End-to-end encryption and ‘backdoors’ ban demanded as mandatory by EU committee
Image credit: Dreamstime
Security services in European Union member states would be prohibited from cracking into messages sent by people on terrorism watchlists if proposed new privacy legislation becomes law.
End-to-end encryption would become mandatory for all forms of electronic communication under a proposed amendment to Article 7 of the Charter of Fundamental Rights tabled by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs.
The committee wants to ensure all “current and future” forms of communication – including phone calls, WhatsApp messages, Skype calls and messages via Facebook and Twitter - are shielded from prying eyes.
Private manufacturers would not be allowed to provide workarounds to aid police because of concerns this would undermine people’s fundamental human rights.
The content of communications may reveal “highly sensitive” information ranging from “personal experiences and emotions” to “medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment”, according to the committee.
Metadata may allow “precise conclusions” to be drawn about people’s “habits and activities” as well as their “interests” and “tastes”, its draft report declared.
This uncompromising focus on privacy would be likely to clash with emergency powers which French President Emmanuel Macron would like to see introduced to combat the terror threat facing his country.
Macron has said internet firms should be forced to introduce measures – often known as ‘backdoors’ - allowing the authorities to decode encrypted messages where there was deemed to be a threat to life.
Macron held talks on security last week with British Prime Minister Theresa May, who has herself appeared to suggest similar measures are now necessary in the UK.
Telegram, a cloud-based encrypted messaging service founded by a Russian entrepreneur and based in Berlin, has reportedly been used often by jihadi terror cells planning attacks in London and Paris.
Germany, where the public has historically been hostile to surveillance because of its associations with the Stasi, is yet another EU country that is seen as becoming increasingly belligerent in its attitude towards encryption – meaning the committee’s proposals are unlikely to be approved when they go before the European Council in the coming months.
Some tech industry insiders and civil liberties campaigners, as well as figures from the libertarian right, have warned vulnerabilities introduced to aid the police and spy agencies could equally be leveraged by criminals or hostile states to snoop on EU citizens.
Even if governments succeeded in weakening the power of encryption on some platforms, users wishing to keep their exchanges secret might just switch to using alternatives abroad.
Old fashioned intelligence-gathering techniques such as infiltrating terror cells using human operatives - or accessing and reading messages before they were encrypted - would be obvious ways for spies to get around any new barriers introduced by the EU.
The strength of encryption currently varies widely depending on the software used, meaning it is often potentially possible for codes to be cracked by anyone with sufficient computing power.
Richard Moulds, general manager at Whitewood, a company that uses quantum mechanics to generate random numbers for both private and public sector organisations, said: “People tend to think encryption is either ‘on’ or ‘off’ - either my data is encrypted or it’s not encrypted. It’s sort of presumed that encryption is binary, but it’s not that simple. There’s a difference between good and bad encryption. There’s a difference between weak and strong encryption. A big part of that comes down to how un-guessable the keys are. Software in and of its own isn’t very good at generating random numbers because there isn’t anything very random in it.”
Under new EU data protection regulations set to come into force in May 2018, organisations are already being incentivised to encrypt all personal data.
“All IT security depends on cryptography,” Moulds told E&T. “Encryption is a mandated data protection mechanism and people are trying to move away from passwords to digital credentials and things called digital certificates.
“The European data protection directive says you’ve got to encrypt personal data. Better still, if you suffer a data breach and you can show that the data was encrypted, you don’t have to tell anybody about it. Encryption basically gives organisations a get out of jail card.”
Professor Giovanni Vigna, who researches cybersecurity, said: “The standard algorithm you use for encryption is pretty secure. The problems usually are born when people say, 'OK, I’m going to roll out my own encryption', because getting encryption right in terms of the algorithm is extremely hard.”
UK-based human rights organisation Privacy International recently wrote to the Austrian government to complain about proposed moves to legalise “Bundestrojaner” spyware.
Their letter stated: “Encryption is an enabler of privacy and freedom of expression, and in turn, keeps individuals safe, by securing their data. Encryption protects individuals most vulnerable from reprisal – from the state, their fellow countrymen or other would-be oppressors – such as journalists, researches, lawyers and civil society... The digital economy would be impossible without the use of encryption as it ensures that online transactions remain secure and personal data is not captured and exploited.”