Good news on the privacy front: no more EU demands for crypto backdoors

Posted on Oct 20, 2017 by Glyn Moody

Governments all around the world hate encryption. Unless they are being incredibly cunning and merely pretending they can’t break strong encryption when they can, this seems to be because crypto really does keep messages and data safe from prying governmental eyes. Banning strong encryption is clearly a non-starter: even the most clueless politician knows by now that e-commerce would collapse without it. As a result, the favorite approach has been the backdoor, that magical weakness that is somehow available only to those operating lawfully, and not to criminals or hostile governments. That is despite the fact that leading security experts have explained, repeatedly, that it is simply not possible to add a backdoor to an encryption system while retaining the protection it is meant to offer: any mechanism that lets a third party decrypt is a vulnerability in the system, whoever is supposed to hold the key.

It finally seems that the message is getting through – in the European Union, at least. Announcing a range of new measures to boost security in the EU, the Commissioner responsible for this area, Julian King, is reported by Politico.eu as saying:

“We are not in favor of so-called backdoors – that is, systemic vulnerabilities … What we’re trying to do today is move beyond the sometimes sterile debate of backdoors [versus] no backdoors”

That’s confirmed by a comment in the latest EU report on “building an effective and genuine Security Union”, where we read: “the Commission is proposing a range of measures to support Member State authorities, without prohibiting, limiting or weakening encryption.” Instead, King said that the European Commission would be offering EU law enforcement and judicial authorities “a set of techniques, technical support and financial support” to help them obtain information from encrypted sources. A fact sheet provides a few more details. The EU would be providing support to Europol, the European police organization, “to further develop its decryption capability.” It’s not clear what exactly that capability might be. Since it seems unlikely to be a general ability to decrypt the strongest crypto in use today, it is more likely to consist of techniques for getting at the data on physical devices such as smartphones (recovering keys or plaintext from the device rather than breaking the cipher itself), perhaps with the help of manufacturers. The most interesting aspect of the latest measures is a plan “to create a toolbox for legal and technical instruments”. According to Politico.eu:

“The proposed ‘toolbox for legal and technical instruments’ is inspired by recent publications that outline different ways intelligence agencies and law enforcement can get around encryption.”

Those “recent publications” include one this blog has mentioned previously: “Encryption Workarounds”, by Orin Kerr and Bruce Schneier. As they point out, even with the strongest encryption in place, there are several alternative methods for obtaining the information in question: the paper groups them into finding the key, guessing the key, compelling the key, exploiting a flaw in the encryption software, accessing the plaintext while the device is in use, and locating another copy of the plaintext elsewhere. None of these requires weakening the encryption itself. Assuming the European Commission really has understood that fact, it represents a major advance over the “sterile debate” that King mentioned. Another recent EU document seems to confirm the approach. It says: “there is a need for familiarity with the present state of the art in encryption technology and to study weaknesses in algorithms and implementations, including in order to take advantage of possible errors”.

Although the latest announcements by the EU are welcome, they don’t mean the backdooring crypto movement is dead in Europe. Some national governments – notably the UK authorities, which have consistently been some of the worst offenders when it comes to unbridled and illegal surveillance – are still keen to gain easy access to end-to-end encrypted messages. However, on the same day as Julian King’s speech signaling that the European Commission would no longer be pushing for backdoors, further support for dropping the idea came from a different part of the EU’s political machine.

One of the European Parliament’s important bodies, the LIBE Committee on Civil Liberties, Justice, and Home Affairs, has just voted on privacy legislation that is currently working its way through the EU legislative process. As Privacy News Online reported back in June, the LIBE committee had previously proposed important amendments to the basic text of a new ePrivacy law, which now also includes the following (unofficial version):

“In order to safeguard the security and integrity of networks and services, the use of end-to-end encryption should be promoted and, where necessary, be mandatory in accordance with the principles of security and privacy by design. Member States should not impose any obligation on encryption providers, on providers of electronic communications services or on any other organisations (at any level of the supply chain) that would result in the weakening of the security of their networks and services, such as the creation or facilitation of ‘backdoors’.”

It was widely feared that the protection against backdoors would be dropped in the committee’s vote, but instead it survived. However, that is not the end of the story. A full vote of the European Parliament could change the text by removing or watering down sections. Even if that doesn’t happen, before it can become law the other parts of the EU’s legislative machinery will still need to accept the text as agreed by the European Parliament. That means there are still opportunities for good ideas to be dropped and bad ideas to be slipped in.

That said, taken together the two events – new security measures from the Commission and the LIBE committee vote – show that things are finally moving on the backdoor issue. They indicate that even hardened opponents of end-to-end encryption are coming around to the idea that breaking security is not the way to go, and that law enforcement can apply other tools and methods to obtain the information they need to keep the public safe. Assuming that shift is maintained, the hope has to be that other jurisdictions – notably the US – will take note and follow suit in due course.

Featured image by European Union.