The European Commission plans to unveil “three or four” approaches give law enforcement access to encrypted messaging application data in June. Those options will range from voluntary cooperation to enacting laws to require messaging providers to open encryption backdoors to law enforcement authorities.
EU Justice Commissioner for Human Rights Věra Jourová said that while there currently are various mechanisms available for gaining access to data for law enforcement purposes, none of them provide the “necessary legal certainty” of access to encrypted communications — which is why, in June, she will offer options that will “introduce clear, simple rules into the European legislation which will enable the law enforcement authorities ask for the evidence from clouds and from cyberspace… and to do this with swift, reliable response.”
Jourová made the comments while addressing the 3528th meeting of the Justice and Home Affairs Council configuration of the Council of the EU.
“Don’t ask me about those concrete solutions, because I can only tell you there will be three or four options which will be combining non-legislative and probable legislative proposal,” Jourová said, and added the non-legislative options are necessary to produce provisional measures for a “quick solution, because you know that with legislation we have to wait years before this is in force.”
“We should come [up] with some rules which will oblige the IT providers to do what they have to do according to the legislation. Because at this moment, the prosecutors and the judges, also the police, the law enforcement authorities, are dependent on whether the IT providers will voluntarily provide the access and the evidence. And this is not the way we can facilitate and ensure security of Europeans, being dependent on some voluntary action,” Jourova added.
The possibility of government-mandated encryption backdoors in the EU comes at an odd time: government officials in France and Germany in August 2016 called on the European Commission to consider legislating government access to encrypted data, while FBI Director James Comey has called on the tech industry to find ways to maintain data privacy for law-abiding citizens but making plaintext available when asked to do so by law enforcement authorities. And UK home secretary Amber Rudd, who had been arguing for government access to encrypted data in the wake of the March 22 Westminster terror attack, has apparently backed down from those demands.
Adding another complication is the EU’s strict new General Data Privacy Regulation, which protects the personal information of EU residents, is set to begin enforcement in a little more than a year.
Experts were dubious that the EU would — or even could — legislate encryption backdoors; Jourová noted that the path to legislation could take years.
John Spencer, chief product officer at Veridium, told SearchSecurity the EU was not likely to enact any laws requiring encryption backdoors.
“Whilst the European Commission may demand ‘backdoor,’ I think in reality they will aim high but fully expect that backdoor access is unlikely to become law,” Spencer said. “This is a complex legal issue where arguments will come in from many sides. I expect the European Court of Human Rights will have huge input into this issue and historically, they have been successful in protecting individuals’ privacy. They are heavyweights in the legal system and overcoming their objections on this subject will be a long, drawn on process all in itself.”
As for what kind of law the EU could enact, Spencer said: “This really depends on what the ask is. I find it hugely unlikely the EU could force ‘backdoor’ access to encrypted systems. That effectively makes their offering insecure and … the EHCR will fight long and hard on this issue. A lesser law offering ‘metadata’ to law enforcement agencies is a much more likely scenario.”
“It’s an unrealistic undertaking,” said Paul Hennin, senior director EMEA marketing, channels and alliances at Netskope, of potential encryption backdoor legislation in the EU. “Whether the EU decides to push for encryption backdoor legislation almost isn’t the issue; it’s not realistic to expect a weaker and less secure version of an application like WhatsApp for certain countries only. The idea is reactionary and has serious privacy implications, which is not something people actually want.”
“I think it’s unlikely that the Commission would go as far as an explicit backdoor to encryption legislation,” Richard Anstey, CTO, enterprise, at Synchronoss, said. “Apart from the enormous difficulties in policing such a policy, the optics of implementing draconian EU spying powers would not play well in the current political environment.”
“Encryption is fundamentally just an algorithm. The knowledge of these strong encryption algorithms is in the public domain — it may be possible to introduce legislation but in practice, banning the use of a known algorithm is impossible. It is relatively trivial for a technically capable individual anywhere on the planet to create software that implements an encryption algorithm with no backdoor. This software can cross geographical and legislative boundaries with ease.”