Belgium wants to ban Signal – and is a harbinger of European policy
Last week, the Belgian government launched a proposal that would ban Signal. What’s going on?
This is a translation of an article in Dutch. It describes recent developments in Belgium from a Dutch perspective, but the essence is equally applicable to any other member state of the European Union.
Just over seven years ago, a Dutch court threw out the Dutch Telecommunications Data Retention Act. Under that law, telecommunication providers were obliged to retain metadata about our communications for up to two years. This did not concern the content of a message or conversation, but information about who has contact with whom. And when. And the geographical location of the participants. It was almost inevitable that the judge invalidate this law: European judges previously declared the European Data Retention Directive invalid, and the Dutch law was it’s national implementation.
You can assume that if Belgium passes such legislation, other member states will follow suit.
Everything and everyone in the cross-airs
The European law was declared invalid because the law obligated providers to keep data about everyone in Europe, even if there was no concrete suspicion of any crime. The judges found that far too sweeping, and in violation of our European Charter of Human Rights. Moreover, the necessity of this far-reaching measure had not even been demonstrated. Since that famous ruling of the European Court, the Member States have been working behind the scenes to devise alternatives. How can you (let someone else) retain “targeted” data, yet still collect as much data about people as possible?
Help us prevent governments from doing stupid things like banning Signal. Donate now!
Our southern neighbours did not sit on their hands either. The Belgian government proposed new legislation last week. With this proposal the government wants reintroduce long-term retention of this type of data. To ensure that no one can claim that there is blanket retention of all data, this proposal only calls for retention of data in “specific” situations. Well, specific… Retention might be demanded if there is a serious threat to national security. A terrorist attack just across the border, for example, where the suspects are on the loose. That would suddenly allow everyone’s data to be stored. Or retention on the basis of a geographic location for a more specific threat. For example, some intelligence was picked up about a potential terrorist attack in a large city. That might trigger the retention of the data of everyone in the city and for miles around. However, with such broad definitions and an ongoing threat of terrorist attacks, it is likely that large parts of the Belgian population fall within the scope of such an obligation.
Obligation to register
But the new Belgian proposal goes even further than the previous data retention obligation. Under the “old” legislation, a provider was only obliged to retain data that he already had anyway. Data that the provider did not have could not be retained. You can’t keep what you don’t have. If, to handle a telephone conversation between two people, records were kept of who was calling whom, then that data had to be saved. But if an email provider didn’t log who sent whom an email and when, then there was nothing to keep. The fresh Belgian proposal goes much further. The new proposed legislation forces providers to record that data on behalf of the government, even if the provider doesn’t see a need for themselves. The provider therefore has to enable logging on behalf of the government. So it is not only an obligation to retain data, but also to record.
Signal does not store more data than is strictly necessary. That’s what makes Signal so great.
Ban on Signal
The consequences are potentially far-reaching. It means that chat services such as Signal will become illegal. The makers of Signal pride themselves on the fact that they really only store the data they genuinely need, and no more than that. They do so, because you can’t leak what you don’t have. And so, the company behind Signal only knows when an account was created, and when the user was last connected to the network. It does not keep track of who sends a message to whom and when. But the Belgians now want to force Signal to keep track of that and to store it for a long time. And since that is exactly what Signal does not want, it actually means Signal is doomed.
The fact that Signal does not want to store any more data than strictly necessary for the provision of its service is what makes Signal so great. We don’t have to trust Signal to withstand massive pressure from government officials. Because Signal can’t be forced to give up data that they do not have. We also don’t have to worry that Signal suddenly wants to monetize data about our behavior, like Facebook (or Meta) does with WhatsApp. And you don’t have to protect data that you do not have against attacks from bad actors. These are all reasons why people, including journalists and politicians, rely on Signal. The Belgian government is now threatening to annihilate this safety.
Chat app providers have to enable logging on behalf of the government.
Harbinger of times to come
And now you may think: that is Belgium and I have no Belgian friends. But that is, of course, taking a very short view. You can assume that if Belgium passes such legislation, other member states will follow suit. Ever since the European judges overturned the old data retention obligation, European governments have been debating how to introduce a new data retention obligation. Their aim is an obligation under which as much data as possible is collected, without the court nullifying it. What is now happening in Belgium is a precursor to European policy. Sooner or later, every European Member State will want something like this, including the Netherlands.
We keep in touch with our Belgian colleagues. Where we can help in stopping this disastrous proposal, we will certainly make a contribution. Proposals like this one put secure communication at risk.
This article was translated by Celeste Vervoort.