Leaked documents have sparked questions over whether the EU may be moving towards a ban on end-to-end encryption. But is that what is actually happening?
While end-to-end encryption has been seen as a positive step towards better privacy and security for users, the EU has been growing concerned about how this type of encryption can be regulated.
Now, a leaked memo from the Council of the European Union has reignited concerns from privacy activists that the EU may move towards banning end-to-end encryption or introducing a backdoor.
The memo in question is a draft council resolution that discusses the challenges end-to-end encryption can pose to public authorities when it comes to lawfully accessing communications for security purposes.
However, the memo acknowledges the importance of encryption and seeks “a better balance” between protecting the privacy and security of communications while also upholding the possibility for authorities to access relevant data for legitimate purposes.
Crucially, the memo does not propose banning or prohibiting end-to-end encryption, nor does it mention introducing a backdoor.
“The European Union fully supports the development, implementation and use of strong encryption. Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society,” the memo reads.
“At the same time, the European Union needs to ensure the ability of competent authorities in the area of security and criminal justice, eg law enforcement and judicial authorities, to exercise their lawful powers, both online and offline.”
Calls for ‘lawful access’
While the leaked memo from the Council of the European Union is new, the discussion around ‘lawful access’ to end-to-end encrypted services has been a contentious topic both in and outside of Europe in recent months.
Last month, Five Eyes – the intelligence sharing group comprising the US, UK, Canada, Australia and New Zealand – called for the introduction of a backdoor to end-to-end encrypted services.
The group was joined by government representatives from India and Japan to say that end-to-end encryption poses “significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children”.
In June 2020, US senators introduced the Lawful Access to Encrypted Data Act which, if passed, would require technology companies to assist law enforcement with search warrants that seek encrypted data.
However, privacy advocates and tech firms have long been fighting against such moves, including so-called backdoors, as they believe these would raise significant privacy and security concerns for users.
Does this memo pose a threat to end-to-end encryption?
Commenting on the draft council resolution from the Council of the European Union, German digital rights activist and member of the European Parliament, Patrick Breyer, said there is “simply no partial backdoor” when it comes to end-to-end encryption.
“Anyone who sacrifices secure encryption in order to allow for eavesdropping will destroy the protection of private secrets, business secrets and state secrets, and open the door to mass-spying by foreign secret services and hacker attacks,” he said. “The security of all our communications must have priority.”
While the draft resolution doesn’t mention a backdoor, it does state there is a need to review the effects arising from different regulatory frameworks and develop a consistent regulatory framework that would allow competent authorities to carry out their duties effectively.
“Competent authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity,” it says. “Technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality.”
However, speaking to TechCrunch, independent cybersecurity researcher Dr Lukasz Olejnik expressed concerns: “Undermining encryption is a tricky territory because modern technology goes in a direction of more security, not less. In modern security ecosystems it would be hard to imagine a lawful intercept functionality known from the telecommunication infrastructure.”
The memo states that “the presidency intends to present this revised text for endorsement” on 19 November 2020, so the discussion around what better balance can be achieved will continue.
Meanwhile, MIT Technology Review yesterday (9 November) reported a separate, privacy-friendly move by the European Union, with the adoption of stricter rules on the sale and export of surveillance technologies such as facial recognition and spyware.
The regulation requires companies to obtain a government licence to sell technology with military applications and requires governments to publicly share details of the licences they grant.