EU resolution could target end-to-end encryption

End-to-end encryption (E2EE) prevents any party other than the sender and recipient from reading messages; even Facebook cannot read messages exchanged via WhatsApp as only the end users have the key to decrypt them.

Platforms offering E2EE have been put under pressure by world leaders – including the leaders of the 'Five Eyes' security alliance – to implement 'backdoors' to allow security services and law enforcement access to communications.

The draft resolution does not amount to a full-fledged assault on E2EE, but could set in course a chipping away of privacy protections. The resolution states that E2EE presents an obstacle to authorities working to prevent serious crime.

“Law enforcement is increasingly dependent on access to electronic evidence to effectively fight terrorism, organised crime, child sexual abuse (particularly its online aspects), as well as a variety of cyber-enabled crimes,” the draft states. “For competent authorities, access to electronic evidence is not only essential to conduct successful investigations and therefore bring criminals to justice, but also to protect victims and help ensure security.”

The resolution acknowledged the importance of protecting privacy and secure communications, stating: “The [EU] continues to support strong encryption. Encryption is an anchor of confidence in digitisation and in protection of fundamental rights and should be promoted and developed”.

However, it also said that – in moving forward – there must be discussion about how to strike the right balance between protecting privacy and ensuring that security services can fight organised crime and terrorism effectively. Although no potential technical solutions are specified in the document, this may involve permitting backdoor access in limited circumstances, such as in cases of suspected conspiracy to commit terrorist acts.

According to Austrian broadcaster ORF, which acquired the leaked document, there are similarities between the resolution and the most recent statement from the Five Eyes demanding weakening of E2EE; for instance, in emphasising the importance of allowing law enforcement access to communications in a readable format. So far, companies such as Facebook have strongly resisted political pressure to compromise user security.

The draft resolution will be presented later this month to a European Council decision-making body to approve. If approved, this represents an expression of political interest in potentially compromising E2EE although, it will be left to the European Commission to draft any legislation based on the resolution.

Cyber-security experts and privacy campaigners have consistently argued that platforms cannot build backdoors only for select authorities while maintaining robust E2EE, as these purpose-built vulnerabilities could be exploited by any bad actors with sufficient technical capacity.

Speaking to Euractiv Germany, data protection activist Thomas Lohninger commented: “It is not possible to out-lever encryption only for bad intentions. This is not a legal problem, but a technological reality.”