EU Seeks Mandatory End-to-End Encrypted Communications
The EU wants messaging systems – including apps such as Facebook Messenger, Telegram and WhatsApp – to have mandatory end-to-end encryption, and to prohibit any attempt by governments to create backdoors in such messaging systems.
Those proposals are part of a number of changes being put forward to update a 2002 EU electronic privacy directive, transforming it into a regulation that would take effect at the same time as the EU General Data Protection Regulation in May 2018.
Officials say the timing is not a coincidence, and that the changes are meant to modernize EU e-privacy rights, in line with the stronger data privacy protections guaranteed by GDPR.
The e-privacy change from being a directive to a regulation – specifically, the Regulation on Privacy and Electronic Communications – is also significant. Directives get transposed by EU member states into national laws. But a regulation, once it takes effect, becomes immediately enforceable as law in all EU member states.
Push to Modernize Protections
A report on the e-privacy regulation released this month by the European Parliament’s committee on civil liberties, justice and home affairs – updating proposals made by the European Commission in January – says people’s communications and metadata must be protected, and related rights modernized.
The proposals in the regulation would enshrine protections that apply broadly to communications – not just, for example, relating to payments – and prohibit governments from undercutting the data security offered to Europeans, noting that to do so would have profound repercussions for their fundamental rights and freedoms.
“The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorized access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data,” one of the proposed amendments reads. “Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited.”
The proposals, backed by European MPs, also specifically prohibit crypto backdoors. “Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services,” the report reads.
Many security experts have applauded the move to outlaw backdoors and ensure individuals have access to end-to-end encrypted communications, for their own security and safety.
“If this passes, it could be the best security news of the year,” says Jake Williams, a cybersecurity consultant, exploit development instructor for SANS Institute and former National Security Agency employee.
Others, however, are more circumspect. “It’ll be interesting to see if this EU mandatory testing encryption goes anywhere,” says Alan Woodward, a computer science professor at the University of Surrey and cybersecurity adviser to the EU’s law enforcement intelligence agency, Europol.
Crypto Debates Rage in Europe
The European Parliament’s proposal belies the contentious crypto debates happening in many parts of Europe. Both Germany and the Netherlands, for example, have promised that they will not weaken crypto, or force crypto backdoors, saying that to do so would compromise the security and privacy of law-abiding individuals.
Government ministers in other countries, however, including Britain and France, have been pursuing the opposite course. Last year Britain, for example, passed the contentious Investigatory Powers Act 2016. Derided as being a “Snooper’s Charter,” the law gives the government the power to compel any technology provider to crack any end-to-end encryption they provide, upon demand, while prohibiting them from telling anyone that they have done so (see Britain’s New Mass Surveillance Law Presages Crypto Fight).
The European Parliament’s proposal flies in the face of such legislation, perhaps purposefully.
Could be a shot across the bows for those national governments now talking about E2EE as something that must be stopped to fight terrorism.
— Alan Woodward (@ProfWoodward) June 16, 2017
“Seems at odds with statements coming from a number of national governments. Quite an extraordinary draft in many ways,” Woodward tells Information Security Media Group via Twitter. “Could be a shot across the bows for those national governments now talking about E2EE as something that must be stopped to fight terrorism.”
In Great Britain, the anti-crypto rhetoric has continued to be cranked up following the London Bridge and Borough Market attacks earlier this month. Prime Minister Theresa May, in her first public remarks following the attacks, attempted to deflect blame for the attacks onto “the big companies that provide internet-based services.”
May has also alleged that social networks have been creating “safe spaces online” for extremists and their recruitment activities (see London Bridge Attack Sparks Call for ‘Cyberspace Regulation’).
Critics, however, have noted that her Conservative party has significantly reduced the size of the country’s police force in recent years, which might have otherwise been tasked with increased monitoring of extremists as well as extremism-related intelligence gathering and sharing.
Many security experts, including Thomas Rid, a professor of war studies at King’s College London, have dismissed May’s assertions and rhetoric. Rid, for example, says the “safe spaces” trope is a mistaken view of the internet that misunderstands its ubiquity in everyday life, and notes that any attempt to undercut secure communications will compromise the security of everyone – not just terrorists.
In addition, not all communications need happen using popular apps built by big players. “[The] focus on ‘big companies’ is misleading,” Rid says via Twitter. “A range of secure comms channels will remain available to militants no matter what big firms do.”
Indeed, security experts have also long warned that there is simply no way to keep encryption out of the hands of criminals or extremists, or to provide police with a “golden key” that only they – and not criminals or hostile nation states – can use to crack crypto. Scientifically speaking, that’s simply not how encryption works (see Crypto Review: Backdoors Won’t Help).
Furthermore, Rid asserts, potentially suspending people’s security in the name of terrorism only serves to further extremists’ aims.
But were the new EU e-privacy regulation to pass with the backdoor ban and the requirement that users have access to end-to-end encrypted communications, Britain could potentially sidestep the law, thanks to its pending “Brexit” from the EU.
Golden Age of Surveillance
The anti-encryption rhetoric from some governments belies what many security experts say is a golden age of surveillance. People lay bare their thoughts, feelings, emotions and political leanings via posts – and viewing histories – associated with social networks, and governments have granted themselves increasing leeway to monitor this data.
“So-called ‘social apps,’ none of which existed a decade ago, have provided the state with visibility into the thinking of the citizen that not even Orwell could have imagined,” says information security veteran William Hugh Murray.