EU debate on encryption and law enforcement
On 19 November, the Internet Society organised a webinar on the future of encryption in Europe. This virtual event gathered speakers from the European Commission, the European Parliament, civil society and industry.
Wojciech Wiewiórowski, European Data Protection Supervisor, introduced the webinar. He stressed that there is an increased number of cybersecurity incidents and personal data breaches due to the pandemic crisis.
He underlined that encryption is part of an effective data protection policy. GDPR explicitly refers to encryption in three articles. In many other articles, encryption is not mentioned explicitly but it is one of the appropriate technical measures to put in place as a safeguard. European data controllers recommend using encryption when possible and if efficient.
Following the Schrems II decision on the Privacy Shield, the European Commission published new guidance which states that strong encryption can help provide an adequate level of data protection in the context of data transfers to third countries. However, cryptographic keys must be retained by the data exporters in the EU (or countries covered by adequacy decisions). The guidance is open for consultation until December.
Regarding law enforcement, Wojciech Wiewiórowski explained that the problem with backdoors is manipulation, including use by malicious actors. Some argue that we need to circumvent encryption when the data is still clear. Wojciech Wiewiórowski advocated for a differentiated approach. There is no single approach for lawful access that would apply to all technologies. At the same time, law enforcement forces need to be able to work. Legislation must indicate in what circumstances and under which conditions measures to access data can be provided.
He concluded by stating that encryption is as critical for the digital world as the physical lock for the physical world. “It is the future we want for our children”.
MEP Sophie in ’t Veld (Renew, The Netherlands) recalled that the push to ban encryption had been very strong for a very long time in Europe. There is always such a push after a security incident (e.g. terrorist attack). She stressed that nobody would accept a proposal giving the police free entry to all homes. She lamented the lack of public awareness. Public opinion is mostly triggered by “privacy-by-disaster” (privacy scandals).
She underlined the need for a proper legal framework when it comes to law enforcement. However, she doubted that safeguards could be enough to protect citizens, as “secret services are grossly abusing their access to data”. She pointed out that this area is poorly scrutinised.
Klaus Landefeld (Association of the Internet Industry) explained that 75% of internet traffic is encrypted today. Almost all communication tools are encrypted. The problem remains: encryption is either strong or weak. You cannot ensure access for only a few.
The Council proposal is not to weaken encryption per se but to add more recipients to encryption. Is it an invitation to weaken the products and have backdoors? How can access to backdoors be secure? Who is supposedly allowed to use this backdoor or master key? His association calculated that hundreds of actors across the EU would request this master key. He concluded: “no secret can be kept by hundreds of people. An exceptional access basically means losing all control on who can access.”
Diego Naranjo (EDRi) stressed that civil servants use encryption, for instance in the course of trade negotiations. Encryption is also key for democracy (human rights defenders in dictatorships, journalists etc.).
Encryption does not mean that suspects cannot be caught. Police forces can take a laptop while it is being used and hence access plain text. There are success stories.
Cathrin Bauer-Bulst, Head of the Cybercrime Unit at DG HOME, European Commission, highlighted that encryption is supported by the European Commission. However, 75-80% of legal cases would be negatively affected by encryption. The EU can neither ban encryption nor ban lawful access. A more sophisticated approach is needed. There are different segments of encryption: encryption on the device, encryption in transit etc. There is not one solution that works for all.
The Commission’s principles are the following:
- any orders to access encrypted data must be targeted, proportionate and validated by a judicial authority;
- the Commission does not intend to support technical solutions that would weaken or ban encryption;
- solutions should be used only when necessary. There are other solutions like gaining important information from metadata (location, browser used etc.) or accessing the laptop when data is not encrypted;
- there is no silver bullet. The Commission should never prescribe one technical solution;
- industry, civil society and academia need to come together.
Paul Nemitz, Principal Adviser at DG JUST, European Commission, lamented that fewer and fewer people with technical backgrounds get elected to parliaments and contribute to the democratic debate. The European Commission relies on the truthfulness of what industry and academia say. Unfortunately, the entire truth is not often said.
The European Commission does not want to see encryption weakened. At the same time, law enforcement forces need to be able, on an individual order by a judge, to get access to the communications of a targeted person.
Paul Nemitz explained that historically law enforcement forces have always been able to access communications (reading letters, tapping phones etc.). How should the police work now if this is not the case anymore?
The European Commission is willing to talk to stakeholders, especially those familiar with the technologies.
MEP Karen Melchior (Renew, Denmark) pointed out that she does not understand how you can have encryption with exceptions. There must be other ways for law enforcement to get the needed information. In Denmark, authorities have been illegally logging telephone data for a number of years and refuse to stop. Europe needs to look for other options.
Patrick Penninckx, Council of Europe, underlined that law enforcement forces need to be closely associated with the debate. It is crucial to understand their factual needs. Encryption concerns the extremely important content data. For law enforcement, the most important data are user data and traffic data. Content data is usually needed in later rounds of further investigation.
Iverna McGowan, Center for Democracy & Technology, explained that her organisation created the Coalition for Encryption because they see that encryption is under threat at a global level. From a human rights perspective, measures undermining encryption are deeply problematic. Killings of human rights defenders are increasing and journalists are under threat in numerous countries (e.g. Belarus). If you are under threat from a government, you need proper safeguards. There are currently conversations about the rule of law in some EU Member States [Poland and Hungary]. We have to ask ourselves what is at stake at the moment.
Jean-Christophe Le Toquin, Encryption Europe Coalition (industry association of nine SMEs providing products to encrypt data) explained that it is difficult to find companies willing to talk on this topic, due to the specificities of this industry. He mentioned a question asked to the French Minister of Interior nine months ago on access to encrypted data. There are currently discussions between French authorities and telecommunication companies to give access to data. In a French document, the word “backdoor” was explicitly written. There was no discussion on this in France. The Global Encryption Coalition is very important.