Encryption is under attack around the world, and not just by hackers trying to break into systems. Governments continue to call for access to encrypted communications, despite universal warnings from experts that every way of doing so would significantly weaken security and privacy for billions of users. As well as moves by individual countries like the UK, which seems determined to destroy its software industry by undermining encryption technologies in that country, there have been various calls for international collaboration to weaken crypto. For example, back in March, the then FBI Director, James Comey, said:
“I could imagine a community of nations committed to the rule of law developing a set of norms, a framework, for when government access is appropriate”
Around the same time, the European Union also made noises about giving police access to encrypted communications across the EU. Just last week, Australia’s prime minister revealed that the Five Eyes intelligence agency club of the US, UK, Canada, Australia and New Zealand, were also discussing ways of forcing Internet companies to share encrypted data with the authorities. UK and France have even released a formal “action plan“, which states: “When encryption technologies are used by criminal groups, and terrorists, it must be possible to access the content of communications and their metadata.”
Against that depressing background of wilful refusal to recognize the technical impossibility of what is being demanded, the following comes as something of a surprise:
“The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data.
Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.”
Those words come not from some digital rights organization, but a group of senior politicians who sit on the influential European Parliament LIBE Committee on Civil Liberties, Justice, and Home Affairs. They form part of the committee’s suggested amendments to an important EU directive on privacy that is currently working its way through the legislative system. That is, if the amendment quoted above is adopted, it will be enshrined in EU law, and have a dramatic impact on calls to backdoor encrypted communications.
The proposed amendments are also notable for their constant reference to – and understanding of – metadata. That’s in striking contrast to most government statements, which tend to claim that it’s “only” metadata that they are harvesting when they spy on us, not content. And yet metadata is in many ways more revealing, not least because it is structured, and thus easy to aggregate and cross reference, unlike content. The LIBE committee is also fully aware of the implications of cloud computing and the Internet of Things for privacy and the need for uploads and machine-to-machine datastreams to be fully safeguarded:
“Today electronic communications remain stored with service providers even after receipt. Hence, it is proposed to make it clear that the confidentiality of communications is also ensured with regard communications stored or processed by the terminal equipment or other equipment (e.g. cloud storage) as well as communications in the IoT environment (machine-to-machine), when it is related to a user.”
The draft report from the EU politicians explains that the new privacy directive is a continuation of the work begun with the EU’s General Data Protection Regulation, which was approved last year, and comes into force in May 2018. Even though the GDPR is EU legislation, it will have important ramifications for companies around the world, not least for the following reason:
“it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-Eu businesses processing the data of EU citizens will also have to appoint a representative in the EU.”
It is extremely likely that the reach of the privacy directive will be similarly global. That means, for example, that any US companies offering services in the EU will be subject to its requirements for end-to-end encryption or equivalent, and its ban on backdoors or other weakening of protection.
It is not yet certain that the LIBE committee’s amendments will be accepted. Indeed, there is likely to be fierce lobbying against them by European governments, who will want exceptions for the usual things like national security and tackling serious crimes. But it is nonetheless significant that at least some politicians understand that it is not possible to undermine an encrypted communication channel without undermining the security and privacy of its users. That’s progress. It’s up to us to support these moves in an attempt to get across to governments around the world that weakening crypto is not the answer, and not an option.
Featured image by Jereme Rauckman.