A leaked draft memo written by the Council of the European Union has sparked speculation that the European Union is considering a ban on end-to-end encryption.
End-to-end encryption is a system that prevents messages from being intercepted or read by anyone else between leaving one device and being received by another. Although this ensures that apps such as WhatsApp and Signal are secure, views differ on whether law enforcement should have a way of accessing encrypted messages in the event of a criminal investigation.
In the draft resolution, leaked to Austrian TV network ORF, the Council of the European Union says it fully supports “the development, implementation and use of strong encryption”. However, it goes on to say that encryption can make it challenging or practically impossible to access electronic evidence, which can aid law enforcement in criminal investigations, stopping terrorism and protecting victims.
The document states: “Protecting the privacy and security of communications through encryption and at the same time upholding the possibility for competent authorities in the area of security and criminal justice to lawfully access relevant data for legitimate, clearly defined purposes in fighting serious and/or organised crimes and terrorism, including in the digital world, are extremely important.”
Although the document does not lay out specific plans for this area, it has led some to ask whether the EU intends to expand “targeted lawful access” to encrypted messages to aid law enforcement in accessing electronic evidence.
EU draft on end-to-end encryption does not propose outright ban
It is important to highlight that the document is not proposing an outright ban on end-to-end encryption, nor does it specifically mention backdoors, instead calling for “a better balance” between upholding end-to-end encryption and allowing “competent authorities” to “access data in a lawful and targeted manner”.
It highlights the “clear need to review the effects arising from different regulatory frameworks in order to develop further a consistent regulatory framework across the EU that would allow competent authorities to carry out their operational tasks effectively”. At the same time it emphasises that “potential technical solutions will have to enable authorities to use their investigative powers which are subject to proportionality, necessity and judicial oversight under their domestic legislation, while upholding fundamental rights and preserving the advantages of encryption”.
It is worth pointing out that the Council of the European Union does not propose EU law. It instead negotiates and adopts EU laws based on proposals put forward by the European Commission.
Despite this making it less likely that an EU end-to-end encryption ban will come to fruition, privacy advocates have expressed concern that the EU is exploring the creation of backdoors, a means for encrypted messages to be intercepted.
They point out that any kind of access contradicts the idea of end-to-end encryption and could create security vulnerabilities.
Matthew Hodgson, CEO of Element, a messaging app that supports end-to-end encryption, said:
“Backdoors necessarily introduce a fatal weak point into encryption for everyone, which then becomes the ultimate high-value target for attackers. Anyone who can determine the secret needed to break the encryption will gain full access, and you can be absolutely sure the backdoor key will leak – whether that’s via intrusion, social engineering, brute-force attacks, or accident.
“And even if you unilaterally trust your current government to be responsible with the keys to the backdoor, is it wise to unilaterally trust their successors? Computer security is only ever a matter of degree, and the only safe way to keep a secret like this safe is for it not to exist in the first place.”
In June, US senators introduced the Lawful Access to Encrypted Data Act, a bill that, if passed, would require companies to grant law enforcement access to encrypted data, and in March senators also introduced the EARN-IT Act.
The Five Eyes, an intelligence alliance comprising Australia, Canada, New Zealand, the UK and the US, also recently called for tech companies to introduce “backdoors” into encrypted messaging apps for law enforcement, claiming that they “pose significant challenges to public safety.”
It is not yet clear whether the EU will take a similar stance on allowing law enforcement access to encrypted messages in investigations, but it is clear that such a move would face backlash from the security community.
“Governments have always had an odd relationship with encryption”
Jake Moore, Cybersecurity Specialist at ESET, said:
“Governments have always had an odd relationship with encryption at the expense of their own reputation. We have heard of politicians wanting to create backdoors in encryption and now we hear hints that they are trying to ban it altogether, which would be ludicrous.
“All of this shows that the government either does not fully understand the concept of security and privacy or that they are holding their hands up simply stating that they are at a dead end when it comes to investigating crime. The old-fashioned police tactics cannot decrypt encrypted messages very easily, putting many cases on hold, and no doubt law enforcement is worrying about WhatsApp introducing new disappearing messages also. However, putting the internet in jeopardy by demanding the relaxation of encryption is not the answer.
“Furthermore, if these rules were ever actually pushed out, the normal user would just move to other messaging platforms which may even be more privacy-focused and deeper underground.”