In September of this year, the Center for Democracy & Technology — along with more than 100 other organizations and encryption experts — delivered a letter to Belgian officials calling on them to drop a requirement from a draft law for tech companies to build backdoors into their encrypted services.
The Global Encryption Coalition (GEC) was founded in 2020 to combat challenges to the use of encryption. We have responded to several draft policies, existing laws and technical proposals that would build backdoors into encryption and weaken user privacy around the world. Belgium’s attempt to weaken encryption, and the GEC’s pushback, is our latest success story.
Ryan Polk, ISOC Senior Policy Advisor, says, “I am pleased to share that… [t]he Belgian Government has removed the obligation for companies to create encryption backdoors from the revised text of the Belgian Data Retention Legislation.” The open letter, drafted by fellow GEC steering committee member the Internet Society (ISOC), called on the Belgian government to drop law enforcement access requirements in the “Draft law on the collection and storage of identification, traffic and location data in the electronic communications sector and their access by the authorities.” As the letter’s announcement said, “these requirements would force operators of end-to-end encrypted systems to undermine encryption to provide access to user communications. There is no way to provide third party access to end-to-end encrypted data without undermining the security and privacy of all users.”
Discussing the reversal, the Belgian Justice Ministry admitted that, “at the moment [law enforcement access to end-to-end encrypted communications without breaking the security of all users] appears to be impossible, but technology is evolving rapidly.”
The GEC’s efforts did not simply stall a harmful piece of legislation, they were successful in fully eradicating the parts of the law that would have put a backdoor in encrypted communications. Furthermore, our letter successfully raised awareness among influential policymakers that, indeed, “lawful access” is a myth because it is impossible to implement without undermining the security of all users. Yet, as our colleagues at European Digital Rights (EDRi) pointed out, the bill imposes data retention requirements that are inconsistent with international human rights standards and that threaten the privacy of internet users. While we achieved a victory on the encryption issue in this legislation, there is still more work to do.