Four European apps which secure user data via end-to-end encryption, ProtonMail, Threema, Tresorit and Tutanota, have issued a joint-statement warning over recent moves by EU institutions that they say are setting lawmakers on a dangerous path to backdooring encryption.
End-to-end encryption refers to a form of encryption where the service provider does not hold keys to decrypt the data, thereby enhancing user privacy — as there’s no third party in the loop with the technical capability to access data in a decrypted form.
E2e encryption also boosts security by reducing the attack surface area around people’s data.
However growth in access to e2e encrypted services has, for some half decade or more, been flagged as an issue of concern for law enforcement. This is because it makes it harder for agencies to access decrypted data. Service providers served with a warrant for e2e encrypted user data will only be able to provide it in an unreadable form.
Last month the EU Council passed a resolution on encryption that’s riven with contradiction — calling for “security through encryption and security despite encryption” — which the four e2e app makers believe is a thinly veiled call to backdoor encryption.
The European Commission has also talked about seeking “improved access” to encrypted information, writing in a wide-ranging counter-terrorism agenda also published in December that it will “work with Member States to identify possible legal, operational, and technical solutions for lawful access” [emphasis its].
Simultaneously, the Commission has said it will “promote an approach which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime and terrorism”. And it has made it clear there will be no ‘one silver bullet’ as regards the e2e encryption security ‘challenge’.
But such caveats are doing nothing to alleviate the concerns of e2e encrypted app makers — who are convinced proposals from the Council of the EU, which is involved in adopting the bloc’s laws (though the Commission usually drafts legislation), sums to an push toward backdoors.
“While it’s not explicitly stated in the resolution, it’s widely understood that the proposal seeks to allow law enforcement access to encrypted platforms via backdoors,” the four app makers write, going on to warn that such a move would fatally underline the security EU institutions also claim to want to maintain.
“The resolution makes a fundamental misunderstanding: Encryption is an absolute, data is either encrypted or it isn’t, users have privacy or they don’t,” they go on. “The desire to give law enforcement more tools to fight crime is obviously understandable. But the proposals are the digital equivalent of giving law enforcement a key to every citizen’s home and might begin a slippery slope towards greater violations of personal privacy.”
They point out that any move to break e2e encryption in Europe would run counter to the global rise in interest in robustly encrypted services — pointing to the recent surge in sign-ups for apps like Signal as a result of mainstream privacy concerns attached to Facebook-owned WhatsApp.
Europe has also been ahead of the curve globally in legislating to protect privacy and security. So it would be quite the U-turn for EU lawmakers to line up to poke holes in e2e encryption. (Which, for example, EU data protection regulators are simultaneously recommending be used in order to legally secure transfers of personal data out of the bloc to third countries where it might be at risk).
To say there are ideological contradictions in the EU pushing in an anti-encryption direction is a massive understatement. Even as the contents of current communiques coming out of Brussels on this topic read as if they’re inherently conflicted — which may in fact be a recognition that squaring this circle is no simple policy proposition.
The app makers also pick up on that. “People around the world are taking back control of their privacy, and often it’s European companies helping them do it. It seems illogical that policy makers in the EU would now push for laws that fly in the face of public opinion and undermine a growing European technology sector,” they write.
In an individual quotation from the joint-statement, Andy Yen, CEO and founder of ProtonMail, a Swiss end-to-end encrypted email service, warns against complacency in the face of the latest seeming push for a legal framework to perforate encryption.
“This is not the first time we’ve seen anti-encryption rhetoric emanating from some parts of Europe, and I doubt it will be the last. But that does not mean we should be complacent,” he said. “Put simply, the resolution is no different from the previous proposals which generated a wide backlash from privacy conscious companies, civil society members, experts and MEPs.
“The difference this time is that the Council has taken a more subtle approach and avoided explicitly using words like ‘ban’ or ‘backdoor’. But make no mistake, this is the intention. It’s important that steps are taken now to prevent these proposals going too far and keep European’s rights to privacy intact.”
Martin Blatter, CEO of end-to-end encrypted instant messaging app Threema, also argues that EU lawmakers risk kneecapping homegrown startups if they seek to push ahead with legislation to force European vendors to bypass or deliberately weaken e2e encryption.
“[It] would not only destroy the European IT startup economy, it would also fail to provide even one bit of additional security,” he warned. “Joining the ranks of the most notorious surveillance states in this world, Europe would recklessly abandon its unique competitive advantage and become a privacy wasteland.”
Also chipping in, Istvan Lam, co-founder and CEO of Tresorit, an e2e encrypted file sync & sharing service, argues that any moves to weaken encryption would seriously undermine trust in services — as well as being “irreconcilable with the EU’s current stance on data privacy”.
“We find this resolution especially alarming given the EU’s previously progressive views on data protection. The General Data Protection Regulation (GDPR), the EU’s globally recognized model for data protection legislation, explicitly advocates for strong encryption as a fundamental technology to ensure citizens’ privacy,” he said, adding: “The current and proposed approaches are at complete odds with each other, as it is impossible to guarantee the integrity of encryption while providing any kind of targeted access to the encrypted data.”
While Arne Möhle, co-founder of Tutanota, a German e2e encrypted email provider, says any push to backdoor encryption would be a disaster for security — which actually risks helping criminals.
“Every EU citizen needs encryption to keep their data safe on the web and to protect themselves from malicious attackers,” he said. “With the latest attempt to backdoor encryption, politicians want an easier way to prevent crimes such as terrorist attacks while disregarding an entire range of other crimes that encryption protects us from: End-to-end encryption protects our data and communication against eavesdroppers such as hackers, (foreign) governments, and terrorists.”
“By demanding encryption backdoors, politicians are not asking us to choose between security and privacy. They are asking us to choose no security,” he added.
A fight looks to be brewing in Europe over what exactly the Council’s contradictory edict on ensuring “security through encryption and security despite encryption” will shake out to. But it seems clear that any push toward backdoors would mobilize major regional opposition — as well as being an unattractive option for EU policymakers because it would face legal challenge under the region’s jurisprudence.
The Commission recognizes this complexity. Its counter-terrorism agenda is also notably wide-ranging. There’s certainly no suggestion that it believes e2e encryption is a sole nut that must be cracked. EU institutions are pushing across a number of fronts here, not least because a bunch of fundamental red lines limit wiggle room for non-targeted interventions.
What comes out of the Council’s resolution may therefore be a concerted push to upskill police in areas relevant to investigations (such as digital forensics and metadata analysis). And perhaps create structures for local or state level forces across the bloc to access more powerful security service technical competences for furthering targeted investigations (e.g. device hacking). Rather than an EU-level order blasted at e2e encryption vendors to mandate a universal key escrow ‘solution’ (or similar) — indiscriminately risking everyone’s security and privacy.
But it’s certainly one to watch.