Potential EU law sparks global concerns over end-to-end encryption for messaging apps 

By: djohnson
6 October 2025 at 14:25

Tech experts and companies offering encrypted messaging services are warning that pending European regulation, which would grant governments broad authority to scan messages and content on personal devices for criminal activity, could spell “the end” of privacy in Europe.

The European Union will vote Oct. 14 on a legislative proposal from the Danish Presidency known as Chat Control, a law that would require mass scanning of user devices for abusive or illegal material. Over the weekend, Signal warned that Germany, a longtime opponent and bulwark against the proposal, may now move to vote in favor, giving the measure the support it needs to pass into law.

On Monday, Signal CEO Meredith Whittaker warned that her company, which provides end-to-end encrypted communications services, could exit the European market entirely if the proposal is adopted.

“This could end private comms [and] Signal in the EU,” Whittaker wrote on BlueSky. “Time’s short and they’re counting on obscurity: please let German politicians know how horrifying their reversal would be.”

According to data privacy experts, Chat Control would require access to the contents of apps like Signal, Telegram, WhatsApp, Threema and others before messages are encrypted. While ostensibly aimed at criminal activity, experts say such features would also undermine and jeopardize the integrity of all other users’ encrypted communications, including those of journalists, human rights activists, political dissidents, domestic abuse survivors and other victims who rely on the technology for legitimate purposes.

The pending EU vote is the latest chapter in a decades-long battle between governments and digital privacy proponents about whether, and how, law enforcement should be granted access to encrypted communications in criminal or national security cases. 

Supporters point to increasing use of encrypted communications by criminal organizations, child traffickers and terrorist organizations, arguing that unrestricted encryption impedes law enforcement investigations, and that some means of “lawful access” to that information is technically feasible without imperiling privacy writ large.

Privacy experts have long argued that there are no technically feasible ways to provide such services without creating a backdoor that could be abused by other bad actors, including foreign governments.

Whittaker reportedly told the German Press Agency that “given a choice between building a surveillance machine into Signal or leaving the market, we would leave the market,” while calling repeated claims from governments that such features could be implemented without weakening encryption “magical thinking that assumes you can create a backdoor that only the good guys can access.”

The Chaos Computer Club, an association of more than 7,000 European hackers, has also opposed the measure, saying its efforts to reach out to Germany’s Home Office, Justice Department and Digital Minister Karsten Wildberger for clarity on the country’s position ahead of the Chat Control vote have been met with “silence” and “stonewalling.”

The association and U.S.-based privacy groups like the Electronic Frontier Foundation have argued that the client-side scanning technology that the EU would implement is error-prone and “invasive.”

“If the government has access to one of the ‘ends’ of an end-to-end encrypted communication, that communication is no longer safe and secure,” wrote EFF’s Thorin Klosowski.

Beyond the damage Chat Control could cause to privacy, the Chaos Computer Club worried that its adoption by the EU might embolden other countries to pursue similar rules, threatening encryption worldwide.

“If such a law on chat control is introduced, we will not only pay with the loss of our privacy,” Elina Eickstädt, spokesperson for the Chaos Computer Club, said in a statement. “We will also open the floodgates to attacks on secure communications infrastructure.”

The Danish proposal leaves open the potential to use AI technologies to scan user content, calling for such technologies “to be vetted with regard to their effectiveness, their impact on fundamental rights and risks to cybersecurity.”

Because Chat Control is publicly focused on curtailing child sexual abuse material (CSAM), the initial scanning will target both known and newly identified CSAM, focusing on images and internet links. For now, text and audio content, as well as scanning for evidence of grooming, a more difficult crime to define, are excluded. 

Still, the Danish proposal specifies that scanning for grooming is “subject to … possible inclusion in the future through a review clause,” which would likely require even more intrusive monitoring of text, audio and video conversations. 

It also calls for “specific safeguards applying to technologies for detection in services using end-to-end encryption” but does not specify what those safeguards would be or how they would surmount the technical challenges laid out by digital privacy experts.
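The following is an added illustration, not code from Signal, the EFF or the Danish proposal, of the point made above about scanning "before messages are encrypted" and about known-material matching: a client-side scanning hook is modelled as a hash lookup that runs on the device ahead of encryption. The cipher is a stand-in for a real messaging ratchet, and the hash list, the flagged image and the messages are all constructed for the example. The demonstration shows three things: without the hook the server sees only ciphertext; with the hook, a list match hands plaintext off the device before encryption ever runs; and because the list is just a set of opaque digests, whoever controls it can add anything and the same hook will report it.

```python
"""Model of a client-side scanning hook in an otherwise end-to-end encrypted client.

Added example, not code from Signal or from the proposal. The cipher, the hash
list and the messages are constructed for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the provider-supplied list of hashes of "known"
# material. The client receives digests only and cannot verify what they are.
FLAGGED_IMAGE = b"constructed bytes standing in for a known flagged image"
KNOWN_HASHES = {hashlib.sha256(FLAGGED_IMAGE).hexdigest()}


@dataclass
class Report:
    """What the scanning hook hands to the reporting authority."""
    sender: str
    sha256: str
    plaintext: bytes  # the hook saw the unencrypted attachment


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def client_side_scan(sender: str, attachment: bytes, hash_list: set) -> Optional[Report]:
    """Exact-match hash scan run on the device *before* encryption.

    Whoever controls hash_list decides what gets reported; the client only
    sees digests, so it cannot distinguish CSAM from anything else on the list.
    """
    digest = sha256_hex(attachment)
    if digest in hash_list:
        return Report(sender, digest, attachment)
    return None


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Placeholder for the real ratchet: XOR with an HMAC-derived keystream.

    Deterministic and nonce-free, so NOT real cryptography; it exists only so
    the server in this model holds ciphertext it cannot read.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


toy_decrypt = toy_encrypt  # XOR keystream is symmetric


def send_message(sender: str, attachment: bytes, key: bytes,
                 hash_list: Optional[set]) -> tuple:
    """Client send path. hash_list=None models a true E2EE client with no scanner.

    Returns (ciphertext, report). Only the ciphertext goes to the server; the
    report, when present, leaves the device carrying plaintext.
    """
    report = client_side_scan(sender, attachment, hash_list) if hash_list is not None else None
    return toy_encrypt(key, attachment), report


if __name__ == "__main__":
    key = bytes(range(32))  # constructed session key
    cat = b"constructed photo of my cat"
    leaflet = b"constructed text of a political leaflet"

    # True E2EE: no report, and the server holds only ciphertext.
    ct, rep = send_message("alice", cat, key, None)
    print("no scanner   -> report:", rep, "| server sees plaintext:", ct == cat)

    # Scanner on, list match: plaintext is reported before encryption happens.
    ct, rep = send_message("alice", FLAGGED_IMAGE, key, set(KNOWN_HASHES))
    print("known match  -> plaintext reported:", rep.plaintext == FLAGGED_IMAGE)

    # The list is only digests: add the leaflet and the same hook reports it.
    expanded = set(KNOWN_HASHES) | {sha256_hex(leaflet)}
    ct, rep = send_message("bob", leaflet, key, expanded)
    print("list expanded -> plaintext reported:", rep.plaintext == leaflet)
```

The design choice worth noticing is that nothing in `send_message` distinguishes the two scanner runs: the hook cannot tell a CSAM digest from a leaflet digest, which is the concrete form of the "one of the ends" argument quoted above.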

The post Potential EU law sparks global concerns over end-to-end encryption for messaging apps  appeared first on CyberScoop.

Android spyware disguised as legitimate messaging apps targets UAE victims, researchers reveal

2 October 2025 at 11:36

Researchers have found two Android spyware families masquerading as messaging apps Signal and ToTok, apparently targeting residents of the United Arab Emirates.

ESET revealed the spyware campaigns Thursday in a blog post, saying that researchers discovered them in June but believe they date back to last year. They dubbed the campaigns ProSpy and ToSpy, with the first impersonating both Signal and ToTok, and the second just ToTok.

ToTok has been effectively discontinued since 2020, after The New York Times reported that the app itself was a spying tool for the government of the UAE. The spyware was posing as an enhanced version of the app, ToTok Pro, ESET said.

Once installed, the spyware requests permission to access contacts, text messages and stored files, and once granted, it can start exfiltrating data, according to the researchers. That includes the data for which it sought permission, but also device information, audio, video, images and chat backups.

“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,” said ESET researcher Lukáš Štefanko, who made the discovery. “Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app.

“Confirmed detections in the UAE and the use of phishing and fake app stores suggest regionally focused operations with strategic delivery mechanisms,” he said.

It’s not the first time hackers have disguised malware in phony messaging apps. ESET shined a spotlight on the phenomenon last year, pointing to fake WhatsApp updates with mysterious intentions, copycat Telegram and WhatsApp websites for stealing cryptocurrency and a Chinese government-linked group seeking to distribute Android BadBazaar espionage code through authentic-looking Signal and Telegram apps.

ESET concluded that the latest spyware campaigns are likely targeting privacy-conscious UAE residents partly because the ToTok app was primarily used there and also because of a domain name ending in the substring “ae.net,” with “AE” being the two-letter country code for UAE.

“Given the app’s regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions,” ESET wrote in its blog post.
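As an added example, not ESET's tooling, the script below triages a decoded AndroidManifest.xml for the permission profile described above (contacts, text messages, stored files, audio and video) combined with the network access needed to exfiltrate it, and flags an app whose label claims to be Signal while using a package name other than Signal's genuine `org.thoughtcrime.securesms`. It assumes the manifest has already been decoded to plain XML (apktool does this); the three manifests embedded in it are constructed for the example and are not the ProSpy or ToSpy manifests.

```python
"""Triage a decoded AndroidManifest.xml for a spyware-style permission profile.

Added example, not ESET's tooling. Assumes the manifest has already been
decoded to plain XML (for instance by apktool); the manifests below are
constructed and do not describe the ProSpy or ToSpy samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
LABEL = f"{{{ANDROID_NS}}}label"

# Permissions that hand over what ESET saw exfiltrated: contacts, SMS, stored
# files, audio, video and images.
DATA_ACCESS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.READ_EXTERNAL_STORAGE": "stored files",
    "android.permission.READ_MEDIA_IMAGES": "images",
    "android.permission.READ_MEDIA_VIDEO": "video",
    "android.permission.READ_MEDIA_AUDIO": "audio files",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}
EXFIL = "android.permission.INTERNET"  # needed to ship the data anywhere

# Genuine package name of the Signal Android client. An app labelled "Signal"
# under any other package name is a clone, whatever else it does.
GENUINE_PACKAGES = {"signal": "org.thoughtcrime.securesms"}

# Constructed manifests (hypothetical package names, not real samples).
SAMPLE_TOTOK_PRO = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.totokpro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="ToTok Pro"/>
</manifest>"""

SAMPLE_SIGNAL_CLONE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.signalplus">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Signal"/>
</manifest>"""

SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Notes"/>
</manifest>"""


def audit_manifest(xml_text: str) -> dict:
    """Return the data the app can reach, whether it can exfiltrate, and a verdict."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {el.get(NAME, "") for el in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(LABEL, "") if app is not None else ""

    data_access = sorted({DATA_ACCESS[p] for p in perms if p in DATA_ACCESS})
    can_exfiltrate = EXFIL in perms

    # Brand name in the label but a different package: impersonation.
    impersonates = None
    for brand, genuine in GENUINE_PACKAGES.items():
        if brand in label.lower() and package != genuine:
            impersonates = genuine

    if (data_access and can_exfiltrate) or impersonates:
        verdict = "high"
    elif data_access or can_exfiltrate:
        verdict = "medium"
    else:
        verdict = "low"

    return {
        "package": package,
        "label": label,
        "data_access": data_access,
        "can_exfiltrate": can_exfiltrate,
        "impersonates": impersonates,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_TOTOK_PRO, SAMPLE_SIGNAL_CLONE, SAMPLE_BENIGN):
        print(audit_manifest(sample))
```

On a real handset the complementary check is where the package came from: both campaigns required sideloading from look-alike websites, so an installer source that is not the Play Store or Galaxy Store is itself a signal worth acting on before any manifest review.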

The post Android spyware disguised as legitimate messaging apps targets UAE victims, researchers reveal appeared first on CyberScoop.

Waltz brushes off SignalGate questions, points finger at CISA 

By: djohnson
15 July 2025 at 15:03

Former White House national security adviser Mike Waltz brushed aside criticisms Tuesday that he put sensitive military operations at risk by holding discussions about military strikes in a Signal group chat, claiming the app’s use was authorized by the federal government’s top civilian cyber agency.

In a Senate Foreign Relations Committee hearing, Waltz — who has been nominated to represent the U.S. at the United Nations — was pressed about his short tenure as President Donald Trump’s top national security official. In particular, he was grilled by Sen. Chris Coons, D-Del., for his use of the end-to-end encrypted messaging application Signal to coordinate with other officials over airstrikes on Houthi rebels.

While much of the initial attention was focused on Waltz adding journalist Jeffrey Goldberg to the chat, national security experts were also aghast at government officials at the highest levels coordinating highly sensitive military operations using a free application.

The incident is widely viewed as contributing to Waltz’s departure just months after leaving Congress to take the role, and his subsequent shuffling to a new nomination at the U.N.

Coons referenced Waltz’s long background of public and military service, arguing he should have known better.

“In your role in the Army, in the House, as national security adviser, you have long handled classified and highly sensitive information. We both know Signal is not an appropriate, secure means of communicating highly sensitive information,” Coons said.

But Waltz was defiant in his response, not only insisting that classified information wasn’t involved — the chats involved detailed descriptions of targets, timing, aircraft and munitions that would be used — but that his use of Signal had been “driven by and recommended by the Cybersecurity [and] Infrastructure Security Agency.”

“The use of Signal is not only … authorized; it was recommended in the Biden-era CISA guidance,” he said.

Waltz was referencing a piece of 2024 guidance put out by CISA on mobile security. He later read from a portion of the guidance, which recommended using “only end-to-end encrypted communication” and to “adopt a free messaging application to secure communications that guarantees end to end encryption, particularly if you are a highly targeted individual, such as Signal or other apps.”

CISA is the federal government’s top civilian cyber agency, but has no legal authority over U.S. military or Department of Defense operations. It’s not clear why Waltz believed that voluntary guidance from the agency — which was directed to the broader public following news that the Chinese hacking group Salt Typhoon had penetrated U.S. telecommunications infrastructure — would cover sensitive military operations overseen by the White House and DOD.

A request for comment sent to CISA was not returned at press time.

Waltz further claimed that the incident was subject to investigations by the White House and DOD. While the DOD investigation is still ongoing, he said the White House review cleared him of any wrongdoing, concluding that “the use of Signal was not only authorized, it’s still authorized and highly recommended.”

Signal is considered the gold standard for end-to-end encrypted communication apps, and cybersecurity experts broadly endorse its use for a range of parties and scenarios. But the highest levels of the U.S. government and military are exceptionally valuable targets that are routinely targeted by the most advanced hacking groups and foreign intelligence services around the globe. Further, additional reporting identified that Waltz was relying on an insecure third-party clone of Signal called TeleMessage.

The DOD has multiple classified systems and Sensitive Compartmented Information Facilities (SCIFs) that are designed to secure classified or sensitive military discussions.

Coons retorted that he was “hoping to hear from you that you had some sense of regret over sharing what was very sensitive, timely information about a military strike on a commercially available app,” arguing that there have been “no consequences” for the incident.

In response to questions submitted to the White House about the investigation into Waltz and current policy on the use of Signal, spokesperson Anna Kelly responded:
“As we have said many times, Signal is an approved app for government use and is loaded on government phones. Mike Waltz will make an outstanding US Ambassador to the United Nations.”

Sen. Tim Kaine, D-Va., questioned how Waltz could claim no classified information was shared when there are separate ongoing investigations by DOD and Air Force into Secretary of Defense Pete Hegseth for his role in the chat.

“They certainly haven’t reached any conclusion that classified information wasn’t shared,” Kaine said. “Am I wrong about that?”

Waltz said he couldn’t comment on ongoing investigations but echoed previous congressional testimony from Hegseth that no names, targets, locations, units, routes, sources or methods were shared in the chats.

The post Waltz brushes off SignalGate questions, points finger at CISA  appeared first on CyberScoop.
