European justice and home affairs ministers are putting their heads together to try to decide on a collective response to Internet companies’ use of strong encryption.
And, ultimately, whether to push for legislation requiring backdoors in end-to-end encryption to afford the region’s law enforcement agencies access to user data on-demand.
Last summer home affairs ministers from France and Germany called for a law to enable courts to demand Internet companies decrypt data on request.
Their call was repeated earlier this week by UK Home Secretary, Amber Rudd, who said intelligence services must be able to access readable data from apps such as end-to-end encrypted WhatsApp, asserting: “There should be no place for terrorists to hide.”
As is typically the case when politicians denounce technology companies’ use of encryption, Rudd was speaking in the wake of a terror attack. France and Germany have also suffered a series of terror attacks in recent years, upping the ante for ministers to be seen to be taking action to defuse more terrorist plots.
Encryption technology has been the scapegoat of choice for Western politicians responding to terrorist attacks for multiple years now, despite governments also operating vast, dragnet digital surveillance programs. And having access to ever more traceries of metadata to link possible suspects to potential plots. (Arguably it’s the volume of data that security agencies are now systematically collecting that’s causing them problems in prioritizing which suspects to watch closely — hence calls by Rudd et al for access to content too.)
Yesterday EU Justice Commissioner Vera Jourova also touched on the topic of encrypted apps, speaking during a press conference held following a meeting of the Justice and Home Affairs Council in Brussels. A Euractiv report of her comments suggests the EC has already made up its mind to put forward measures this summer — aimed at forcing what she described as a “swift, reliable response” from encrypted apps when asked to hand over decrypted data.
Jourova also reportedly said she’s holding “very intensive” talks with big Internet companies about giving police access to encrypted data.
However a Commission spokeswoman told TechCrunch that no decisions have been made about how to approach encryption at this stage, adding that discussions are not yet “very advanced”.
On encryption the discussions are still ongoing. And for now there’s no legislative plan.
“On encryption the discussions are still ongoing,” the spokeswoman told us. “And for now there’s no legislative plan.”
She could not confirm whether WhatsApp is one of the companies Jourova is holding talks with.
The Facebook-owned messaging giant has had its service blocked by courts in Brazil on several occasions, after the company was penalized for not providing decrypted chat logs pertaining to criminal investigations (the company has maintained it cannot provide the data to police as it does not have access to the data). Whether similar legal actions might be brought against it and other encrypted apps in Europe in future remains to be seen.
We’ve reached out to WhatsApp for comment on the EC discussions and will update this story with any response.
The Commission spokeswoman said a separate issue under discussion by the Council — so-called e-evidence; aka the process for prosecutors to request digital evidence across legal jurisdictions (such as a prosecutor in an EU country seeking to obtain data held on a server in California, for example) — is at a more advanced stage, and confirmed there will be legislative options and other measures proposed on that this June.
But the question of whether EU lawmakers intend to push to require Internet companies such as WhatsApp to effectively backdoor their end-to-end encryption remains an open-ended one.
Asked for more details of the ongoing talks between EU ministers on encryption, the spokeswoman confirmed there is agreement between them that the technology presents a challenge for law enforcement — though, again, she stressed there is no clarity on what measures they might push for in future.
“Yesterday all the ministers agreed that this is an issue and that criminal justice in cyberspace is being challenged by this, but for now no one really came up with any concrete solution,” she said. “There’s a working group that’s organized by the Commission, bringing experts from all over Europe and from different [sectors], technology but also justice, to discuss it together.
“We’re gathering evidence and information on this, and this will be discussed again in June.”
The spokeswoman also noted there are further complications for having an EU-wide response on this issue, given Member States set their own laws where national security issues are concerned.
Indeed, the UK has already legislated to be able to demand decryption on request and block use of e2e encryption in the Investigatory Powers Act, which passed into UK law last year — although some elements of the legislation have yet to be implemented, owing to a separate EU legal ruling regarding “generate and indiscriminate” data retention, which the law appears to breach.
“Everyone agrees that if there is a crime, if the data is encrypted, it has to be handed in to the authorities in a readable way. But the issue is very, very complex in the sense that matters of national security are also Member State competence so there’s no competence at the EU level. So that’s also a point that’s complicating the discussions here,” the spokeswoman told us.
“Also we have to find the right balance,” she added. “For which reasons would you access this data? And so there is still a lot of open questions. If someone wants to access it for bad reasons… how do you put safeguards for that? So it’s really all those open questions are out there.”
The EU’s anti-terrorism coordinator, Gilles de Kerchove, previously discussed this notion of balance, telling Euractiv: “We need a very strong internet — we don’t want to create vulnerabilities”, but also emphasizing that security services, police, and law enforcement agencies must be able to “get access to the content, which is important for security reasons”.
“The question is, can you open a backdoor for Europol only, or would that at the same time create a vulnerability and open a backdoor for the Russian mafia or third party state spies? This is part of the discussion but we are not there yet. There is internal work — it’s a tricky issue,” de Kerchove added.
Elsewhere, the Commissions’ technology policy chief recently tweeted a confirmation he’s still against the idea of mandating backdoors and weakening encryption — although in his earlier comments, from November he also conceded the issue is not so black and white where the interests of law enforcement are concerned.
The EC spokeswoman confirmed to us today that there is no timeframe at this point for when the Justice & Home Affairs working group will have reached a decision on how to proceed.
Which means this is an opportune moment for the technology and security industry to get in touch with EU politicians to reiterate the point that weakening security for all Internet users is not a sensible nor proportionate response to national security concerns.
The region has also recently legislated to beef up local data protection laws. So any push to perforate commercial security systems and put millions of app users’ data at risk of hacking would be a hugely contrarian move vs the incoming General Data Protection Regulation which will hike potential fines for data breaches to up to 4 per cent of a company’s global turnover.
Featured Image: Bryce Durbin/TechCrunch