Will Your Encrypted Messages Remain Private in Europe?

Despite resistance from industry leaders, civil-society organizations, and many within the European Parliament, a proposed EU regulation to enable sweeping surveillance of private communications remains under discussion. If it is enacted, the right to privacy – a core European value – will be severely weakened.

BRUSSELS – In recent years, civil-society organizations and industry players have joined forces to protect encrypted messaging from government intrusion. In an age of surveillance, notes the former Council of Europe commissioner for human rights, encryption is “a vital human rights tool.” In my own work on security and foreign affairs as a member of the European Parliament, I have seen firsthand why this is true. Activists, journalists, human-rights defenders, and ordinary citizens all rely on the right to privacy, viewing it as a core European value that underpins freedom of expression and democracy itself.

Encryption is one of the most important privacy-enabling technologies in today’s world, which is why most essential online services – messaging apps, calls, emails, file sharing, payments – rely on it. The most effective form, end-to-end encryption, ensures that only the communicating parties can decrypt and see the content of their messages, making unauthorized access impossible (as with Signal or WhatsApp).

But governments and law-enforcement agencies have been increasingly eager to access encrypted communications, even if that means undermining public confidence in privacy protection. Across EU member states, several governments want to weaken encryption technologies under the guise of fighting terrorism and other crime.

The message is clear: many governments and authorities see encryption not as a human-rights safeguard, but as an obstacle. The European Commission has established a high-level working group on “access to data for effective law enforcement.” The group, composed of law-enforcement representatives, has recommended “lawful access by design” to data “en clair,” meaning that communication services would be required to install “backdoors” enabling criminal investigators to access unencrypted data.

The push to weaken encryption reached a peak in 2022 with the European Commission’s proposed Child Sexual Abuse Regulation (CSAR), nicknamed “Chat Control.” This regulation would empower authorities to mandate indiscriminate scanning of private messages, including those on end-to-end encrypted services, to detect child sexual abuse material.

Even if adopted with the best of intentions, such measures would inevitably create vulnerabilities that could be exploited by malicious actors. IT professionals have argued that it is impossible to break encryption safely; backdoors always create exploitable security gaps. Just weeks ago, news broke that major US internet service providers had been hacked by Chinese actors through legally accessible data channels.

Intelligence agencies (including in the Netherlands) rightly warn that undermining encryption presents an unmanageable cybersecurity risk. In fact, ongoing discussions within the Council of the EU have ruled out scanning for accounts deemed critical for national security, revealing a glaring double standard.

Nor is cybersecurity the only issue. The regulation also would invite a legal challenge. The EU Charter of Fundamental Rights explicitly protects privacy in one’s communications, and the EU Court of Justice has made clear that indiscriminate and comprehensive scanning of private communications constitutes a disproportionate infringement of this right. Independent internal analyses by both the Council of the EU and the European Parliament have reached similar conclusions, and the European Data Protection Board and European Data Protection Supervisor have raised both privacy and efficacy concerns about the proposed law. After all, criminals could easily circumvent detection.

The European Commission has also failed to address the broader implications of intercepting encrypted messages under the pretense of combating child sexual abuse. Driven by a near-unlimited appetite for data, law-enforcement agencies would likely push to extend the surveillance regime to other domains. Europol, the EU police agency, has already recommended as much. And, contrary to the Commission’s assurances, significant doubts remain about the reliability, effectiveness, and feasibility of software to detect child abuse.

For all of these reasons, the European Parliament has settled on a more balanced approach, ruling out scanning on encrypted services and limiting surveillance to targeted suspects or groups of suspects.

Meanwhile, the Council of the EU is discussing an approach known as “client-side scanning,” whereby messages are intercepted before being sent. But while this method has been presented as a compromise between privacy, security, and child protection, what it actually does is compromise the integrity of encryption, ultimately raising the same privacy and cybersecurity concerns.

Acceptance of this approach would not bode well for privacy protection in Europe. Yet, the new European commissioner for internal affairs and migration, Magnus Brunner, has said that he is “convinced of the necessity and urgency to adopt the proposed Regulation.” During his hearings before the European Parliament, he refused to commit to protecting encryption, and he avoided answering questions about the use of spyware by EU governments, another deeply invasive way to circumvent encryption.

Encryption is not just a technical safeguard; it is a cornerstone of our digital rights and democratic freedoms. As debates on the CSAR proposal continue, we must remain vigilant against policies that undermine these values under the guise of safety. Weakening encryption jeopardizes not only individual privacy but also the broader digital ecosystem.

Rather than eroding encryption, the EU must champion robust privacy protections that balance security needs with fundamental rights. With this in mind, I signed a pledge to protect encryption. This is not just about defending technology; it is about defending the principles that define us as a society.

https://prosyn.org/dgaLAUy