Belgium: 50 organisations and cybersecurity experts call on the government to halt attack on encryption

An open letter signed by 50 organisations and individuals, including Statewatch, calls on the Belgian government to halt its plan to introduce legislation that would introduce backdoors into encrypted communications, undermining the privacy, confidentiality and security of all users.


The proposals are contained in the 'Draft law on the collection and storage of identification, traffic and location data in the electronic communications sector and their access by the authorities', which would require operators of encrypted systems to grant the possibility for law enforcement to access content from specific users on request.

This would oblige providers of encrypted systemsto implement backdoors into their systems on request by Belgian law enforcement authorities, fatally undermining the privacy and security of all users of those systems.

As the letter makes clear:

"The consensus among cybersecurity experts is clear: there is no way to provide third party access to end-to-end encrypted communications without also creating encryption backdoors and vulnerabilities that can be exploited by anyone that finds them... Creating encryption backdoors weakens the security of the whole system and puts all its users at risk. Undermining encryption by introducing backdoors to encrypted communications would leave Belgium exposed to attacks, including its journalists, doctors, lawyers, public sector employees, and other citizens, as well as businesses and institutions, including governments."

The law is expected to pass its second reading within the Belgian government early in October, before being sent to the parliament with the intention of having it approved in December - unless it can be stopped.

Full-text of the letter (originally published here)

29 September 2021

Deputy Prime Minister and Minister of Public Administration, Public Enterprises, Telecommunication and the Postal Services Mrs. Petra De Sutter

Deputy Prime Minister and Minister of Justice and the North Sea Mr. Vincent Van Quickenborne,

Minister of Defense, Mrs. Ludivine Dedonder

Dear Ministers De Sutter, Van Quickenborne, and Dedonder,

End-to-end encryption keeps Belgium safe. 

Encryption protects everyday activities, like handling bank accounts online, securing confidential data like salary slips or tax information, and communicating with your friends and family. End-to-end encryption also protects vulnerable communities and professions where private communications are essential, such as for journalists, lawyers, and medical professionals. 

The Belgian government is considering new legislation, the most dangerous being considered among European Union Member States, that would undermine the security and privacy provided by end-to-end encryption.

The Draft law on the collection and storage of identification, traffic and location data in the electronic communications sector and their access by the authorities,1 or “the Data Retention Legislation,” would require operators of encrypted systems to enable law enforcement to be able to access on request content produced by specific users after a specified date in the future. That is, they would have to be able to “turn off” encryption for specific users. There is no way to simply “turn off” encryption; providers would need to create a new delivery system and send targeted users into that separate delivery system. Not only would this require significant technical changes, but it would thereby break the promises of confidentiality and privacy of end-to-end encrypted communications services.

Far from making Belgians safer, these requirements would undermine the use of end-to-end encryption in Belgium and, as the Belgian Data Protection Authority wrote in its opinion against the Data Retention Legislation, would force companies to create a “de facto backdoor.”2 The consensus among cybersecurity experts is clear: there is no way to provide third party access to end-to-end encrypted communications without also creating encryption backdoors and vulnerabilities that can be exploited by anyone that finds them.3 In other words, there is no way for only law enforcement to have access to backdoors, without risking bad actors from gaining access to the same. Creating encryption backdoors weakens the security of the whole system and puts all its users at risk.4 Undermining encryption by introducing backdoors to encrypted communications would leave Belgium exposed to attacks, including its journalists, doctors, lawyers, public sector employees, and other citizens, as well as businesses and institutions, including governments.

Beyond introducing backdoors into existing end-to-end encrypted systems, the Data Retention Legislation would also discourage companies from offering new end-to-end encrypted products. As seen in other countries that have passed similar legislation,5 the legislation will have a negative impact on trust in Belgian technology companies and damage their ability to compete in the international and European markets. Further, the legislation also threatens to have a wider impact on the European Digital Single Market, as companies in other Member States may be forced to consider these new requirements if they want to offer their products in the Belgian market. 

If the Data Retention Legislation is supposed to make Belgians safer, it cannot do so by undermining the strong protections we all rely on to live our lives; end-to-end encryption should not be threatened or undermined by this legislation.

  1. https://ibpt.be/index.php/operateurs/publication/annexe-1-dispositif
  2. https://www.autoriteprotectiondonnees.be/publications/avis-n-108-2021.pdf
  3. https://academic.oup.com/cybersecurity/article/1/1/69/2367066
  4. https://www.globalencryption.org/2020/11/breaking-encryption-myths/
  5. https://www.internetsociety.org/news/press-releases/2021/new-study-finds-australias-tola-law-poses-long-term-risks-to-australian-economy/

Signatories

Access Now

Africa Media and Information Technology Initiative (AfriMITI)

AP2SI – Associação Portuguesa para a Promoção da Segurança da Informação

Bart Preneel, Prod. dr. ir., University of Leuven

Big Brother Watch

Blacknight Internet Solutions Ltd

Centre for Democracy and Technology

Citizen D/Državljan D 

Collaboration on International ICT Policy for East and Southern Africa (CIPESA)

Cranium

Cybersecurity Advisors Network (CyAN)

Digital Infrastructure Association NL

Encryption Europe

European Digital Rights (EDRi)

Global Partners Digital

Global Voices

Homo Digitalis

Instituto Beta: Internet & Democracia (Brasil)

Internet Freedom Foundation (IFF)

Internet Society

Internet Society Belgium Chapter

Internet Society Catalunya Chapter 

Internet Society Ghana Chapter

​​Internet Society Netherlands Chapter

Internet Society Portugal Chapter

ISOC India Delhi Chapter

Internet Society India Hyderabad Chapter

IP.rec – Law and Technology Research Institute of Recife

IT-Pol Denmark

JCA-NET

Jens Finkhäuser, Interpeer Project

José Legatheaux Martins, Professor, Faculty of Sciences of NOVA University of Lisbon

Kijiji Yeetu

Liga voor Mensenrechten

Mário Gaspar da Silva, Professor, Instituto Superior Técnico, Universidade de Lisboa, Portugal

Mega Limited

Milton Mueller, Professor, Internet Governance Project, Georgia Institute of Technology

Netwerk Democratie

Open Governance Network for Europe

OpenMedia

Privacy & Access Council of Canada

Ranking Digital Rights

RESPONSUM

Riana Pfefferkorn, Research Scholar, Stanford Internet Observatory

SFLC.in

Statewatch

Suomen Internet-yhdistys – Internet Society Finland Chapter

The Electronic Privacy Information Center (EPIC)

Tresorit

Tutanota

Youth Forum for Social Justice

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error