A draft resolution from the European Union Council calls for tech firms, academics and legislators to develop new mechanisms to permit law enforcement and terrorism investigations to breach functionally unbreakable encryption.
“The European Union needs to ensure the ability of competent authorities in the area of security and criminal justice, e.g. law enforcement and judicial authorities, to exercise their lawful powers, both online and offline,” reads the resolution, first publicized by the Austrian radio station FM4.
After the Austrian story came out, the resolution took on a life of its own on Twitter, with speculation the resolution would be binding or that legislation was imminent. Neither are true. But it’s another signal that encryption isn’t settled policy in even the privacy-protective EU.
EU Council resolutions are non-binding, but can often set the tone for legislation. In the European system, laws originate in a different body, the European Commission. And, as the resolution is more a call for more study than a request for new, specific rules, it’s not as much of a tone-setting issue.
Confounding the matter further was the timing of the draft resolution, coming soon after the Vienna terrorist attacks, which lead some online voices to assume this was a full steam ahead issue.
“I don’t see a clear vision for legislation in the draft,” said Triin Siil, general council for secure data transfer company Cybernetica, the firm that created, among other products, Estonia’s eVoting system.
The draft calls for a balance between “security through encryption” and “security despite encryption,” an artful reminder that the security encryption provided everyone also protects criminals. But it’s a more specific balance EU governance need to worry about.
“Regulating encryption has been discussed before, but it has never happened because the EU has an overarching right to privacy among European citizens, said Sarah Pearce, partner in the Privacy and Cyber Security Practice of Paul Hastings and head of the firm’s European team from the London and Paris offices. “But even GDPR has exceptions in certain situations.”
A near uniformity of security experts and cryptographers have opposed global governments trying to enforce extraordinary access to encrypted data for decades for the same set of reasons: A backdoor built for law enforcement dramatically weakens security; terrorist groups can make their own encryption apps (Al Qaeda had one as far back as the mid-2000s); there’s a chance for over-reach; there are typically other ways to access the same information (such as malware on user devices); and users enjoy the guarantee of privacy.
This isn’t the first effort in the EU or its member nations individually to create some kind of bypass so that law enforcement or national security investigators can access encrypted data with a warrant. A document leaked to Politico in early October showed recommendations from an EU convened meeting of technologists on how to monitor chat applications for child exploitative material. Ideas ranged from avoiding E2E encryption entirely to sending hashes of attached images and documents to a centralized database for screening.
“Client-side scanning has a few issues. While any sort of moderation of content can be automated, automated scanning of hashes can only take you so far. There will always need to be humans with access for oversight,” said Mallory Knodel, chief technology officer for the Center for Democracy & Technology, which opposes encryption backdoors.
Regulating encrypted chat becomes a chief information security officer issue, said Knodel, when it potentially interferes with communications between clients and vendors, patients and doctors, or other situations where an organization needs to provide privacy to an outside party. It also puts companies designing products at a competitive disadvantage: given the choice, consumers in a global economy will often pick the product not designed for eavesdropping.
If the resolution will eventually grows into EU rule, it probably will not be the mad dash some people fear.
“The EU is not an agile player and is not meant to be one,” said Liisa Paast, who held multiple top cybersecurity posts for the government of Estonia, but now heads cybersecurity business development for Cybernetica.
Still, efforts by lawmakers to legislate a secure method for extraordinary access to encrypted data is a concern, she added.
“It’s a mistake to think you can break encryption without breaking encryption,” she said. “Once it’s broken it’s broken.”