29 September 2021
An open letter signed by 50 organisations and individuals, including Statewatch, calls on the Belgian government to halt its plan for legislation that would introduce backdoors into encrypted communications, undermining the privacy, confidentiality and security of all users.
The proposals are contained in the 'Draft law on the collection and storage of identification, traffic and location data in the electronic communications sector and their access by the authorities', which would require operators of encrypted systems to give law enforcement the ability to access content from specific users on request.
This would oblige providers of encrypted systems to implement backdoors into their systems on request by Belgian law enforcement authorities, fatally undermining the privacy and security of all users of those systems.
As the letter makes clear:
"The consensus among cybersecurity experts is clear: there is no way to provide third party access to end-to-end encrypted communications without also creating encryption backdoors and vulnerabilities that can be exploited by anyone that finds them... Creating encryption backdoors weakens the security of the whole system and puts all its users at risk. Undermining encryption by introducing backdoors to encrypted communications would leave Belgium exposed to attacks, including its journalists, doctors, lawyers, public sector employees, and other citizens, as well as businesses and institutions, including governments."
The law is expected to pass its second reading within the Belgian government early in October, before being sent to the parliament with the intention of having it approved in December - unless it can be stopped.
Full text of the letter (originally published here)
29 September 2021
Deputy Prime Minister and Minister of Public Administration, Public Enterprises, Telecommunication and the Postal Services Mrs. Petra De Sutter
Deputy Prime Minister and Minister of Justice and the North Sea Mr. Vincent Van Quickenborne,
Minister of Defense, Mrs. Ludivine Dedonder
Dear Ministers De Sutter, Van Quickenborne, and Dedonder,
End-to-end encryption keeps Belgium safe.
Encryption protects everyday activities, like handling bank accounts online, securing confidential data like salary slips or tax information, and communicating with your friends and family. End-to-end encryption also protects vulnerable communities and professions where private communications are essential, such as for journalists, lawyers, and medical professionals.
The Belgian government is considering new legislation, the most dangerous being considered among European Union Member States, that would undermine the security and privacy provided by end-to-end encryption.
The Draft law on the collection and storage of identification, traffic and location data in the electronic communications sector and their access by the authorities,[1] or “the Data Retention Legislation,” would require operators of encrypted systems to enable law enforcement to be able to access on request content produced by specific users after a specified date in the future. That is, they would have to be able to “turn off” encryption for specific users. There is no way to simply “turn off” encryption; providers would need to create a new delivery system and send targeted users into that separate delivery system. Not only would this require significant technical changes, but it would thereby break the promises of confidentiality and privacy of end-to-end encrypted communications services.
Far from making Belgians safer, these requirements would undermine the use of end-to-end encryption in Belgium and, as the Belgian Data Protection Authority wrote in its opinion against the Data Retention Legislation, would force companies to create a “de facto backdoor.”[2] The consensus among cybersecurity experts is clear: there is no way to provide third party access to end-to-end encrypted communications without also creating encryption backdoors and vulnerabilities that can be exploited by anyone that finds them.[3] In other words, there is no way for only law enforcement to have access to backdoors, without risking bad actors from gaining access to the same. Creating encryption backdoors weakens the security of the whole system and puts all its users at risk.[4] Undermining encryption by introducing backdoors to encrypted communications would leave Belgium exposed to attacks, including its journalists, doctors, lawyers, public sector employees, and other citizens, as well as businesses and institutions, including governments.
Beyond introducing backdoors into existing end-to-end encrypted systems, the Data Retention Legislation would also discourage companies from offering new end-to-end encrypted products. As seen in other countries that have passed similar legislation,[5] the legislation will have a negative impact on trust in Belgian technology companies and damage their ability to compete in the international and European markets. Further, the legislation also threatens to have a wider impact on the European Digital Single Market, as companies in other Member States may be forced to consider these new requirements if they want to offer their products in the Belgian market.
If the Data Retention Legislation is supposed to make Belgians safer, it cannot do so by undermining the strong protections we all rely on to live our lives; end-to-end encryption should not be threatened or undermined by this legislation.
Africa Media and Information Technology Initiative (AfriMITI)
AP2SI – Associação Portuguesa para a Promoção da Segurança da Informação
Bart Preneel, Prof. dr. ir., University of Leuven
Big Brother Watch
Blacknight Internet Solutions Ltd
Centre for Democracy and Technology
Citizen D/Državljan D
Collaboration on International ICT Policy for East and Southern Africa (CIPESA)
Cybersecurity Advisors Network (CyAN)
Digital Infrastructure Association NL
European Digital Rights (EDRi)
Global Partners Digital
Instituto Beta: Internet & Democracia (Brasil)
Internet Freedom Foundation (IFF)
Internet Society Belgium Chapter
Internet Society Catalunya Chapter
Internet Society Ghana Chapter
Internet Society Netherlands Chapter
Internet Society Portugal Chapter
ISOC India Delhi Chapter
Internet Society India Hyderabad Chapter
IP.rec – Law and Technology Research Institute of Recife
Jens Finkhäuser, Interpeer Project
José Legatheaux Martins, Professor, Faculty of Sciences of NOVA University of Lisbon
Liga voor Mensenrechten
Mário Gaspar da Silva, Professor, Instituto Superior Técnico, Universidade de Lisboa, Portugal
Milton Mueller, Professor, Internet Governance Project, Georgia Institute of Technology
Open Governance Network for Europe
Privacy & Access Council of Canada
Ranking Digital Rights
Riana Pfefferkorn, Research Scholar, Stanford Internet Observatory
Suomen Internet-yhdistys – Internet Society Finland Chapter
The Electronic Privacy Information Center (EPIC)
Youth Forum for Social Justice
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.