On encryption and counter-terrorism, EU lawmakers say they’ll work for ‘lawful’ data access

EU lawmakers have just unveiled a wide-ranging counter-terrorism agenda as they set out plans to beef up regional security.

The plan touches on some key tech topics — the most keenly watched of which is encryption.

Here, concerns have been mounting that the bloc could be moving toward legislating against end-to-end encryption — in response to pressure from some Member States over law enforcement and security services’ access to encrypted data.

At the same time, such pressure isn’t exactly new. Albeit, the rule of crypto wars history is the access issue must roll around afresh again and again. And last month a draft resolution from the Council of the European Union triggered a fresh wave of anxiety that an EU ban on e2e encryption might be in the works.

Today’s Commission agenda is unlikely to lay such fears to rest entirely.

Perhaps mostly for its tortured language — with oxymoronical talk of “‘improved access” to encrypted information in a text that’s simultaneously peppered with caveats about “respecting the right to privacy”.

Here’s how the Commission answers its own impossible question [emphasis its]:

Encryption technology is one of the main building blocks in setting up and maintaining the Digital Single Market and in safeguarding fundamental rights, privacy and data protection of citizens. However, when used for criminal purposes, it masks the identity of criminals and hides the content of their communications. Today, a substantial part of investigations against all forms of crime and terrorism involve encrypted information. The Commission will work with Member States to identify possible legal, operational, and technical solutions for lawful access and promote an approach which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime and terrorism.

Talk of EU lawmakers helping in a search for possible “technical solutions” for “lawful access” to encrypted data probably won’t reassure those worried the EU is headed on a dangerous path toward mandatory backdoors.

But it’s worth emphasizing that “lawful access” under EU law has been shown time and again to mean targeted access. (To wit: In October the CJEU made it clear that national security concerns do not exclude EU Member States from the need to comply with general legal principles — such as proportionality and respect for fundamental rights to privacy, data protection and freedom of expression.)

Simply put: There’s no such thing as a targeted backdoor.

A backdoor is naturally a bulk intervention. It’s inherently disproportionate. There’s no one-time, single-user “backdoor”*. At that point you’re basically talking about legally sanctioned hacking of a target suspect. Which is a whole other kettle of security fish.

It’s also worth noting the Commission agenda commits EU lawmakers to maintaining “the effectiveness of encryption in protecting privacy and security of communications”.

Though, again, their tortuous need to display balance over seemingly opposing objectives, by giving a simultaneous pledge of “providing an effective response to crime and terrorism”, might slightly haze the quality of the reassurance. Except of course an effective response to crime and terrorism can be achieved in myriad ways — proper resourcing and training of agents, say, better knowledge sharing across EU borders and so on — all of which have nothing at all to do with breaking encryption.

And, indeed, the Commission’s agenda offers plenty such (non-encryption breaking) ideas for beefing up the bloc’s counter-terrorism response — such as an “EU police cooperation code” to enhance cooperation between law enforcement authorities; strengthening Europol; and stepping up engagement with international organizations, to name a few.

Encryption is often a handy scapegoat for governments’ security failures. The Commission’s agenda looks alive to that risk — just without wanting to give a too-direct slap-down to any culpable Member States. Ergo “we’ll work to identify possibilities” looks like a diplomatically way of saying “we won’t achieve the impossible”.

Elsewhere on the tech front, the Commission agenda is very keen that its 2018 legislative proposal to accelerate terrorism content takedowns is swiftly taken up by the other EU institutions so it can start being applied to platforms.

The proposal has attracted some controversy and concern — such as over its impact on smaller websites, and how terrorism content will be defined.

“To counter the spread of extremist ideologies online, it is important that the European Parliament and the Council adopt the rules on removing terrorist content online as a matter of urgency,” the Commission writes on this.

The EU Internet Forum will be tasked with developing “guidance on moderation for publicly available content for extremist material online”, it adds.

*Setting aside theoretical NOBUS security vulnerabilities.