The European Commission believes that backdoors should not be introduced to encrypted communications and that encryption software should not be weakened. The Commission clarified this in an emailed response to MediaNama’s queries about its stance on developing backdoors to end-to-end encrypted platforms. Last week, it was reported that the European Union is deliberating on how to give law enforcement agencies access to end-to-end encrypted communications.
The Commission’s previous response had suggested that as long as a law exists, backdoors may be on the table. The latest response clarifies the Commission’s anti-backdoor position. The Commission has been discussing the role of encryption in criminal investigations since December 2016.
The Commission, which is the executive branch of the European Union, supports Europol (the EU law enforcement agency) and ENISA’s (the European Union Agency for Cybersecurity that contributes to the EU cyber policy) statement from 2016 that said that backdoors allow more opportunities for abuse, the spokesperson told us. As per the statement, backdoors are worse for society at large as they “weaken protection against criminals as well”. Once these encrypted communication channels are weakened, criminals can easily circumvent them and develop or buy their own solutions without backdoors or key escrow, the statement had said.
The Europol-ENISA statement stressed on the importance of proportionality. It said, while “intercepting encrypted communication or breaking into a digital service might be considered a proportional response with respect to an individual suspect”, breaking the cryptographic mechanism itself may cause collateral damage. The confidential Commission note that FT had reported on also mentioned that any access to encrypted electronic communication should be proportionate and targeted at specific people.
Why is this important?
Access to end-to-end encrypted communications has become a major policy and law enforcement issue around the world. The nature of this technology, which is offered by WhatsApp and Signal by default, is such that interception of messages is impossible. Only the devices used to send and receive the messages can read them. This means that law enforcement agencies cannot intercept potentially criminal communications except when they get physical access to the device.
The stance of European Commission is considerably different from other governments that are hankering for an end to end-to-end encrypted platforms, at least without backdoors. We had earlier reported that the Commission encourages the use of E2E encryption “where appropriate”. The key concern for the EU is making electronic evidence available to courts, irrespective of whether or not it is encrypted, especially when encryption had affected law enforcement and judiciary’s ability to gain lawful access to electronic evidence in between a quarter and all of their cases, depending on the crime area.
Encryption is crucial for security, privacy: Commission
Stressing on the importance of encryption, the spokesperson wrote, “Encryption can play a crucial role, together with other measures, to protect information, including personal data, hence reducing the impact of data breaches and security incidents. Identification systems are based on encryption and trust in such identification schemes should not be undermined.”
The Europol-ENISA statement also acknowledged that it is “good news for all the legitimate users” that cryptographers are currently miles ahead of criminals who constantly seek to circumvent encrypted platforms even though it means that law enforcement agencies can often not access necessary information.
The Commission wants to ensure that “digital products and services are developed according to ‘security-by-design’ and ‘privacy-by-design’ principles”, the spokesperson said. This is in line with EU’s larger commitment to privacy.
‘Give us backdoor access,’ other governments say
Unlike the EU, which is firmly against backdoors, other countries, including India, are all for them:
- India: The Supreme Court is hearing a case that may come to define the legal status of encrypted communications in India and the extent of platforms’ liability. There, the Indian government has demanded that services like WhatsApp must decrypt messages to assist investigations, and aid agencies in tracing the originator of a violative message. In another instance, an ad hoc Rajya Sabha Committee recommended that law enforcement agencies be permitted to break end-to-end encryption to trace child abusers and people who create and distribute child sexual abuse material.
- Five Eyes: In 2019, the Five Eyes intelligence alliance, which consists of USA, UK, Canada, Australia and New Zealand, had asked technology companies to build backdoors in their encrypted products for access to law enforcement agencies. In an open letter to Facebook CEO Mark Zuckerberg, USA, UK and Australia asked him to not implement end-to-end encryption on its messaging services without backdoors for government. WhatsApp and Facebook had replied with a firm no, citing privacy and cybersecurity.
- USA: There are at least two Republican-backed bills in the US that want backdoor access to E2E encrypted communications for law enforcement agencies.
- Brazil: The Latin American nation is deliberating on a bill that wants platforms to redesign their platforms so that they can trace individual messages, a move that will mean putting an end to end-to-end encryption. The stated aim of the bill is to fight disinformation.
What alternatives are possible?
The Europol-ENISA 2016 statement said that the focus should be on getting access to the communication of information, “not on breaking the protection mechanism”. Since communication needs to be unencrypted “at some point” to be useful to criminals, undercover operations, infiltrating groups, and getting access to the devices via live forensics on seized devices or lawful interception when those devices are viable alternatives.
These alternatives were put into action when a Franco-Dutch police investigation took down criminal networks on EncroChat earlier this year. In this case, criminals were using EncroChat and crypto telephones to plan and execute their crimes. Police finally brought them down by infiltrating their groups and then sending them spear phishing messages that planted tracking tools in their devices to bring down the network. No backdoors or vulnerabilities, except human ones, were exploited in the process. Until July, 800 people had been arrested across Europe as a result of this operation. This particular case was cited in the internal note that FT had reported on.
European Commission’s response to MediaNama:
“On this issue [European Commission’s stance on developing backdoors to end-to-end encrypted platforms for law enforcement], the Commission supports the statement issued by Europol and ENISA on 20 May 2016, laying out the disadvantages of backdoors.
“Encryption can play a crucial role, together with other measures, to protect information, including personal data, hence reducing the impact of data breaches and security incidents. Identification systems are based on encryption and trust in such identification schemes should not be undermined.
“This means that encryption software should not be weakened or be made vulnerable. The Commission does not support the development or mandatory introduction of backdoors (i.e. code that would allow one party alone to access encrypted content sent by other parties, without the knowledge of these parties).
“The European Commission is working to ensure that digital products and services are developed according to ‘security-by-design’ and ‘privacy-by-design’ principles.” — European Commission Spokesperson
- Now, EU is deliberating on law enforcement access to end-to-end encrypted communications
- ‘Don’t introduce end-to-end encryption,’ UK, US and Australia ask Facebook in an open letter
- Read about the WhatsApp traceability case in the Indian Supreme Court here.
***Update (September 30, 2020 11:38 am): Updated with complete response from the European Commission. Originally published on September 29, 2020 at 3:35 pm.