The debate on encryption in the EU has followed a familiar path in pitting national security against concerns about civil liberties and privacy. On the one hand, Governments and intelligence agencies have increasingly claimed that the widespread use of encryption could threaten national security. The UK government has gone so far as describing encrypted communication apps as giving “terrorists a place to hide”, while its French and German counterparts have likewise attacked these technologies as a barrier to law enforcement and counter-terror efforts.
On the other hand, privacy advocates and security experts have maintained that “encryption and anonymity, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age”. Beyond, they claim that a weakening of encryption would in itself create new (cyber) security concerns. Many insist that there is no secure way to enable government access to encrypted technology and that any system that attempts to do so is necessarily compromised.
Strong encryption is an essential piece to the future of the world’s economy, and the Internet Society believes that encryption should be the norm for Internet traffic and data storage. It allows us to do our banking, conduct local and global business, run our power grids, operate communications networks, and almost everything else.
Encryption is a technical building block for securing infrastructure, communications, and information. It should be made stronger and universal, not weaker.
This is an argument, together with privacy concerns, that seems to have been taken on board by the LIBE committee of the European Parliament. LIBE has proposed a ban on so-called backdoors that would allow law enforcement access to the content of encrypted messaging. As part of ongoing reform of the privacy rules for electronic communications, the LIBE committee parliamentarians have tabled an amendment to the proposed Regulation, which would promote the use of encryption for electronic communications, and prevent Member States from “impos[ing] any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and service”. Should the LIBE committee win the support of the rest of the European Parliament and of the Council, individual Member States would be barred from mandating backdoors.
The Parliament is certainly not alone at EU level in its concerns. The Vice-President of the European Commission Andrus Ansip, who is responsible for of the Digital Single Market, stated that he continues to believe that creating backdoors to encrypted messaging systems would not help combat terrorism. Meanwhile, the EU’s cybersecurity agency, ENISA, also come out strongly against such measures arguing that “undermining the privacy of freely encrypted tools will generate a new market for new private encrypted products to serve the criminal community”.
The argument, however, is far from won. The European Council in a recent statement called for the problem that end-to-end encryption causes for law enforcement and counter-terror efforts to be addressed. Under this continued pressure from Member States, the European Commission is said to be drafting options to provide authorities with access to encrypted applications.
We at the Internet Society recognise the legitimate concerns of law enforcement agencies but we also remain firm in our conviction that encryption is an important technical solution that all Internet users—individuals, governments, businesses, and other communities — should use to protect their communications and data. Weakening encryption might well be an attractive idea, but it is counterproductive in the long-run. What we need instead is to come together in support of a safer Internet and explore better ways to address the concerns of both the law enforcement community and digital users.
We, therefore, applaud the European Parliament LIBE committee’s initiative and invite the Commission and European Council to resist the urge to implement a short-term fix for its security concerns and instead protect this important foundation for trust, privacy, and security.