Summary of Statement by the Federal Commissioner for Data Protection and Freedom of Information on the public hearing of the Committee on Digital Affairs of the German Bundestagon the topic of “Chat Control”
Original Statement here.
The fight against child sexual abuse is an extremely important social task that must be fulfilled with all suitable and appropriate means at our disposal. The so-called chat control, however, significantly exceeds the goal of this task. It hardly offers greater protection for children, but instead it would be Europe’s and Germany’s entry into a disproportionate, unconditional and comprehensive surveillance of private communication.
Implications
- Not compatible with the right to respect for private life under Article 7.
- Incompatible with the right to protection of personal data under Article 8 of the EU Charter of Fundamental Rights (CFR).
- From a constitutional point of view, not compatible with the secrecy of telecommunications under Article 10 of the German Basic Law (GG).
- From a constitutional point of view, not compatible with the right to informational self-determination Article 2(1) in conjunction with Article 1(1) (GG)
- Mandatory risk assessment lacks clarity in standards and in determining which parameters are used as a basis and to what extent they are weighted.
- Detection orders require service providers to view private communications and information content (all content of all users of a service and, if necessary, break encrypted communication)
- Not compatible with the right to respect for private life under Article 7 CFR
- No exceptions are provided for, not even for professionals with confidentiality requirements such as doctors, psychologists, lawyers or state-recognised youth and social workers. Paragraph 1 of the Criminal Code (Strafgesetzbuch, StGB) provides for a penalty of up to one year’s imprisonment for the unauthorised disclosure of information by persons subject to professional secrecy and thus underlines the special worthiness of protection of this communication.
- Voice messages would also be intercepted despite the special protection afforded to the spoken word by the provision of section 201 of the Criminal Code (Strafgesetzbuch, StGB).
- Infringement of the principle of transparency under Article 5(1)(a) of the General Data Protection Regulation (GDPR)
- Undifferentiated search for CSA material contradicts the principle of data minimisation under Article 5(1)(c) GDPR.
- According to the case law of the European Court of Justice, unprovoked mass surveillance is not compatible with the EU Dharter of Fundamental Rights (GRCh)
- Lack of data protection supervision (data protection supervisory authorities should only be able to participate with non-binding opinions prior to deployment, Article 7(3) Draft Regulation).
- Detection order: All services and devices on which digital communication takes place or could take place are covered by the provisions of the draft regulation. It is irrelevant whether the services are actually used to exchange abusive material or whether grooming takes place there; a “significant risk” that they could be used for this purpose is sufficient. This means that hosting services, stores for software applications or internet access services are covered by the scope of application. In addition, personal cloud storage, which serves as a backup of one’s own photos on mobile phones and is not shared, is also covered.
- Scanning all textual communication for ‘grooming’ affects everyday conversations of participants of all ages and age constellations.
- False reports and false positives as well as the screening of personal communication will also lead to users only using the respective services to a limited extent or not at all for fear of continuous surveillance (so-called “chilling effects”).
- There are no known technologies that can reliably distinguish between harmless, sexually or romantically charged communication and grooming.
Sensible measures
- Strengthening and expanding the resources of law enforcement agencies
- Prevention of child sexual abuse – also outside the online world
- Require service providers to set up low-threshold reporting channels for affected persons that are linked to law enforcement agencies or other state counselling centres.
- Login traps and quick freeze (targeted investigation after initial suspicion and court order)
Critique
- In my opinion, the draft regulation leads to unjustifiable encroachments on the fundamental rights enshrined in the EU Charter of Fundamental Rights and the Fundamental rights.
- End of confidential communication, whether by breaking end-to-end encryption or by so-called client-side scanning.
- Mandatory age controls by app and software stores incl. exclusion of certain age groups from software applications leads to a restriction of communication and endangers the possibility of anonymous/pseudonymous internet use.
- Lifting anonymity would have serious consequences in many countries, especially for opposition members or whistleblowers, both within and outside the European Union.
- Technologies for finding CSA material, still have error rates of up to 12% in some cases.
- Once introduced, there is a threat of an expansion of monitored content in Europe as well.
- Apart from official identity documents, such as the German electronic identity card, I am not aware of any technologies that enable reliable, anonymous age verification.
- Alternative technologies, such as AI-based age verification (facial recognition, behavioural analysis) regularly fall short of the necessary level of reliability. They regularly require additional, often sensitive personal data. The collection and recording enables identification, which jeopardises anonymity.
- The use of third-party providers bears the risk that calls are linked and users are identified.
- The lifting of anonymity in certain countries (especially for opposition members, whistleblowers) can have dangerous or even life-threatening consequences.
- As soon as technologies and interfaces are implemented, there is nothing to prevent illegitimate use (by authoritarian states or malicious actors), these would be “surveillance ready” in the future.
- False-positive reports in connection with possible criminal investigations (e.g. in the case of consensual sexting among young people) threaten unnecessary contact with criminal investigation authorities, which could well have a formative character for these young people.
- Chilling effect on the exercise of free will undermines the foundation of a free society.
- The blocking of entire domains regularly leads to excessive blocking (so-called overblocking) and does not meet the requirements of the European Court of Justice for targeting.