German and French interior ministers demand EU discussion on undermining encryption


The latest step in government efforts to give the authorities access to encrypted messages comes in the form of a letter from the German and French interior ministers to EU officials that calls for "solutions that allow for effective investigation into encoded [encrypted] data linked to potential terrorist attacks or organised crime." The letter demands that the issue be put on the agenda of the forthcoming Justice and Home Affairs Council meeting, to be held in Brussels next Friday (18 November).

 

See: German-French letter concerning cooperation between law enforcement agencies and electronic communication service providers (14001/16, 7 November 2016, pdf)

The letter, from Thomas de Maizière and Bernard Cazeneuve and addressed to the Commission Vice-President and Commissioners for Home Affairs, for the Security Union, for the Digital Economy and Society and for the Digital Single Market (amongst others), notes that numerous different communications applications:

"pose practical and legal difficulties for investigators and judicial authorities alike in that they allow for the free exchange of fully encoded messages... Today, competent authorities can face insurmountable obstacles when they request the technical assistance of service providers in analysing the data of messages sent by suspects."

Thus, "solutions that allow for effective investigation into encoded [encrypted] data linked to potential terrorist attacks or organised crime are vital". At the same time:

"it is just as indispensable to protect an individual's right to digital freedom by ensuring the availability of highly secure encrypted systems and by respecting the principles of proportionality and necessity that are inherent to our fundamental rights and the notion of law-abiding states."

Quite how this should be done is not made clear by de Maizière and Cazeneuve. The website Techcrunch (link) is one of many publications that have pointed out:

"The argument that national security is enhanced by perforating secure encryption has been roundly and consistently condemned by the security industry. You don’t enhance the public’s security by making everyone’s information more easily accessible to hackers and other bad actors. Period."

While the letter sets out four objectives for the EU and its Member States regarding access to communications data, it does not specifically mention encryption at any point beyond the introductory paragraphs.

However, given encrypted communications are clearly the major concern of the two ministers, as they have previously declared(link), it would not be surprising if "reinforcing the legal obligation of electronic communication service providers to cooperate with the competent authorities of the Member States" in criminal investigations actually means they want to legislate for "backdoor" access to companies' systems.

As security experty Bruce Schneier pointed out following a call from FBI Director James Comey (link) for backdoors:

"I'm not sure why he believes he can have a technological means of access that somehow only works for people of the correct morality with the proper legal documents, but he seems to believe that's possible... there's no technical difference between Comey's 'front door' and a 'back door.'"

Discussions between the French and German governments and other EU Member States are not likely to be straightforward. In January (link), the Dutch government:

"released a statement in which it says that 'it is currently not desirable to take restricting legal measures concerning the development, availability and use of encryption within the Netherlands.' It also notes that forcing companies to add backdoors to their products and services would have 'undesirable consequences for the security of communicated and stored information,' since 'digital systems can become vulnerable to criminals, terrorists and foreign intelligence services.'"

The objectives outlined in the letter by de Maizière and Cazeneuve are as follows.

1. Being able to rely more on the responsibility of electronic communication service providers, particularly those that are not based within the Union

The letter identifies a need to "apprehend these operators, notably those that are not governed by a stable administration within the European Union," in order to access data held by them in a swifter and simpler manner:

"The establishment of genuine links between legal authorities and service providers must become the norm. Given the stakes involved, each service provider must have a point of contact who is able to directly respond to legal requisitions from the competent authorities of Member States."

2. Reinforcing the legal obligation of electronic communication service providers to cooperate with the competent authorities of Member States when it comes to criminal investigations

As the letter puts it:

"All too often, Member State authorities are faced with a refusal by service providers to provide information on legal grounds that we must be able to override.

Electronic communication service providers must be able to contribute more to the successful outcome of investigations by being authorised to provide data linked to users or connections; in addition, data for European customers must be stored in a jurisdiction where direct cooperation with competent authorities of Member States is authorized."

3. Ensuring greater speed and reactivity In the processing of requisitions by judicial authorities in order to obtain information from electronic communication service providers

Or: swift judicial procedures to ease the authorities' access to data held by companies, whether in the EU or overseas.

4. Improving the extraction of content that may be linked to terrorism

The letter says:

"Cooperation between law enforcement agencies and electronic communication services providers must also allow for the immediate and permanent removal of public messages promoting terrorism. Where this is not possible, recourse to the EU-IRU [Internet Referral Unit] of Europol could be recommended in addition to national measures."

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error