The Council of the European Union, the body which represents individual EU Member States’ governments, has adopted a resolution on encryption — calling for what they dub “security through encryption and security despite encryption”.
“Competent authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the relevant data protection laws, while upholding cybersecurity,” the Council writes.
Last month a draft Council resolution was reported by some European media outlets as signifying EU political leaders were pushing for a ban on end-to-end encryption, although neither the draft text nor the final document (published today) calls explicitly for that. On the contrary, both express support for “the development, implementation and use of strong encryption”.
In the (non-legally binding) resolution which has just been adopted, the EU body with responsibility for setting the bloc’s policy agenda expresses support for robust encryption whilst arguing that targeted, lawful access to encrypted data is essential in order that electronic evidence can be gathered (to “effectively” fight criminal activity such as terrorism, organised crime, child sexual abuse and other cybercrime and cyber-enabled crimes).
It writes that the “right balance” must be struck between these two facets, while also ensuring that core EU legal principles (such as necessity and proportionality) are taken into consideration — in order that “the principle of security through encryption and security despite encryption [can be] upheld in its entirety”, as the resolution says it must.
The Council also characterizes it as “extremely important” that the privacy and security of comms through encryption is protected — whilst simultaneously “upholding the possibility for competent authorities in the area of security and criminal justice to lawfully access relevant data for legitimate, clearly defined purposes in fighting serious and/or organized crimes and terrorism, including in the digital world, and upholding the rule of law”.
“Any actions taken have to balance these interests carefully against the principles of necessity, proportionality and subsidiarity,” the Council also intones, as political priorities once again collide with the hard binaries of secure encryption.
It’s not clear exactly what action the Council wants EU lawmakers to take to achieve the impossible (i.e. breaking encryption for cybercriminals without breaking encryption for everyone).
But they definitely want to involve the technology industry in this latest futile effort to make encryption a malleable oxymoron, as the resolution talks explicitly about “joining forces with the tech industry”. Albeit, there’s no clarity on what exactly the ‘joined forces’ will be doing — beyond seeking the (un)holy ‘balance’ of insecure security (or secure insecurity, if you prefer).
“Technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality including protection of personal data by design and by default,” the Council goes on, defining what ‘lawful’ access means in this context (and in so doing making it abundantly clear that mandatory backdoors can’t apply; since they would be disproportionate, unnecessary, underhand and unlawful… ).
Later in the resolution, the Council also spells out explicitly that there can be no mandated, single, pan-EU universal tech solution for breaking encryption under its watch, literally stating: “There should be no single prescribed technical solution to provide access to encrypted data”.
“Since there is no single way of achieving the set goals, governments, industry, research and academia need to work transparently together to strategically create this balance,” it also writes, seemingly leaving no safe space for secret meetings between policymakers and industry (where discussions of a ‘oh-but-go-on-you-can-make-a-targeted-backdoor-just-for-lawful-suspects-can’t-you-?’ type-nature might otherwise take place).
“Possible solutions should be developed in a transparent manner in cooperation with national and international communication service providers and other relevant stakeholders,” the Council writes, again apparently rejecting secret agreements between policymakers and tech providers to serve up the hoped-for ‘targeted and lawful’ access — unless they somehow want cooperation to be transparent to policymaker and industry stakeholders (and potentially also relevant academic researchers) but just not to the public/comms service users themselves. Which would go against the ‘transparent working’ spirit of the resolution, if not literally the letter of the text.
This latest salvo in the crypto wars probably won’t reassure all those concerned that EU lawmakers aren’t moving inexorably towards co-opting the tech industry into breaking encryption via mandatory backdoors.
But it’s noteworthy that the otherwise frustratingly ‘cakeist’ Council resolution does reject a single technical solution to achieve its (impossible) aims — merely serving up multiple references to seeking “potential” technical (and operational) solutions, plural.
The resolution thus smacks of a (political) effort to be seen to be doing something; and, at best, a call to bring relevant heads together around tables to get stakeholders up to speed and ensure everyone’s on the same page — thereby avoiding redundant/duplicate effort, with the Council urging coordination and joint working (and the provision of “tailored high quality training”) across the EU’s institutions to interrogate and analyze new technologies, while simultaneously calling on research/academia “to ensure the continued implementation and use of strong encryption technology”.
The Council may also be seeking to avoid the pitfall of any one arm/force within the bloc making itself look stupid by taking a doomed run at e2e encryption. Instead, they hereby throw themselves collectively behind/atop a stupid slogan — “security through encryption and security despite encryption” — so hopefully the stupidity toward encryption stops here.
Last week EU lawmakers also said they’ll work to support ‘lawful’ data access, as part of a wide-ranging counter-terrorism agenda — with the Commission committing to “work with Member States to identify possible legal, operational, and technical solutions for lawful access and promote an approach which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime and terrorism”.
But, again, nothing in that agenda went beyond talk of identifying ‘possible solutions’ for lawful access to encrypted data — even as EU lawmakers committed to maintaining the effectiveness of encryption in the same breath. So round we go again…