Last week, the Belgian government launched a proposal that would ban Signal. What's going on?

This is a translation of an article in Dutch. It describes recent developments in Belgium from a Dutch perspective, but the essence is equally applicable to any other Member State of the European Union.

Just over seven years ago, a Dutch court threw out the Dutch Telecommunications Data Retention Act. Under that law, telecommunication providers were obliged to retain metadata about our communications for up to two years. This did not concern the content of a message or conversation, but information about who has contact with whom. And when. And the location of the participants. It was almost inevitable that the court would invalidate this law: European judges previously declared the European Data Retention Directive invalid, and the Dutch law was its national implementation.

Everything and everyone in the crosshairs

The European law was declared invalid because the law obligated providers to keep data about everyone in Europe, even if there was no concrete suspicion of a crime. The court found that far too sweeping, and in violation of the European Charter of Human Rights. Moreover, the necessity of this far-reaching measure had not even been demonstrated. Since that famous ruling of the European Court, Member States have been working behind the scenes to devise alternatives. How can you (let someone else) retain "targeted" data, yet still collect as much data about people as possible?

Our southern neighbours did not sit on their hands either. Last week the Belgian government released a proposal for new legislationThis proposal is over 800 pages long, partly because it is bilingual . With this proposal the government attempts to reintroduce long-term retention of metadata. To ensure that no one can claim this constitutes blanket data retention, this proposal only calls for retention of data in "specific" situations. Well, specific… Retention might be demanded if there is a serious threat to national security. A terrorist attack just across the border, for example, where the suspects are on the loose. That situation would allow everyone's data to be stored. Or retention on the basis of a geographic location in the case of a more specific threat. For example, intelligence is picked up about a potential terrorist attack in a large city. That might trigger the retention of the data of everyone in the city and for miles around. With such broad definitions and an ongoing threat of terrorist attacks, it is likely that large parts of the Belgian population would fall within the scope of such an obligation.

Obligation to register

The new Belgian proposal goes beyond the previous data retention obligation. Under the "old" legislation, a provider was only obliged to retain data they collected anyway. Data that the provider did not have could not be retained. You can’t keep what you don’t have. If, to handle a telephone conversation between two people, records were kept of who was calling whom, then that data had to be saved. But if an email provider didn't log who sent whom an email and when, and therefore there was nothing to keep, that was the end of story. The new Belgian proposal, however, doesn't leave it at that. The new proposed legislation forces providers to record that data on behalf of the government, even if the provider doesn’t see a need for it itself. The proposal therefore is not only an obligation to retain data, but also to record it.

Ban on Signal

The consequences are potentially far-reaching. It means that chat services such as Signal will become illegalBelgium's most prominent cryptographer has flagged this issue as well (behind a paywall, and in Dutch only). The developers of Signal pride themselves on the fact that they really only store the data they genuinely need, and no more than that. They do so, because you can't leak what you don't have. Signal only knows when an account was created, and when a user last connected to the network. It does not keep track of who sends a message to whom and when. But the Belgians now want to force Signal not only to keep track of that, but also to store that information for a very long time. And since that is exactly what Signal does not want to do, it means Signal is doomed.

The fact that Signal does not want to store more data than strictly necessary for the provision of its service, is what makes Signal so great. We don't have to trust Signal to withstand massive pressure from government officials. Because Signal can't be forced to give up data they do not have. We also don't have to worry that Signal will suddenly start to monetize data about our behavior, like Facebook (or Meta) does with WhatsApp. And you don't have to protect data that you do not have against attacks from bad actors. These are all reasons why people, including journalists and politicians, rely on Signal. The Belgian government is now threatening to annihilate this safety.

Harbinger of times to come

Now, you may think: that is Belgium and I have no Belgian friends. But that is, of course, a bit shortsighted. You can assume that if Belgium passes such legislation, other Member States will follow suit. Ever since the European court overturned the old data retention obligation, European governments have been debating how to introduce a new one. Their aim is an obligation under which as much data as possible is collected, without the court being able to nullify it. What is currently happening in Belgium is a precursor to European-wide policy. Sooner or later, every European Member State will want something like this, including the Netherlands.

We remain in touch with our Belgian colleagues and we will contribute however we can to help stop this disastrous proposal. Because proposals like this put everyone's secure communication at risk.

This article was translated by Celeste Vervoort.