Why EU encryption policy needs technical and civil society input

by CybrGPT

In this Help Net Security interview, Bart Preneel, Full Professor at University of Leuven, unpacks the European Commission’s encryption agenda, urging a balanced, technically informed approach to lawful access that safeguards privacy, security, and fundamental rights across the EU.

Given the European Commission’s aim to enable lawful access to encrypted data, how can we reconcile this with the technical consensus that introducing such access points inherently weakens encryption?

While “lawful access to encrypted data based on a warrant” sounds very reasonable, this is a very hard problem to crack. Everyone understands how warrants have been used in the past to open physical mail sent to a person or to search specific offices or the house of a suspect. But shifting the same powers to the digital domain in a proportional way is really difficult.

First, our complete lives are now online, hence any interception yields much more data on a specific individual; second, people share much more data, hence any interception necessarily involves many citizens; third, it is much easier to expand the geographic scope – consider as an example the UK that requested access to encrypted data in the cloud from Apple users inside and outside the UK, which made the US quite upset; fourth, the cost of intercepting and analysing data has dropped substantially, which means that there is a high risk that many more warrants will be issued; and fifth, the implication is that service providers will have to respond to potentially thousands of law enforcement agencies, which brings high complexity and cost.

In addition, a more technical argument can be put forward: access to encrypted data means that an additional party (apart from sender and receiver) needs to get access to the key and/or the plaintext – this means that an additional interface needs to be created that makes the system more complex and thus more vulnerable; this interface immediately becomes a highly prized target for organized crime, intelligence services and other nation states, making everyone less secure.

The open letter to Commissioner Virkkunen emphasizes the need for expert involvement in the roadmap’s development. What are the potential consequences of excluding technical and civil society experts from this process?

The problem is that as the world becomes more digital and end-to-end encryption becomes more widespread, law enforcement can no longer use some traditional methods such as intercepting phone calls and chats. On the other hand, law enforcement has access to much more data than they ever had: there are probably as many cameras as citizens in Europe, everyone carries a mobile phone that regularly contacts a base station, service providers store metadata for years and every modern car has several mobile data interfaces and stores location data.

In addition, law enforcement now has access to powerful hacking tools from commercial companies such as zero-click malware that gives them remote full access to smartphones of suspects. But some law enforcement teams do not have the resources or budgets for modern crime fighting, and others focus on their crime solving problem without perhaps fully understanding the global security and privacy picture. In view of this it is essential that experts from civil society, industry and academia are present when a roadmap for accessing encrypted data is developed, that will indicate when law enforcement can have access and when it cannot.

Are there existing EU legal instruments that could be leveraged to safeguard against potential overreach in accessing encrypted data?

The strongest safeguards are provided by the European Convention on Human Rights and the Charter of Fundamental Rights of the EU that both protect the right to respect for private life, the home and correspondence. It is important that these high-level principles are translated to concrete technologies. In several cases the European Court of Human Rights and the European Court of Justice have defended citizens whose right to privacy was violated.

How might the EU’s approach to encryption influence global standards and practices, particularly in regions with differing views on privacy and surveillance?

The EU has been striving to be a model democratic society with strong protection for its citizens. If the EU deliberately weakens the protection offered by encryption, for example by imposing the development of disproportionate access methods to encrypted data, the very same technology will be widely deployed by other nations that have much weaker supervision regimes.

While GDPR has helped to develop global minimum standards for personal data protection, any legal initiative that undermines the protection offered by encryption will have the opposite effect. Not only will it make EU citizens and EU society less secure, but it will put at risk vulnerable populations all across the globe.

What steps should EU policymakers take to ensure that the Technology Roadmap on encryption aligns with both security needs and the protection of fundamental rights?

EU policymakers should enter a dialogue with all the stakeholders and should understand that – in spite of the claims by some law enforcement officials – there are no silver bullets. It is important that law enforcement can protect society, without enabling mass surveillance and without making the digital society and individual citizens more vulnerable to unfriendly actors. This requires a careful analysis of the complex problems and a case-by-case study of what is technically possible and what is not. It is important to not think in simplistic slogans and to fully consider the broader implications of any decision.


© 2025 cybrgpt.com – All rights reserved.