On Friday 1 March, the Belgian Presidency of the Council of the European Union will attempt to relaunch work on the regulation on the removal of online child sexual abuse material (CSAM) with a new approach to the content of this regulation, the German media outlet Netzpolitik reported on Tuesday 27 February. The regulation was proposed in May 2022 and has been blocked in part because of its provisions on detection orders imposed on private messaging services.
Parliament adopted its position at the end of October (see EUROPE 13280/11). While an agreement remains possible at the Council of the EU under the Belgian Presidency, the trilogues will not be concluded within this term.
In its working paper submitted to the EU Council Working Party on Law Enforcement, the Presidency proposes that detection orders should be more targeted and that services using end-to-end encryption should be protected in detection orders.
It proposes to discuss:
- risk categorisation of services for more targeted detection orders;
- protecting cyber security and encrypted data, while keeping services using end-to-end encryption within the scope of detection orders.
Following this discussion, the Presidency plans “to assess the consequences on other parts of the proposal, including the functioning and tasks for the envisaged EU Centre” and to return with a new concept to be incorporated into the text, explains Netzpolitik.
With regard to more targeted detection orders, the note proposes classifying the (parts of) services of providers of hosting services and interpersonal communications services according to their level of risk on the basis of objective and non-discriminatory parameters. Depending on their ranking, (parts of) services would then be subject to mandatory or recommended risk mitigation measures and, as a last resort, detection orders.
The Presidency suggests developing a methodology for categorising the risks and the parts of services most at risk. The categorisation of risks should be based on a set of objective parameters (linked to the type of service, the basic architecture of the service, the provider’s policies, security features at the design stage and user trends), explains Netzpolitik.
Following this risk categorisation process, systems or parts of systems are classified as ‘high risk’, ‘medium risk’, ‘low risk’ or ‘negligible risk’.
The categorisation of service providers could be re-assessed more or less frequently depending on their category.
On risk mitigation and detection orders, the note proposes that, depending on the risk category of the service (or part of the service), the provider may be required by the coordinating authority to implement mandatory risk mitigation measures appropriate to the risks identified in the risk assessment.
If the implementation of these measures is deemed insufficient, the coordinating authority may request a detection order. “To make the issuing of detection orders more targeted and tailored to the situation of the specific service provider, the Presidency proposes establishing two different types of detection orders, aligned with the risk categories identified above”, reads the note.
Services classified as ‘high risk’ could be subject to mandatory risk mitigation measures and a standard detection order. Services classified as ‘medium risk’ could be subject to mandatory risk mitigation measures and a limited detection order. Services classified as ‘low risk’ may receive a list of recommended mitigation measures. Services categorised as ‘negligible risk’ would not receive a list of recommended mitigation measures (but would have to take voluntary mitigation measures based on their risk assessment).
On end-to-end encryption, the note proposes “to include services using [this technology] in the scope of standard detection orders issued to high-risk services, under the condition that a detection order should not create any obligation that would require a provider to create access to end-to-end-encrypted data and that the technologies used for detection are vetted with regard to their effectiveness, their impact on fundamental rights and risks to cyber security”.
For MEP Patrick Breyer (Greens/EFA, German), who forwarded this new memo, “the fact that the Belgian Interior Minister’s so-called new proposal is presented as ‘more targeted’ is an outright lie. In reality, it is a matter of continuing to make it compulsory to monitor the private conversations of totally unsuspecting people”.
Link to the note: https://aeur.eu/f/b1w (Original version in French by Solenn Paulic)