No sooner has the threat from the UK Government to end-to-end encryption died down, then some else steps up to take their place.
This time it is the EU who are the threat after comments this week for the EU Justice Commissioner that they were considering forcing tech companies to enable law enforcement bodies to access encrypted communications.
The Commissioner in question is Věra Jourová, a Czech lawyer and politician who was appointed (not elected) to the role of Commissioner for Justice, Consumers and Gender Equality in 2014.
According to the website, Euractiv, Jourová has confirmed that the EU is planning to acquiesce to demands from interior ministers within the EU, and will bring forward legislation later this year which will include “three or four options” for providers.
Echoing the statements of UK Home Secretary Amber Rudd after the London terrorist attack, Jourová said, “At the moment, prosecutors, judges, also police and law enforcement authorities, are dependent on whether or not providers will voluntarily provide the access and the evidence. This is not the way we can facilitate and ensure the security of Europeans, being dependent on some voluntary action.”
The legislation she plans to bring forward is intended to make it easier for law enforcement bodies across the EU to make requests and gain access to data which is not held within their national jurisdiction. This seems likely to include encrypted communications. It is not yet clear how they intend the laws to apply to companies which are not based in the EU.
Pressure from the big powers
It is thought that the new approach from the EU has come about at the behest of France and Germany as well as the UK, which is soon to leave the EU but will retain close security cooperation with the group.
Just after Rudd’s comments in London, the German Interior Minister Thomas de Maizière and the French Minister of the Interior Matthias Fekl addressed MEPs saying that “Germany and France have asked the European Commission to study the possibility of making internet operators subject to the same requirements as telephone operators.”
Fekl went on to say that voice-over-internet calling services, of which Skype is the most well-known, should fall under the same legal framework as regular telephone calls.
These comments are essentially saying that whether a communication is encrypted or not, law enforcement bodies should have the power to listen in. And, of course, the only way to achieve this would be to introduce a backdoor, which undermines the very premise of encryption in the first place.
Fundamental failure to understand encryption
The comments from all of these politicians betray their failure to understand the concept of encryption. Encryption is not just used to hide bad guys conversations, but rather is at the heart of much modern technology such as online financial services.
It is also fundamentally different to wiretapping a phone. If a backdoor is introduced to an encrypted communication, that backdoor is a weakness that any hacker can kick in once he finds it. It is creating a weakness in the security process, which undermines the very reason most people are using encryption in the first place.
It is also impossible to roll back encryption everywhere. Even if the EU bans it, there will be companies based elsewhere using it. Unless the EU wants to try and go down China’s ludicrous “internet sovereignty” route, a global internet will make such regional laws impossible to enforce effectively.
As Andy Patel, a security advisor to F-Secure told Info-Security Magazine, “If end-to-end encryption were to be banned in one app, people would simply move to another one. Even if it were possible to eradicate all privacy-enabling services, ‘terrorism’ would still exist.”
It is, as the EU’s anti-terrorism coordinator, Gilles de Kerchove, has acknowledged “a tricky issue”. But as the political momentum for legislation to undermine encryption builds, it is looking increasingly likely that politicians will not accept the impossibility of what they want until they see it for themselves.