After India, USA, United Kingdom and Australia, it appears that end-to-end encryption is under threat from the European Union. The European Commission, the EU’s executive branch, is contemplating ways to give law enforcement agencies access to end-to-end encrypted communications so that they can crack down on child abuse networks and other organised crimes, the Financial Times reported citing an internal, “need to know” note from the Commission. “The objective here is to enable the intelligence community to track WhatsApp messages,” an unnamed official at the Commission told FT.

This note is reportedly not the official position of the European Commission, the executive branch of the EU. In response to our question about the Commission’s official stance, a spokesperson said,

European Commission’s official stance on law enforcement agencies’ access to E2E encrypted communications:
“E2EE [end-to-end encryption] is an important tool to enhance privacy and security of communications. The European Electronic Communications Code encourages the use of E2EE where appropriate. This should be without prejudice to the powers of Member States to ensure that electronic evidence is made available to courts, in accordance with an appropriate legal framework, independent of whether it is encrypted or not.” — European Commission spokesperson to MediaNama

This suggests that the Commission is of the view that as long as a law exists, backdoors may be on the table. In response to our question about whether access to end-to-end encrypted communications would be in compliance with the European General Data Protection Guidelines, the spokesperson wrote, “Like any other seizure of electronic evidence, the access to E2E encrypted communication will take place in line with all the necessary safeguards and in compliance with relevant legal framework.”

The note also reportedly said that any official orders to access encrypted electronic communication should be proportionate and targeted at specific people in relation to the investigation of a specific crime. Technical solutions should be engaged only when they are effective and “less intrusive measures are not available”, the FT reported.

The next steps would probably be discussed next month at the member states’ justice and home affairs meeting, as per FT.

European Commission has been looking at encryption since December 2016

The European Commission has been discussing “the role of encryption in criminal investigations” since December 2016, at the behest of the Justice and Home Affairs Council in December 2016 and the European Council in June 2017, the Commission spokesperson told us. The European Council, that is the heads of state of member nations, “specifically mentioned end-to-end encryption”, the spokesperson said. This discussion has involved law enforcement, judiciary and private parties such as industry players and NGOs.

The Commission’s Home Affairs department reportedly aims to “stimulate a discussion” among the 27 EU member states “on the issues posed by end-to-end encryption” for the ability to “advance investigations and prosecute criminals”. It further said that criminals make use of “readily available, off-the-shelf solutions” that were conceived for legitimate purposes. The note reportedly wants the EU members to find solutions to allow “law enforcement and other competent authorities to gain lawful access to digital evidence”, without weakening privacy guaranteed by end-to-end encryption.

The note reportedly cited a workshop held in 2019 in which members of the law enforcement and the judiciary said that using encryption had affected their ability to gain lawful access to electronic evidence in between a quarter and all of their cases, depending on the crime area. The experts at this workshop, as per this reported internal note, said that criminal use of end-to-end encrypted technology would “continue to increase”. The Commission spokesperson confirmed this to MediaNama and said, “No conclusions as to how to solve this problem were drawn so far”.

Criminals have moved beyond E2E encryption, use crypto telephones

The internal note reportedly talked about how the takedown of the EncroChat criminal network earlier this year showed how criminals were using services such as crypto telephones, “which go well beyond publicly available end-to-end encrypted services”. EncroChat was a messaging service provider that was primarily used by criminals and members of organized crime for communications. It ceased operations in June this year after a Franco-Dutch police investigation infiltrated their networks and planted a surveillance tool to monitor the users’ investigations. Motherboard has detailed the operation here. Until July, 800 people had been arrested across Europe as a result of this operation.

End-to-end encryption is a communication technology that allows messages, voice calls and video calls to be encrypted in such a way that they can be decrypted only on the intended recipient’s device. Thus, even if law enforcement agencies were to somehow intercept the communication in transit, or seize the service provider’s servers, they would only get access to ciphertext that they wouldn’t be able to decrypt. The issue, at least for the companies, is that the technology doesn’t have a universal or specific decryption key. The message can only be decrypted on the intended recipient’s device/account. Thus, it is only if the end point, that is the mobile device or the computer, is compromised that end-to-end encrypted communication is compromised.

Government voices against end-to-end encryption are getting louder

India and the Five Eyes alliance (USA, UK, Canada, Australia and New Zealand) have led the clarion call against end-to-end encryption, or at least for building backdoors for law enforcement agencies.

In India, fighting terrorism, child abusers and disinformation campaigns have been the main reasons for the government’s call to access end-to-end encrypted communications. The government wants to trace the originator of messages that cause these problems and has primarily targeted Facebook-owned WhatsApp, the country’s most used end-to-end encrypted platform. WhatsApp, however, has maintained that traceability is not technologically possible. With more than 400 million users in India, India is WhatsApp’s largest market.

In a case currently pending before the Supreme Court that may come to define the legal status of encrypted communications in India and the extent of platforms’ liability, the Indian government demanded that services like WhatsApp must decrypt messages to assist investigations. In another instance, an ad hoc Rajya Sabha Committee recommended that law enforcement agencies be permitted to break end-to-end encryption to trace child abusers and people who create and distribute child sexual abuse material.

The Five Eyes intelligence alliance, in 2019, had asked technology companies to “include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format”. In an open letter to Facebook CEO Mark Zuckerberg, USA, UK and Australia asked him to not implement end-to-end encryption on its messaging services without including a way for the governments to access this content for the protection of citizens. They cited loss of access to content that has helped them nab terrorists, paedophiles, and other serious criminals. WhatsApp and Facebook had replied with a firm no, citing privacy and cybersecurity.

In October 2019, Will Cathcart, the head of WhatsApp, had said, “We will always oppose government attempts to build backdoors because they would weaken the security of everyone who uses WhatsApp including governments themselves.” He had called backdoors “a horrible idea”.

There are at least two bills, proposed by Republicans, against encryption in the US — Lawful Access to Encrypted Data (LAED) Act, and the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act. Both essentially want backdoor access to end-to-end encrypted communications for law enforcement agencies. Brazil, too, is deliberating on a bill to fight disinformation that wants platforms to redesign their platforms so that they can trace individual messages, a move that will mean putting an end to end-to-end encryption.

***Update (4:14 pm): Updated with responses from the European Commission spokesperson along with two subheadings, and updated headline accordingly. Originally published on September 16 at 12:20 pm.