Take action! Protect end-to-end encryption

In our introduction to this series of articles on privacy, we highlighted how, although we may have nothing to hide, we do have everything to protect. We asked you to help strengthen end-to-end encryption by using it, and we listed various free software tools that you can use and share. This article is the second part of this series, and it targets the question of how to counter the dangers resulting from the ongoing, worldwide legislation that threatens end-to-end encryption, and privacy in general. The list is long: Chat control in the EU, the EARN IT Act in the US, and the so-called "Online Safety Bill" in the UK all require a backdoor that would allow companies and governments to monitor end-to-end encrypted communication. The STOP CSAM Act, introduced in the US Congress in April, tries to hold end-to-end encryption providers liable for the hosting of child sexual abuse material (CSAM) and opens the door for civil lawsuits against platforms for facilitating the distribution of CSAM if they refuse to give law enforcement the keys to decrypt user communications.

Meanwhile, India's new cybersecurity order CERT-In is driving VPN services and other privacy-concerned internet service providers out of the country because it requires the providers to keep logs of users. In Australia, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act (TOLA) from 2018 already allows law enforcement and intelligence agencies to request or demand assistance from communications providers to access encrypted communications. The fact that the TOLA Act provides the legal standing to decrypt messages led to a collaboration between the Federal Bureau of Investigation and the Australian Federal Police and thereby granted the FBI power it has long desired to have in its domestic territory. In 2021, the Surveillance Legislation Amendment (Identify and Disrupt) Act added even broader powers to this which allow the Australian Federal Police to modify data on accounts or devices of suspects, no matter if they are encrypted or not. But departmental representatives still claim end-to-end encryption is detrimental to public safety. The example of Australia shows that giving way to the claims of those who prioritize illusory safety over privacy is no option. They won't stop after passing one bill. On the contrary, they will demand you to surrender your fundamental right to privacy bit by bit, more and more.

Take action

It is important to let the representatives of your government know that end-to-end encryption is vital even if there is no ongoing legislation threatening end-to-end encryption in your area or even if your country has already passed a bill that weakens it. Write a letter to the appropriate agencies to let them know that you value your privacy and the privacy of the people around you, and remind them of their duty to protect it. Below are sample letters that you can adapt to your needs.

Post your letter on social media to inspire others to do the same. Others might especially benefit from letters that are adapted to the specific legislation of your country and/or translated into your mother tongue. If you email such letters to campaigns@fsf.org, we may attach them to the blog article as a template for others citing your name, if you give us permission to do that.

Sample letter to members of the European Parliament

Chat control (2022/0155(COD)) just passed the council of the European Union and will soon be read in the European Parliament. Essentially, this proposal aims to introduce an "obligation for providers to detect, report, block and remove child sexual abuse material from their services." The problem is that this would make chat control mandatory for all messenger and e-mail providers including end-to-end encrypted services. Now is the perfect time to appeal to members of the European Parliament to amend the proposed regulations. Here is a sample letter that you can adapt to your needs:

Dear [Name of Member of the European Parliament],

Thank you for all the work you do representing people like myself in the European Parliament. Today, I am appealing to you to uphold the right to privacy and to safeguard end-to-end encryption. Only with encryption can we guarantee rights as fundamental as privacy, freedom of the press, and freedom of opinion and expression. Free societies like the countries of the European Union need end-to-end encryption! At their current state, the proposed regulations to prevent and combat child sexual abuse in the European Union (2022/0155(COD)) would force encrypted services to insert a backdoor in their services because there is no other technical solution to comply with the detection obligations that the proposal would impose on providers of encrypted services. Inserting a backdoor would destroy end-to-end encryption! The text of the regulations even recognizes this risk when it warns: "When executing the detection order, providers should take all available safeguard measures to ensure that the technologies employed by them cannot be used by them or their employees for purposes other than compliance with this Regulation, nor by third parties, and thus to avoid undermining the security and confidentiality of the communications of users." This is not possible. Once a backdoor is installed, it will be abused by criminals and state actors. And this means the encryption can no longer protect the users' privacy. As Matthias Pfau, entrepreneur and privacy advocate, rightfully said: "Encryption is either securing everyone or it is broken for everyone." In addition, backdoors do nothing to serve the stated goal of preventing and combating child sexual abuse. One reason is because criminals are simply able to use cryptographic tools that don't comply with the law Please urge the European Commission to either drop the European Union (2022/0155(COD)) or radically amend the proposed regulations to keep unmediated end-to-end encryption legal. Please also prevent any future law that try to insert a backdoor in end-to-end encryption.

Thank you for your consideration.

Sincerely,

[Your name and signature]

Select from the list of current members a Member of the European Parliament to whom you want to write the letter. We recommend selecting someone from your region because they are in the Parliament to represent you. Address your letter to:

Parlement Européen
Bât. ALTIERO SPINELLI
08H341
60, rue Wiertz / Wiertzstraat 60
B-1047 Bruxelles/Brussel

You can also send a fax to 0032 2 28 49627.

Sample letter for the United Kingdom

The so-called "Online Safety Bill" threatens to destroy end-to-end encryption. Sections 8, 9, and 16 of the Bill would mandate providers of user-to-user services that have links with the United Kingdom to detect, report, and assess the risk of illegal text, images, or videos on their platforms.

On their homepage, the government lists software and platforms that are supposed to help providers of user-to-user services to "identify and remove known illegal content [...] which features child sexual exploitation or terrorist activity" and to "detect potentially harmful content." Most of this software is proprietary and a serious concern to privacy. This shows how the government intends to implement the "Online Safety Bill" if it passes: Proprietary software or SaaSS providers scan chats and thereby eventually "detects, categorizes and evaluates child abuse content with no human interaction." Because it's proprietary software, the user has no control over the process and can't look into the workings of the algorithm. This makes it effectively impossible to detect false flagging, not to mention the privacy implications of feeding all communication of a platform to a centralized instance.

In order to comply with the duties set out in the "Online Safety Bill," providers of encrypted services would have to insert a backdoor in their services. But installing a backdoor would abolish the benefits of end-to-end encryption and dismantle digital privacy.

The "Online Safety Bill" started in the House of Commons and is now in the House of Lords. This is your chance to contact members of the House of Lords and let them know that you value end-to-end encryption.

Here is a sample letter that you can adapt to your needs:

Dear [Title of a member of the House of Lords],

Thank you for all the work you do as a member of the House of Lords. Today, I am appealing to you to uphold the right to privacy and to safeguard end-to-end encryption. Only with encryption can we guarantee fundamental rights as privacy, freedom of the press, and freedom of opinion and expression. End-to-end encryption is vital for a free society like the UK. The Online Safety Bill threatens to destroy end-to-end encryption. In order to comply with the duties about illegal content risk assessments set out in section 8, the duties about illegal content set out in section 9, and the duty about content reporting set out in section 16, providers of encrypted services would have to insert a backdoor in their services. But installing a backdoor would abolish the benefits of end-to-end encryption and dismantle digital privacy. As Matthias Pfau, entrepreneur and privacy advocate, rightfully said: "Encryption is either securing everyone or it is broken for everyone." Please either drop the *Online Safety Bill* or radically amend the proposed regulations to keep unmediated end-to-end encryption legal. Please also prevent any future law that try to insert a backdoor in end-to-end encryption.

Thank you for your consideration.

Yours sincerely,

[Your name and signature]

Select a member of the House of Lords to whom you want to write the letter from the members of the House of Lords section of the parliament. In the same section, you can find the email address of each member. Alternatively, you can send an email to contactholmember@parliament.uk. We recommend addressing the Lords Member in accordance with the guidance on addressing Lords Members.

Sample letter for the United States

This April, Senator Lindsey Graham re-introduced the EARN IT Act for the third time, after the bill had been successfully defeated twice in 2020 and 2022. The bill is now with the House and the Senate for consideration. Fight for the Future sponsored a petition which can unfortunately only be signed using nonfree JavaScript. But you can write your senators urging them to reject the EARN IT Act.

In addition, the STOP CSAM Act, introduced in the Congress in April, tries to hold end-to-end encryption providers liable for the distribution of child sexual abuse material although it is not clear how providers should detect child exploitation conduct in encrypted text.

There was also the Lawful Access to Encrypted Data Act that aimed at requiring "certain technology companies to ensure that they can decode encrypted information on their services and products in order to provide such information to law enforcement." Luckily, this bill died 2021 in Congress but it could be re-introduced or included in another bill any time.

Furthermore, there is reason to fear that the Kids Online Safety Act, which was reintroduced in the US Congress at the beginning of May, will prompt platforms to require all users to upload identity verification documentation or biometric information to validate their age because the bill lacks guidance on how else platforms shall predict if the videos, pictures, or text on the platform might have a negative impact on minors. This is not related to encryption, but it is definitely a bill we should watch, as it would impact our privacy if it passes.

Let the representatives of your government know that end-to-end encryption and privacy are vital. Here is a sample letter that you can adapt to your needs:

Dear Chairman Jordan, Ranking Member Nadler, and members of the Committee,

Thank you for all the work you do as senators. Today, I am appealing to you to uphold the right to privacy and to safeguard end-to-end encryption. Only with encryption can we guarantee fundamental rights as privacy, freedom of the press, and freedom of opinion and expression. End-to-end encryption is vital for a free society like the US. I am deeply concerned about the re-introduced *EARN IT Act* and the *STOP CSAM Act*. Section 5(7)(A) and (B) of the *EARN IT Act* encourage courts to deem providers of encryption services guilty of acting recklessly or negligently and not preventing CSAM crimes only because they offer end-to-end encrypted services. Similarly, the *STOP CSAM Act* tries to hold end-to-end encryption providers liable for the distribution of child sexual abuse material. In order to prevent this accusation, providers would have to insert a backdoor in their encryption service to screen messages en masse. Once a backdoor is installed however, it *will* be abused by criminals and state actors, and the encryption will no longer protect user privacy. As Matthias Pfau, entrepreneur and privacy advocate, rightfully said: "Encryption is either securing everyone or it is broken for everyone." Neither the *EARN IT Act* nor the *STOP CSAM Act* will serve the goal to prevent and combat child sexual abuse because criminals are simply able to use cryptographic tools that don't comply with the law I urge you to oppose both the *EARN IT Act* and the *STOP CSAM Act* and to prevent any law that will try to insert a backdoor in end-to-end encryption.

Thank you for your consideration.

Sincerely,

[Your name and signature]

For an alternative text, see this sample message from the Electronic Frontier Foundation's Action Center.

Send your letter to:
Chairman Jim Jordan
Committee on the Judiciary
United States Senate
711 Hart Senate Building
Washington, D.C. 20510

and

Ranking Member Jerrold Nadler
Committee on the Judiciary
United States Senate
135 Hart Senate Office Building
Washington, D.C. 20510{/if }

Illustration Copyright © 2014, Johannes Landin. Licensed under Creative Commons Attribution-Share Alike 3.0 Unported International license.