Europe’s Moral Crusader Lays Down the Law on Encryption

On April 23, the German politician Patrick Breyer uploaded a meme to his Mastodon account. “Big Sister is Watching You”, it warned in big white letters, written behind a smiling photograph of Ylva Johansson, the EU commissioner in charge of home affairs. Within the bureaucratic confines of Brussels, it’s rare for a politician to evoke enough anger to feature on a meme—let alone be labeled as the modern incarnation of author George Orwell’s Big Brother by her colleagues.

But Johansson has become a divisive figure in Europe. The Swedish politician has positioned herself in the midst of a vitriolic debate over online child sexual abuse material (CSAM), one that pits individual privacy against the safety of vulnerable young people. The EU Home Affairs Commissioner is the architect of a deeply controversial new bill that proposes ways to force tech companies, including those with encrypted platforms, to scan their users’ private messages in an attempt to wipe both CSAM and grooming attempts off the internet. This is a personal crusade for the Swedish Johansson, a straight talker with a penchant for brightly colored blazers. Both supporters and opponents describe the commissioner as the passionate and stubborn driving force behind the bill, which she regularly describes as “my proposal.”

Arrayed against her is a fierce coalition of privacy advocates, American YouTubers, German soccer fans, and tech executives who argue that the proposal would severely impact online privacy. They call it the “chat control” bill and warn that it would open dangerous backdoors into encrypted apps. Because Johansson has made herself the face of this bill, criticism is lobbed at her personally. “Either she’s stupid or she’s evil,” says Jan Jonsson, CEO of Swedish VPN service Mullvad. In February, she was given a dubious “prize” at the Dutch Big Brother Awards, an event organized by digital rights group Bits of Freedom, which identifies heroes and villains in the fight for privacy. Johansson was firmly in the latter category, winning a public vote for the individual who has most threatened individual privacy.

The award ceremony took place on Johansson’s birthday. But she still attended—virtually, at least—and gave an acceptance speech. She says she doesn’t care about the criticism. “I think I have a moral obligation to act,” she told WIRED in March. “If I don’t, who am I? I will be a little mouse. I will be nothing.”

Child sexual abuse is not a crime that can be blamed on technology. But the internet has created a global market for its dissemination. In 2022, US charity The National Center for Missing and Exploited Children (NCMEC) received 32 million reports of suspected online CSAM. And Europe bears some responsibility for that market. Last year, more than 60 percent of all known child sexual abuse material was being hosted on EU servers, according to British nonprofit the Internet Watch Foundation (IWF).

This is not news to tech giants. The world’s largest social media platforms already have established systems to try and root out such content. Facebook, for example, uses photo-matching technology that compares photos and videos posted to the platform against a database of known CSAM content so replicas can be automatically pulled down. The company also uses AI to detect previously unidentified CSAM content. When the AI finds it, this content is sent to the NCMEC, which over the years has evolved into a clearing house for some of the most disturbing content on the internet. Once the NCMEC receives content, its staff decides what to do next: whether to report the material to the police or try to rescue the child shown in the video.

End-to-end encrypted platforms, like WhatsApp, can’t use photo-matching technology to scan messages. WhatsApp does deploy those tools to scan group and profile photos, while also using metadata and user reports to identify suspicious patterns. The company says these methods are enough to ban 30,000 accounts per month.

Right now, CSAM detection is purely voluntary for platforms in the EU. And searching for CSAM is illegal, so companies need permission to even search on their own platforms. The EU law giving them that permission is set to expire in August 2024, but Johansson is pitching for its replacement. Her vision for a new system is wide-ranging and includes setting up an EU version of the NCMEC and making CSAM detection mandatory for platforms found by a court to be at risk. But the real lightning rod in this proposal is that Johansson wants courts to be able to force all platforms, including encrypted ones, to scan not just metadata but also the content of messages and to send suspected offensive material on to the authorities.

The wording of Johansson’s proposal is “technology neutral,” meaning it doesn’t even mention encrypted spaces. But, crucially, it doesn’t rule out encrypted services either.

Johansson’s supporters argue that end-to-end encrypted messengers should not be allowed to become a safe haven for people sharing CSAM. Her opponents say that if her proposal passes in its current form, there wouldn’t be any encrypted messengers—because the technology that would allow this scanning to happen without breaking end-to-end encryption doesn’t exist. “That’s just not how technology works,” says Ella Jakubowska, a senior policy advisor at the digital rights group European Digital Rights (EDRi). “You either have encryption or you don’t.”

For Jakubowska, the real threat to encryption is not the scanning, per se, but the suggestion that problematic content—including any false positives, which might include pictures of children at the beach or teenagers consensually sexting—detected in private messages would be forwarded to the EU child abuse center. Johansson often argues publicly that encrypted messengers like WhatsApp already scan their users’ messages for suspicious links. But Jakubowska says the results of that scanning never leave WhatsApp. The app might deliver a message to a user that a link looks suspicious. But it will not report that suspicious link to the police. “So the integrity of your message is not broken,” Jakubowska adds. “That is fundamentally different, technically and legally speaking, from what [Johansson is] proposing.”

The debate unfolding in Brussels is just another iteration of ongoing tensions between governments and tech companies over the subject of end-to-end encryption. In 2021, WhatsApp sued the Indian government in an attempt to block new rules requiring messaging apps to trace the “first originator” of a message if demanded to do so by a court. This year, WhatsApp threatened to leave the UK if the country’s online safety bill, which is currently progressing through parliament, weakens encryption. Signal also threatened to walk. But an EU law, if passed, would establish a precedent that could be used, or abused, elsewhere.

“If we, as the EU, can mandate service providers to scan for some content through a backdoor, other states will also be able to say that you have to scan for [something else] through the same backdoor,” says Karl Emil Nikka, an IT security specialist who has debated Johansson on a podcast run by Swedish newspaper Svenska Dagbladet. He suggests that other countries could use this backdoor to search for content relating to whistleblowers, abortions, or members of the LGBTQ community.

Johansson stresses that this bill is not about privacy, but about protecting children. We should be thinking about the 11-year-old girl who has been coerced into sending someone explicit pictures and is now seeing them circulate around the internet, she says. “What about her privacy?”

This is a difficult debate to have; an ideological battle where child safety and privacy square off against each other. When this has unfolded in other countries, politicians have avoided talking about the grim details of child abuse—expecting that the public would disengage if they did. But Johansson is trying a different tack. She insists on talking about the details—and accuses her opponents of pretending that these problems don’t exist. “We now have robots that send out these grooming attempts to children on a mass scale, this is quite new,” she says. “We also have this livestreaming of children in the Philippines that have been locked into houses, special houses where they are being raped and livestreamed.”

She dismisses concerns by tech companies like WhatsApp that their encryption would be weakened. “Some companies don’t want to be regulated,” she says.

Asked about the technological underpinnings of her bill, Johansson says she thinks legislation will spur companies to innovate. Once technology has been invented that can scan encrypted messages, it needs to be accredited by the EU before countries can deploy it. “If no technology exists, of course you can’t use it. That’s clear,” she says.

WhatsApp has been dismissive about the possibility of developing a technology like this. “I haven’t seen anything close to effective,” Will Cathcart, head of WhatsApp, told WIRED in March. Yet statements like that leave Johnasson unphased. “I’m challenging the big companies,” she says. “And they are strong. They put a lot of energy, probably money, into fighting my proposal. But that’s life. That’s how democracy has to work.”

This is a technical debate about what is possible in the backend of the internet. To make it easier for the public to understand, both sides have resorted to strange analogies to explain whether the proposal is or isn’t sinister. The bill’s supporters compare the concept to the way spam filters in your email read your messages to decide whether they’re junk or a speed camera only sends footage of cars driving over the speed limit to human reviewers. But those in opposition say proposed scanning technology is the equivalent of installing surveillance cameras inside your apartment or allowing the post office to open all letters so they can search for illegal content. “What I fear is, where does it lead to? Where does it stop?” asks Patrick Breyer, an MEP who represents Germany’s Pirate Party. “They will also want to expand it in terms of scope. So why only scan for CSAM? What about terrorism? What about copyright?”

For Johansson, what she is proposing is not new or radical. She sees her proposal as just formalizing what tech companies are already doing voluntarily. “This detection is ongoing right now,” she says. “Last year we got more than 5 millions videos and pictures and grooming attempts reported to us. And of course, that is because this detection is ongoing.”

Johansson has some high-profile supporters. Both the NCMEC and the Internet Watch Foundation—two of the most prolific child safety organizations—have expressed  optimism about her bill. But the support gathering the most traction in Brussels is from the Hollywood actor Ashton Kutcher. “Huge thanks to Ylva Johansson for all the work from you and your team,” the celebrity tweeted last year. In March, Kutcher flew to Brussels to talk to MEPs and advocate for her proposal, prompting a flurry of celebrity selfies with MEPs. Kutcher is connected to this issue through Thorn, the technology nonprofit he cofounded with his ex-wife, actress Demi Moore, that builds tools to help platforms scan for CSAM.

Kutcher’s presence might feel bizarre. But he brings accessibility to the debate, says his Thorn colleague Emily Slifer, who is the group’s director of policy and is based in Brussels. Slifer supports Johansson’s proposal and says it’s important that the bill be applied to encrypted platforms once there is technology to make that possible. “I think the tech-neutrality of this bill is actually extremely important,” she says, adding that Thorn does not make tools to scan encrypted platforms right now but potentially could in the future. “We know how slow regulation is and how quick technology evolves.”

Johansson’s proposal will be debated in the European Parliament over the next two months. The discussions are expected to be fraught, with MEPs already comparing the emotional intensity of the debate to “moral blackmail.” But Johansson has uncovered a division in how different parts of Europe think about privacy. Some of the most heated opposition to the proposals has come from Germany, a country that tends to be fiercely protective of its privacy, partly due to its history of Stasi-era surveillance. In Germany, no race data is recorded, and many Germans use pseudonyms on social media. Johansson’s native Sweden, however, is a country that values transparency. Salary data, addresses, and phone numbers are all available publicly, with companies allowed to use that data to create products. Although there is strong opposition to the bill in Sweden, Johansson’s old party, the Social Democrats, has expressed support, as well as key government figures, including the justice minister.

This debate has arisen before. But Johansson is a rare public figure willing to face the privacy backlash. Ask Johansson about her motivation, and she keeps coming back to her duty—as a mother, as an adult, as a politician. “These children have to be protected,” she says. “And we have to do what we can to do that.”