The European Commission (EC) announced this week a package of counter-terrorism measures as part of its European Agenda on Security initiative. These include, among other things, “measures to support law enforcement and judicial authorities when they encounter the use of encryption in criminal investigations”.
It is heartening that the EC restates its recognition of encryption as a crucial element in ensuring both cybersecurity and the right level of security for processing personal data. We welcome the explicit realisation that backdoors, or any form of weakening online security, would have disastrous consequences for online communications and commerce. These are points we and others have stressed repeatedly during the ongoing debates on encryption since the mid-1990s. Mandated backdoors and other forms of “exceptional access” to communications expose citizens and businesses to the serious risk of hacking and interference with sensitive business and personal data. We recognise that law enforcement agencies encounter situations where they are unable to access data that would be useful in criminal investigations, but attempting to decrypt such data is only one of several alternatives open to law enforcement professionals. Of course, this information was previously not available, and the increasing digitization and networking of everyday life through technology has created a “golden age” of surveillance for government entities. That is, the volumes and types of data generated in the digital environment open up far more sources of information to access by law enforcement agencies.
CDT has been engaged throughout the stakeholder discussions led by the EC’s Directorate-General for Migration and Home Affairs (DG HOME) leading up to the package. We briefed officials and provided technical and legal expertise, both bilaterally and during the roundtables with industry and civil society organisations.
We commend the EC for its rational and deliberative approach in these discussions. It contrasts with some poorly thought through statements by various Member State leaders. Most notably, this spring, the UK Government called for what seemed to amount to a ban on end-to-end encryption. In a joint letter to the EC, the French and German governments asked for EU legislation by October 2017 to impose ‘new obligations on communications providers’, but did not specify what those obligations would be. The EC has, to its credit, declined to deliver on these requests, but nothing in the EC’s conclusions restrains Member States from taking drastic and counter-productive initiatives in this vein. Arguably, competencies are split between Member States and the EU in this field, but the EC could have used this occasion to caution against such moves, along the lines of previous statements issued by the European Police Office (EUROPOL) and the European Network and Information Security Agency (ENISA).
The EC proposes a set of practical measures to deal with encryption in the context of criminal investigations: (1) supporting Europol to further develop its decryption capability, (2) establishing a network of expertise at the national level, (3) creating a toolbox of alternative investigative techniques for Member States, (4) increasing collaboration with service providers and other industry partners in providing technical assistance in accessing data, (5) training programmes for law enforcement and judicial authorities and (6) assessing continually the technical and legal aspects of the role of encryption in criminal investigations. The EC stresses that the abovementioned precludes any measure that could “weaken encryption or could have an impact on a larger or indiscriminate number of people”.
It is clear that a set of legal and policy issues on “government hacking” remain open. Law enforcement agencies engage in these practices, using their respective “toolboxes”, and under different legal frameworks. (Some Member States have laws in place, some do not). It is also clear that (public and private) pressure from law enforcement agencies and politicians on communications and technology providers for assistance with access to encrypted data will continue. Some such requests probably cross the line and “could have an impact on a larger or indiscriminate number of people”. The proposal for a “structured dialogue” with industry is in a sense a reflection of the current reality. Such a dialogue could perhaps help bring clarity and consensus on when demands made by law enforcement have broad consequences for data privacy, cybersecurity and online business and enterprise that outweigh any immediate benefits to a concrete investigation. It is essential that the dialogue reflects the public interest in a digital economy and society that is trusted by citizens and companies. The best way to ensure this is to include civil society groups and technical expert communities. We are ready to engage in this discussion going forward.