The EU has long led the way when it comes to protecting online freedoms. Their excellent reputation in this field is well founded. But after a year which has seen a spate of deadly terrorist’s attacks all across the continent, commentators have been musing about how long this might last.
Sadly, it seems that the moment when the EU decides to sacrifice privacy in the name of ‘security’ might be upon us.
A report in the Financial Times (£) newspaper has highlighted a forthcoming meeting between the French Interior Minister, Bernard Cazeneuve and his German equivalent Thomas de Maizere. In this meeting, one of the key topics of discussion will apparently be the idea of regulating against the use of encrypted communications across the EU.
Why Regulate Now?
The French position on this issue has been longstanding. They have already proposed a raft of intrusive surveillance laws which have come under sustained attack from privacy advocates. And speaking ahead of this meeting, Cazeneuve has told reporters that encryption is “a central issue in the fight against terrorism.”
Their stance is driven by claims over the recent terror attacks in Paris and Brussels. Both of these incidents were carried out by perpetrators from the same cell. These men were in constant contact with each other and according to French Homeland Security supremo Patrick Calvar, security services have collected several gigabytes of data about or from them.
He claimed in the FT that much of this data was “often encrypted, and impossible to decipher”. But no-one knows for sure precisely how much of the data gathered was encrypted, and of that which was, how much of it was useful.
The problem for the EU up to this point has been how to categorise the encrypted online messaging services, such as WhatsApp and Apple’s iMessage. Because they send data via the internet, they are not currently covered by the EU laws which permit interception of communications. Yet currently, they do not fall under the EU’s ePrivacy guidelines either.
This later piece of legislation is currently under review and about to be updated, but the extent to which this might close that loophole is still unclear.
Which brings the debate back around to the issue of encrypted communications and whether intelligence and law enforcement services should be permitted to require tech companies to provide a backdoor to access it. Currently, accessing encrypted communications data is somewhere between very difficult and impossible. And of course, this is precisely as it should be.
Numerous IT security experts have argued that introducing such as weakness into encrypted communications would leave it vulnerable to being hacked by other outside bodies, and weaken the data security for millions of innocent individuals in an attempt to gather evidence on a handful of terrorist suspects.
Speaking exclusively about the proposals which the French and German ministers will be discussing, Jacob Ginsberg, senior director at encryption company Echoworx made that argument and argued strongly against the systemic bulk collection of data which so many Governments are turning to these days.
He notes that to tap a phone, authorities need to provide enough evidence to persuade a judge to issue them with a court order. “They should not be allowed to circumvent existing laws based on the type of media under surveillance,” he added.
His logic is flawless, but of course, does not carry too much sway with those intelligence agencies eager to gather as much data as possible.
It will not be easy for the EU laws to be changed in the way that the French and German Ministers are considering. All EU laws must be approved by the EU Commission and pass the EU Parliament. It is a long bureaucratic process which can take many years.
It also requires the agreement of all 28 member states, and it seems unlikely that liberal countries like the Netherlands would sign up to such a law. Of course, France and Germany may choose to take some steps unilaterally and internet users in those countries will be warier than ever of their online privacy in light of this news.
Currently, the number of VPN subscribers in both countries is well below the global average, with users putting their faith in the EU’s laws to protect them. It seems likely that this statistic will change in the coming months, especially if the French and German Governments do get their way.
It would certain seem sensible for online users who value their privacy to make use of a VPN based outside their local jurisdiction if they want to be sure their online communications will remain private and secure.