her repeated argument:
"If we protect our mobile phones (against viruses) better than we protect *****ren against very serious *****ual ***** …”
· Once again, Ylva Johansson goes on comparing scanning of communication with scanning of viruses. It’s not possible to do that comparison. Virus scanning never occurs on encrypted content.
"A police dog can sniff physical mails to see if they contain drugs, and if they contain drugs the police can intervene. It’s an invasion of privacy that we think is reasonable.”
· Alright, let’s take the Ylva Johansson’s sniffing dog comparison. Ylva Johansson’s chat control law is like having a police dog beside you wherever you go. 24 hours a day. Out in the street. At work. At home. In your bedroom. On the toilet. It’s not like going to the airport, say hi to the sniffing dog and then go to the bar (without the dog). There’s also a difference between the drug sniffing police dogs and this chat control dog – because this dog has poor sense of smell. So, the dog will bark eight times out of ten when you text your partner something dirty. And every time it barks, a bureaucrat from the new EU center will come to your home to check everything you wrote to your partner and all the (legal) nude pictures you have on your phone.
This won’t happen when you are at home. This will happen without you even know about it. Because the EU center employee has your house key you know. It’s one of the 450 million keys that hang in Europe's largest key cabinet. And this is where it comes down to Ylva Johansson's guarantees: she must guarantee that the EU employee will never enter again for any other reason (you know, he has the ability to go into you house to look for whatever he wants whenever he wants), that no criminal will accidentally come across the house key, that it will never be copied, that it will never get lost in a major key theft (hello data leaks!), that the EU employee does not drop it on the street or sell it for a million euro or that someone otherwise threatens to leak nude photos of the EU employee (of course everyone's communications must be intercepted and therefore there will be some nude photos circulating after a day or two, so to speak), that it is never used for anything else by any middle manager with his boss pressuring him, or that the EU center never gets new bosses who think that it’s a good idea to take a look at other stuff more often for new reasons.
And when you start to get the feeling that "damn it feels like they're in my house messing around in my living room a little bit from time to time" and it doesn't feel good, then you have to cross your fingers that someone wants to blow the whistle from the EU center and that person can do it without the police dog with a bad sense of smell starting to bark.
Above all, you can only hope that the situation has not gone so far that undemocratic countries have gained influence and that abortions and homo*****uality are being searched for. But now we're just speculating. We mean, the democracies of the free world would never begin to compromise on human rights, right?
PRESS CONFERENCE: ”WE HAVE STARTED TO DISCUSS TO USE CHAT CONTROL FOR DRUG DEALS AS WELL”
At a press conference that Dagens Nyheter was broadcasting Ylva Johansson talked about the chat control proposal as well as the drug problems within EU. Ylva Johansson told the press “they use snapchat for the actual deal” and then talked about using chat control to combat drug dealing. It’s not a wild guess that Ylva Johansson and the EU Commission want to extend the usage of the chat control system. The only question is, where will it end?
“I have raised this in the EU internet forum. It was first established together with the big internet companies to fight terrorist content online. Now we are also broadening it to ***** *****ual ***** and to prevent the *****. But we also started to discuss this drug selling online. It’s true that we have a real challenge here, because it’s not allowed to look into what’s really happening in these conversations, when it’s private conversations, when they are selling the drugs, so that’s a part of the very strong privacy that we have here, but there are some areas where can look into it. But in my view, we have to do more here. I think that we are so often lagging behind and the criminals are going more and more online and online the law enforcements are more with their hands tied back than in the offline world. That’s an imbalance that needs to be addressed It’s not easy to address it. But it’s an area that we cannot leave without new actions that I think is necessary.”
· The slippery slope is already happening. What’s next Ylva Johansson? An EU parliament member has already proposed to include drag queens in the AI filter.
MEETING OF THE JOINT PARLIAMENTARY SCRUTINY GROUP ON EUROPOL – JPSG EUROPOL
At a meeting with the joint parliamentary scrutiny group on Europol Ylva Johansson got a comment from Barry Ward saying:
“You made a comparison between a sniffer dog and the controls that you could put in place to monitor communications and information. My concern is that it’s not quite the same, because a sniffer dog doesn’t have the capacity to understand what what’s inside a package, whereas an algorithm and other search mechanism can do that.”
And this was Ylva Johansson’s answer:
“Theoretically there could be a situation where a court says ‘yes we should scan here’ but there’s no reliable technology available that will not be compliant with the privacy standards we think need to be met, and then it’s not possible to do it. That’s why my proposal is technology neutral.”
Ylva Johansson also talked about the widespread usage of encrypted communication today:
“Only a few years ago encrypted communication was only for governments or law enforcements, banks, things like that. Now encryption is everywhere. And I think that encrypted communication is going to be the normal. So that’s why it’s important that encrypted communication is not out of the scope when we say that we are going to protect *****ren from ***** *****ual *****, but of course the technology to be used – for example I have set up a special group to develop together with fundamental rights agencies, together with researchers, with companies, different kinds of technologies that is possible to use, also in encrypted environment, and companies are also using these kind of technologies when they are scanning for malware for example in encrypted communication without breaking the encryption. So, there are possibilities but the answer is also: if no technology existing that is acceptable in the way of use, then of course, then you cannot have the detection order. So, this always have to be taken into count for a decision.
It’s not easy to follow Ylva Johansson on this. After a long day with a lot of interviews she is all of the sudden talking about situations where the scanning won’t be possible.
We think it’s about time to have Ylva Johansson to clarify:
· Will you force message apps like Signal to break their encryption, install back doors or scan on the client side? Yes or no? Try to answer without forcing us to write another ten pages with your misleading information and non-answers.