The European Union (EU) is inching closer to formally ending the use of end-to-end encryption by web platforms such as Signal and WhatsApp, following a spate of Islamist terror attacks in Austria and France.
In a draft resolution document leaked to Austrian TV network ORF, which can be read in full here, the EU said it recognised the value of encryption as a “necessary means of protecting fundamental rights”, but at the same time “competent authorities in the area of security and criminal justice” needed to be able to exercise their lawful powers in the course of their work.
Previous European Council conclusions delivered at the beginning of October declared that the bloc planned to “leverage its tools and regulatory powers to help shape global rules and standards”, and that funds from its Recovery and Resilience Facility are to be used to enhance the EU’s ability to protect against cyber threats, to provide for a secure comms environment – possibly through quantum encryption – and, crucially, “to ensure access to data for judicial and law enforcement processes”.
The document states: “Law enforcement is increasingly dependent on access to electronic evidence to effectively fight terrorism, organised crime, child sexual abuse (particularly its online aspects), as well as a variety of cyber-enabled crimes. For competent authorities, access to electronic evidence is not only essential to conduct successful investigations and thereby bring criminals to justice, but also to protect victims and help ensure security.
“The principle of security through encryption and security despite encryption must be upheld in its entirety. The European Union continues to support strong encryption. Encryption is an anchor of confidence in digitisation and in protection of fundamental rights and should be promoted and developed.
“Protecting the privacy and security of communications through encryption and at the same time upholding the possibility for competent authorities in the area of security and criminal justice to lawfully access relevant data for legitimate, clearly defined purposes in fighting serious and/or organised crimes and terrorism, including in the digital world, are extremely important. Any actions taken have to balance these interests carefully.”
ORF’s reporting noted the similarity in some of the document’s wording to the October 2020 statement from the Anglophone Five Eyes surveillance alliance, notably around enabling law enforcement access to content in a readable and usable format where authorisation is lawfully issued.
Subject to the receipt of further comments and wording suggestions by midday on Thursday 12 November, the revised text of the resolution is set to be presented to the Council Working Group on Cooperation in the National Security Sector on 19 November and then to the Council of Permanent Representatives of the EU Member States.
ProPrivacy’s Ray Walsh described the move as a massive threat to data privacy and a disappointing change given that the EU has previously been, by and large, in favour of privacy for European citizens.
“Providing backdoors into people’s messages creates ongoing access for government agencies to everyone’s private messages, without reducing the ability for criminals to send encrypted messages via other covert means on the dark web,” said Walsh.
“Removing strong encryption from consumer-facing platforms is detrimental to large numbers of people, including journalists, human rights activists, and even the politicians themselves who are rushing through this legislation.”
Competent cyber security authorities now largely agree that the contention that strong encryption technology can co-exist with purposely built backdoors runs completely contrary to the principles of cryptography – secure encryption means that only those who control data can access it, and attempting to change this introduces cyber security vulnerabilities.
“Robust encryption relies on the secure transmission of data between two parties using keys that are only known to them,” said Walsh. “Removing strong end-to-end encryption creates vulnerabilities that can be exploited not just by EU government agencies, but also by anybody – including hackers, cyber criminals and state-sanctioned operatives from foreign governments – with the technical ability to discover that purposefully created backdoor.”