Four European apps that secure user data through end-to-end encryption, ProtonMail, Threema, Tresorit and Tutanota, have issued a joint warning statement regarding recent initiatives by EU institutions which they say put the lawmakers on a dangerous path to backdoor encryption.
End-to-end (e2e) encryption refers to a form of encryption in which the service provider does not hold the keys needed to decrypt data, thus improving user privacy – because there is no third party in the loop with the technical ability to access the data in decrypted form.
E2e encryption also boosts security by reducing the attack surface around people’s data.
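The distinction the article draws here, a provider that holds no key versus one that holds a copy, is easy to see in a short model. The following Python script is an added illustration written for this page, not code from the article or from any of the four companies. Its cipher is a deliberately simple stand-in (an HMAC-SHA256 keystream with an HMAC tag) so that it runs with the standard library alone and is not a substitute for a vetted AEAD; the `Provider` class, the sample message and the key-escrow flow are all constructed for the demonstration.

```python
"""Added illustration (not from the article or any of the four companies):
a minimal model of why "end-to-end" means the provider holds no usable key,
and what changes once a copy of the key is lodged with the provider.

Standard library only. The cipher is a toy (HMAC-SHA256 keystream plus an
HMAC tag) chosen so the script runs offline; use AES-GCM or ChaCha20-Poly1305
from a real library for anything beyond illustration.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from key and nonce (counter mode over HMAC)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; layout of the blob is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class Provider:
    """The service in the middle (constructed): stores blobs plus any keys it was given."""

    def __init__(self) -> None:
        self.stored: List[bytes] = []
        self.escrowed_keys: List[bytes] = []

    def upload(self, blob: bytes) -> None:
        self.stored.append(blob)

    def try_read(self, index: int) -> Optional[bytes]:
        """What the provider, or anyone who breaches or compels it, can recover."""
        for key in self.escrowed_keys:
            plaintext = decrypt(key, self.stored[index])
            if plaintext is not None:
                return plaintext
        return None


# Constructed sample message; the content is irrelevant to the demonstration.
MESSAGE = b"constructed sample message: meeting notes, not for the server"


def run_e2e() -> Tuple[Optional[bytes], Optional[bytes]]:
    """End-to-end: sender and recipient share a key the provider never sees."""
    shared_key = os.urandom(32)
    provider = Provider()
    provider.upload(encrypt(shared_key, MESSAGE))
    recipient_view = decrypt(shared_key, provider.stored[0])
    return provider.try_read(0), recipient_view


def run_escrow() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Same flow, but a copy of the key is escrowed with the provider for 'access'."""
    shared_key = os.urandom(32)
    provider = Provider()
    provider.escrowed_keys.append(shared_key)  # one extra key holder changes everything
    provider.upload(encrypt(shared_key, MESSAGE))
    recipient_view = decrypt(shared_key, provider.stored[0])
    return provider.try_read(0), recipient_view


if __name__ == "__main__":
    print("e2e    : provider recovers", run_e2e()[0])
    print("escrow : provider recovers", run_escrow()[0])
```

In the e2e run the provider stores only ciphertext and `try_read` returns nothing, while the intended recipient decrypts normally. Adding a single escrowed key is enough for the provider, and therefore anyone who breaches or compels it, to read every stored blob; there is no state in between, which is the sense in which the app makers say data is "encrypted or not".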
However, the growth in access to e2e encrypted services has, for half a decade or more, been flagged as a concern by law enforcement, since it makes it harder for agencies to obtain data in decrypted form: a service provider served with a demand for e2e encrypted user data can only hand it over in unreadable form.
Last month the EU Council passed a conflicted resolution on encryption, calling for ‘security through encryption and security despite encryption’, which the four e2e app makers read as a barely veiled call to backdoor encryption.
The European Commission has also talked of seeking “improved access” to encrypted information, writing in a broad counterterrorism program, also published in December, that it “will work with member states to identify possible legal, operational and technical solutions for legal access” [emphasis its own].
At the same time, the Commission said it “will promote an approach which both preserves the effectiveness of encryption to protect privacy and security of communications, while providing an effective response to crime and terrorism”. It also made clear that there will be no “silver bullet” when it comes to the “challenge” that e2e encryption poses for security.
But such caveats do nothing to allay the concerns of the e2e encrypted app makers, who are convinced that the proposals from the EU Council (a body involved in passing the bloc’s laws, though the Commission usually drafts legislation) boil down to a push towards backdoors.
“Although not explicitly stated in the resolution, it is widely accepted that the proposal aims to allow law enforcement to access encrypted platforms via backdoors,” write the four app makers, warning that such a move would inevitably undermine the very security the EU institutions also claim they want to maintain.
“The resolution creates a fundamental misunderstanding: encryption is an absolute, data is encrypted or not, users have privacy or not,” they continue. “The desire to give law enforcement more tools to fight crime is obviously understandable. But the proposals are the digital equivalent of giving law enforcement a key to every citizen’s home and could start a slippery slope toward greater privacy breaches.”
They point out that any move to break e2e encryption in Europe would run counter to a global surge in interest in robustly encrypted services, highlighting the recent spike in signups for apps like Signal driven by widespread privacy concerns over a policy change at Facebook-owned WhatsApp.
Europe has also been ahead of the curve globally in legislating to protect privacy and security, so it would be a real U-turn for EU lawmakers to line up to punch holes in e2e encryption. (EU data protection regulators, for example, are simultaneously recommending that encryption be used to legally secure transfers of personal data out of the bloc to third countries where it could be at risk.)
To say that there are ideological contradictions in the EU pushing in an anti-encryption direction is a massive understatement, even if the content of the current communiques coming out of Brussels on this topic reads as inherently conflicted, which may in fact be an acknowledgment that squaring this circle is not just a political proposition.
The app makers make the same point. “People all over the world are taking back control of their privacy, and it is often European companies that help them to do so. It seems illogical that EU policymakers are now pushing for laws that run counter to public opinion and undermine a growing European tech sector,” they write.
In an individual quote accompanying the joint statement, Andy Yen, CEO and founder of ProtonMail, a Swiss end-to-end encrypted email service, warns against complacency in the face of the latest apparent push for a legal framework to puncture encryption.
“This isn’t the first time we’ve seen anti-encryption rhetoric emanating from parts of Europe, and I doubt this will be the last. But that doesn’t mean we should be complacent,” he said. “Simply put, the resolution is no different from previous proposals which have generated a broad response from privacy-conscious businesses, members of civil society, experts and MEPs.
“The difference this time is that the Council has taken a more subtle approach and avoided the explicit use of words like ‘ban’ or ‘backdoor’. But make no mistake, that is the intention. It is important that action is taken now to ensure that these proposals do not go too far and that Europeans’ rights to privacy remain intact.”
Martin Blatter, CEO of the end-to-end encrypted instant messaging app Threema, also argues that EU lawmakers risk harming local startups if they push forward legislation forcing EU providers to bypass or deliberately weaken e2e encryption.
“[It] not only would destroy the European IT startup economy, but wouldn’t even provide a little extra security,” he warned. “Joining the ranks of the world’s most notorious surveillance states, Europe would recklessly give up its unique competitive advantage and become a wasteland for privacy.”
Istvan Lam, co-founder and CEO of Tresorit, an e2e encrypted file sync and sharing service, further argues that any move to weaken encryption would seriously undermine trust in such services, as well as being “irreconcilable with the current EU position on data privacy”.
“We find this resolution particularly alarming given the EU’s previously progressive views on data protection. The General Data Protection Regulation (GDPR), the EU’s globally recognized model for data protection law, explicitly calls for strong encryption as a fundamental technology to ensure citizens’ privacy,” he said, adding: “The current and proposed approaches are totally contrary to each other because it is impossible to ensure the integrity of the encryption while providing any kind of targeted access to the encrypted data.”
Arne Möhle, co-founder of Tutanota, a German e2e encrypted email provider, argues that any push towards backdooring encryption would be a security disaster, one that in fact risks helping criminals.
“Every citizen of the EU needs encryption to protect their data on the web and protect themselves from malicious attackers,” he said. “With the latest backdoor encryption attempt, politicians want an easier way to prevent crimes such as terrorist attacks while ignoring a whole range of other crimes that encryption protects us from: end-to-end encryption protects our data and communications from eavesdroppers such as hackers, (foreign) governments and terrorists.”
“By demanding encryption backdoors, politicians are not asking us to choose between security and privacy. They are asking us to choose no security,” he added.
A battle seems to be brewing in Europe over what will come out of the Council’s contradictory edict on guaranteeing “security through encryption and security despite encryption”. But it seems clear that any backdoor push would mobilize major regional opposition, aside from being an unappealing option for EU policymakers, as it would face legal challenge under the region’s case law.
The Commission recognizes this complexity. Its counterterrorism program is also very broad, and there is certainly no suggestion that it thinks e2e encryption is the only nut to crack. The EU institutions are pushing on a number of fronts here, not least because a set of fundamental red lines limits the room for maneuver for untargeted interventions.
What emerges from the Council resolution may therefore be a concerted push to improve police capabilities in areas relevant to investigations (such as digital forensics and metadata analysis), and perhaps to create structures for local or state-level forces across the bloc to draw on more powerful technical capabilities from the security services to deepen targeted investigations (e.g. device hacking), rather than an EU-level order to e2e crypto providers mandating a universal key escrow (or similar) “solution” that would indiscriminately put everyone’s security and privacy at risk.
But it is certainly one to watch.