European MEPs want to ban states from backdooring encryption

The European parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has put forward a proposal that would amend the EU’s charter of fundamental rights to extend privacy rights to the digital realm and prevent governments of EU Member States from backdooring end-to-end encrypted services.

“This Regulation aims at ensuring an effective and equal protection of end-users when using functionally equivalent services, so as to ensure the protection of confidentiality, irrespective of the technological medium chosen,” they write in the draft ePrivacy proposal.

“The protection of confidentiality of communications is also an essential condition for the respect of other related fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, and freedom of expression and information.”

On encryption the committee amends an earlier text, proposed by the EU’s executive body, the European Commission, to state: “[W]hen encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.”

The LIBE’s ePrivacy proposal to amend Article Seven of the EU’s Charter of Fundamental Rights — which would need to gain the backing of the EU parliament and the Council if it were to become law — comes at a time when political scapegoating of tech platforms for carrying terrorists’ communications on encrypted platforms is rising.

In the US there have been fresh calls for decryption legislation from Senator Dianne Feinstein — and supported by James Comey, albeit now the former FBI director.

In Europe, meanwhile, UK politicians have been banging an anti-encryption drum for years. The current administration continues to do so, most recently saying it intends to limit the use of end-to-end encryption — via powers set out in domestic surveillance legislation passed at the end of last year.

Justice ministers in other European governments, including France and Germany, have also attacked encryption as a barrier to law enforcement and counter-terror efforts in recent years, following a spate of terror attacks across the region.

This month the leaders of the UK and France announced a joint front aimed at tackling online radicalization. After a meeting, France’s Emmanuel Macron said both nations are “committed to improve the means of access to encrypted content in conditions that preserve the confidentiality of messages”.

Macron’s comments sum up the contradictions inherent in this debate — where use of end-to-end encryption means service providers cannot provide access to decrypted data as they do not hold the encryption keys.

(Although, in the case of the UK, the government has already legislated to give itself what has been widely interpreted as decrypt powers, via the 2016 Investigatory Powers Act — hence ministers claiming they will legally force companies to limit their use of e2e encryption.)

European justice ministers are also collectively weighing whether to push for a decrypt law at the pan-EU level — apparently with agreement between them that e2e encryption presents a challenge for counterterrorism and policing, though no accord on what, if any, specific measures to take as yet.

At a meeting earlier this month the ministers discussed proposals to speed up law enforcement requests for data from tech companies (so-called e-evidence). But talks on encryption remain at an early stage, and a spokesman for the European Commission reiterated its support for encryption generally.

Should the LIBE committee gain EU parliament and Council support for banning state-mandated backdoors in encrypted services, that would close down any efforts by individual Member States to push for decrypt laws.

MEP and chair of the LIBE, Claude Moraes, told us the ePrivacy proposals will be debated by the committee tomorrow — “where we will hear the views of the other [EU] institutions”.

“The Rapporteur will make the case that we need a specific legal tool to protect the right to private life guaranteed by Article 7,” he added.

In the UK’s case there’s a question mark about whether any changes in EU law would apply, given the country is in the process of leaving the bloc. That said, last year the UK government lost a legal challenge to prior domestic surveillance legislation under EU law — with Europe’s top court reiterating that states cannot legislate for “general and indiscriminate data retention”.

That ruling pertained to DRIPA, but has implications for the IP Act — which imposes a requirement on ISPs to retain web activity data on all their users for 12 months.

Much remains unclear about the UK’s Brexit process, not least as the country now has a minority government, after the prior administration lost seats at the last election.

But back in February the UK government said it intends to mirror a large part of EU data protection law even after Brexit — including harmonizing domestic law with the incoming EU GDPR (General Data Protection Regulation); and aiming to continue current data-sharing activity for law enforcement purposes.

So any future EU ePrivacy regulation may well be something the UK also needs to comply with — assuming it wants to be able to continue trading with the bloc.