To the EU: Your proposal is bad and you should feel bad.
I will consider this partially a rant, but also an open letter to the European Parliament (profanity included).
Keep your nose out of my messages.
What it’s about
From what I know and what I’ve read, the EU is planning to introduce a new piece of legislation that would allow them to read our messages, see our images and video, and inspect all of them. The “wrapping paper” they have chosen now is the security of children. The proposal is currently being debated, and I would like to give my two cents on why we should care and do our best to kill this proposal.
My reasons
Reason #1: It’s against human rights
Title 2, Article 7 states the following:
Everyone has the right to respect for his or her private and family life, home and communications.
If you read to the very end, it says communications. What I tell my friends is no business of yours. What I tell my family is no business of yours. I, as every EU citizen, have a right to respect for my private life. If the EU came to my door and asked to rummage around in my underwear, I’d tell them to fuck off, because that is my right. We all have that right.
With communications, we have a thing called secrecy of correspondence. It protects our right as citizens to not have our mail read. This law came into effect with snail mail, almost 150 years ago, and extends to e-mail today. Sure, this law most likely does not apply to the likes of Twitter, since what you write is considered public (anyone can read it). Your law would mean an end to secrecy of correspondence as we know it today.
You already have systems in place that permit you to breach this secrecy, under very specific circumstances, e.g. in cases of active criminal investigation. Your law bypasses all of this and turns the system on its head. Innocent until proven guilty would morph into we snoop on everyone in case they do something bad.
Reason #2: The panopticon effect
This proposal poses a risk to mental health of everyone aware of its existence. Sure, you may hide behind the words “temporary” or “only for people already under scrutiny,” but the fact remains that we, the citizens, will probably never know if we are being observed. This is commonly described as a “panopticon,” where inmate– I mean citizens have no way of knowing if they are being surveilled, and alter their own behaviour considerably, just in case.
This will have a tremendous effect on children, as well as adults, who face any kind of adversity. They will know they are being observed by a force they cannot see and cannot escape from, that everything they say and do may be catalogued. In this scenario, people will be hesitant to speak out about abuse or any other issues they may have, especially against the government. The people will be in a constant state of “if I snitch, they will expose my secrets and ruin me,” even if their issue is fully justified.
These may be minor issues to you, as parliament members, but remember that you, too, will one day drop the statesmanship hat and become one of us, the people. At that point, you will fully enter and enjoy the world you helped shape, and although your motives may have felt noble at the time, you may face the other end of the stick. If that happens, I will still defend your right to privacy, but you will have to allow me one or two (hundred) “I told you so.”
Reason #3: Burning down the barn
Your target appears noble. Catching groomers and pedophiles online. I can absolutely agree that these people need to be taken off the streets. However, the proposal you present is the equivalent of hunting deer with a tactical nuclear missile. In a hunt for a tiny percentage of our population, you are willing to throw all of Europe’s population under the bus. Is that really the best you can do? Find a needle in a haystack by burning down the barn? You already have a sizeable police force, which can be targeted. As far as I know, your track record for finding evildoers is not great, not terrible.
Let’s get technical about why your system would never work the way it was intended to work.
Reason #4: You are one step behind
In the hunt for more brownie points, you have checked the first results on Google for “secure communication” and decided that the first X results would be the one you have a problem with. Signal, Protonmail, Whatsapp. We are opening an old issue that the US had with PGP quite a while ago. Encryption with keys larger than 40 bits was considered “munitions” and you needed a license to be able to export it. My question is: Will this ban concern general encryption? If not, what good is your ban? If so, how do you intend to read people’s messages if they are sent using some algorithm such as PGP? Will you force people who send PGP-encrypted mail and IMs to open your phone? At that point, I can safely tell you to fuck off and cite Article 7 to whoever you decide to send after me.
Reason #4a: There will always be other options
The only thing you will achieve by enforcing your proposal is to drive people elsewhere. You can rest assured that the day this goes into motion and app X will no longer work without your oversight, I am moving everyone I know elsewhere or embedding my own encryption. I have experience tunneling PGP-encrypted Signal messages over Tor, and it works nearly as well as the stock thing. What good will your system be if all it takes is one step in another direction to render it useless? There are way too many hops of complexity I can take to make my messages none of your business, and at some point, you will no longer be able to catch up.
Your proposal would move us into the past. The world may move away from information silos such as Google, Facebook, or Twitter in favour of smaller, tighter, federated communities. We are seeing this shift now, with the exodus of infosec professionals from Twitter after Musk bought it. We have enough skilled people and enough skilled people in the world that if all these companies went belly-up, we’d all be fine.
Imagine the following future with me:
I want to send my friend a message. I fire up my laptop, go to my own, self-hosted XMPP server, find their PGP key along with their server address, encrypt what I want to send them, and ship it to their server for them to decrypt and read at their leisure.
We already have the technology, it’s been here since the 1990’s at the latest, all we have to do is establish a network. After that, you’re back to square one: looking at metadata, seeing that all the data goes through systems you can’t peek into, out of your control, and crying that your billions of € spent on this fancy new system was all for naught.
The tables will turn
What you are proposing, the snooping on everyone’s messages and correspondence, is inherently not secure. There is a reason why I use encryption, and believe it or not, it’s not (just) to hide from you lot. There are bad actors on the internet, not just you, that I want to keep my life private from. As much as you would like to believe that a world without privacy will be easier to police, it simply is not so. Any measure you can set up, any company you can coerce, will eventually be broken or broken into, and the data on everyone will be made public. It happened to Facebook multiple times, LinkedIn, any website we entrust our data with. Your assumption that “this time, it will be different, because it’s us at the wheel” is nothing short of laughable. Hell, it happened to governments in the past, why not now?
You will have a great big data silo full of people’s secrets, information, things they don’t want to share with the world. This data silo will be everyone’s top target of the decade. I will bet you 100$ that your system, if implemented, will not last 4 years without some issue, misuse, or leak. Your implementation of this system will not be perfect, as much as you would like it to.
At that point, everything will be laid bare. Not just the people’s data, your data will be made public. All the shady deals you may have had or even thought about will be exposed. And who says it needs to leak to us? We are not what you fear, obviously. Your political opponents, however? That’s a different story. The day your systems go live, every politician on the planet will try to find some dirt on their rival.
If you enroll yourselves in the system, you risk anything you have to leak and be turned against you.
If you don’t enroll yourselves in the system, you are nothing short of hypocritical scum.
In closing
This open letter was partially meant to address your proposal, partially as a rant on the delusions you people live in. You can dress it up in terror prevention, you can dress it as protecting the children. The fact remains that your totalitarian proposal is nothing short of disgusting. It is inefficient, aimless, and dangerous in the best case scenario.
In short, go back to your drawing boards and stay out of my private life. Who I send messages to is none of your business, and the fact that I sent blue waffle to my friend a week ago will hardly help your search for online predators.
Eat shit.