An Austrian media report incorrectly concluded that the Council of the European Union, one of the three legislative bodies of the European Union, is discussing a resolution to ban end-to-end encryption. The draft resolution in question, in fact, states, “Encryption is an anchor of confidence in digitalisation and in protection of fundamental rights and should be promoted and developed”. It sees the increasing adoption of end-to-end encryption by messaging platforms as a “positive[e] reflect[ion]”.
The draft resolution acknowledges the problems that law enforcement agencies face when access to encrypted communication as electronic evidence is “practically impossible” even when such access would be lawful. However, it states multiple times that the EU supports strong encryption, and that encryption is necessary for cybersecurity and protection of fundamental rights. The draft resolution considers this conundrum of balancing privacy and security through encryption and lawful access to encrypted data without suggesting any concrete solutions.
The aim of the draft resolution is for the government to work with industry, research and academia to solve the conundrum of lawful access to encrypted communications while adhering to “principles of legality, transparency, necessity and proportionality”. Any technical solutions that are considered must also “preserv[e] the advantages of encryption”.
Member states can submit their comments by November 12. The German Presidency, which currently chairs the Council of the European Union (CoEU), “intends” to present this resolution to the Standing Committee on Operational Cooperation on Internal Security on November 19, and to the Committee of the Permanent Representatives of the Governments of the Member States to the EU (COREPER). This will be followed by adoption of the resolution by the CoEU.
“The European Union fully supports the development, implementation and use of strong encryption. Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society. At the same time, the European Union needs to ensure the ability of competent authorities in the area of security and criminal justice, e.g. law enforcement and judicial authorities, to exercise their lawful powers, both online and offline” — The draft resolution
This draft resolution does not want backdoors or a ban on end-to-end encryption or a way to undermine encryption, a conclusion that organisations such as Committee to Protect Journalists, European Digital Rights (EDRi) and Access Now have incorrectly come to. If anything, it is a draft of a problem statement — “End-to-end encryption is a hurdle for law enforcement agencies. What do we do about it without undermining it?” No solution has been proposed at all.
Despite presenting no concrete solutions, the draft resolution has clearly ringfenced any potential solution that may be considered — any solution that allows “competent authorities” access to encrypted data must be lawful, targeted, respect fundamental rights and the data protection regime, uphold cybersecurity, and uphold the principles of legality, transparency, necessity and proportionality.
EU doesn’t want backdoors but other countries do
The European Commission, the executive branch of the EU, has maintained that backdoors should not be introduced to encrypted communications and that encryption software should not be weakened. It actually supports Europol (the EU law enforcement agency) and ENISA’s (the European Union Agency for Cybersecurity that contributes to the EU cyber policy) statement from 2016 that said that backdoors allow more opportunities for abuse. As per the statement, backdoors are worse for society at large as they “weaken protection against criminals as well”. Once these encrypted communication channels are weakened, criminals can easily circumvent them and develop or buy their own solutions without backdoors or key escrow, the statement had said.
The EU, through its different bodies, has been looking at “the role of encryption in criminal investigations” since December 2016. While end-to-end encryption has affected the law enforcement and the judiciary’s ability to gain lawful access to electronic evidence, “No conclusions as to how to solve this problem were drawn so far”, a Commission spokesperson had told us earlier.
While the European Commission has categorically denied wanting backdoors, other governments haven’t thought so. The Five Eyes intelligence alliance — comprising of the US, the UK, Australia, Canada, and New Zealand —, India and Japan have repeatedly asked companies to build backdoors to end-to-end encrypted platforms for access to law enforcement agencies.