Council of the EU: German Presidency seeking common position on encryption and law enforcement

Efforts are ongoing to establish a common EU position on finding ways around encrypted communications for the purpose of law enforcement. A document circulated by the German Presidency says "the weakening of encryption by any means (including backdoors) is not a desirable option." Instead, the intention is to find "legal and technical solutions" through a dialogue with technology service providers, member states, academic experts and others.


NOTE from: Presidency: Security through encryption and security despite encryption (10728/20, LIMITE, 18 September 2020, pdf):

Following a range of discussions involving the member states, the European Commission, the EU Counter-Terrorism Coordinator, companies and a host of others, the German Presidency is trying to find a way forward to deal with the thorny issue of law enforcement agencies' ability to access encrypted communications.

The document states (emphasis added):

"In view of the Presidency, focus should be placed on the following in particular:

    • Our joint objective is to effectively and efficiently combat terrorism, organised crime, cybercrime, while respecting data protection rules, fundamental rights, states’ obligations under international law, as well as IT-security. New solutions may be required with the support of service providers to achieve this objective. The increasing shift from traditional nationally located services to more online based and internationally located services should be also taken into account.
    • The required legal and technical solutions should benefit from the transparent and legitimate support of service providers and offer improvements that encompass the tactics and technical skills and tools necessary for law enforcement and judicial authorities to face the challenges of digitisation and internationalisation.
    • There is a need for a regulatory framework that safeguards the advantages of end-to-end encryption without compromising the ability of law enforcement agencies and judicial authorities to protect the general public taking into account the legal, technical and political aspects involved.
    • We need to identify solutions that set out the conditions for targeted lawful access for legitimate law enforcement purposes and must find technical solutions to safeguard that access with minimum impact on fundamental rights and data protection."

The aim is to stimulate a discussion amongst member states' representatives on these points:

"Delegations will be invited to present their views on all of the measures above, as well as the key considerations set out in the note of the Commission services note. We also wish to hear delegations' views on:

    • the need to aim for a coordinated, consistent EU position;
    • the need to acknowledge and highlight that encryption presents us with a common challenge when it comes to fighting terrorism, organised crime, child sexual abuse, etc., while at the same time we must protect and safeguard fundamental rights, privacy and the value of encryption as an important technology for the digital life of today;
    • mandating the German Presidency to initiate the preparation of an EU statement consolidating a common line on encryption at EU level in the area of internal security to support further developments and the dialogue with service providers. It should seek to find a proper balance between the protection of privacy, intellectual property protection and lawful law enforcement and judicial access, thereby stressing security through encryption as well as security despite encryption;
    • presenting the results of this process for endorsement by COSI at one of its subsequent meetings."

The 'Commission services note' referred to is: End-to-end encryption in criminal investigations and prosecution (contained in Council document 10730/20, LIMITE, 18 September 2020, pdf).

This says that the Commission has held:

"...informal discussions on end-to-end encryption with experts from law enforcement and the judiciary, academia, non-governmental organisations (NGOs), over-the-top-service providers (OTTs), telecommunication providers, and the security industry.

In those meetings, participants:

    • agreed on the importance of encryption as a tool to protect cybersecurity and fundamental rights;
    • law enforcement and prosecutors confirmed that the issues posed by encryption in criminal investigations and prosecutions will continue to increase, as encryption use becomes more widespread. They pointed out the need to have access to a range of measures, including the right tools and capabilities deployable in full respect of fundamental rights and legal safeguards, together with the necessary training;
    • OTTs confirmed the importance of setting out collaborative channels targeting more constructive communication with law enforcement that facilitates structural and technical assistance and educates law enforcement on the type of assistance companies can provide."

The Commission notes that:

"On the other hand, weakening any part of an encrypted system could lead to weakening the system as a whole with detrimental effects on fundamental rights, including the rights to privacy and protection of personal data. Encryption can indeed ensure a more effective exercise and protection of such rights (e.g. freedom of expression and opinion, data protection), and security of international data transfers."

The note concludes by setting out a number of "key considerations" to support reflection in the Council (emphasis added):

  • "Orders to access encrypted electronic communication must be targeted to specific individuals or groups of individuals in the context of the investigation of a specific crime, and be proportionate. They must be issued or be subject to prior validation by a judiciary authority. Transparent reporting procedures, as well as appropriate review and redress mechanisms are necessary.
  • Technical solutions constituting a weakening or directly or indirectly banning of encryption will not be supported.
  • Technical solutions to access encrypted information should be used only where necessary, i.e. where they are effective and where other, less intrusive measures are not available. They must be proportionate, used in a targeted and in the least intrusive way.
  • Transmission of data to law enforcement authorities should benefit from state-of-the-art security measures to comply with data protection rules.
  • Given the broad spectrum of encryption solutions that may be concurrently deployed on devices or systems to provide multiple layers of protection, in the opinion of the Commission services there should be no single prescribed technical solution to provide access to the encrypted data (principle of technological neutrality). Companies providing the encryption for their products can contribute to identifying the best solutions.
  • Industry, civil society and academia support, as well as independent expert advice such as by EU bodies mandated to provide cybersecurity and data protection expertise, is indispensable."

In relation to the Commission's note - and in particular the suggestion that companies "can contribute to identifying the best solutions" - Jesper Lund of IT-Pol commented on Twitter:

"The Commission has a clever political solution to solving the impossible problem of LEA access without mandating specific #encryption backdoors: put companies in charge of weakening the security of their own communications services!"
