The Leaked EU Paper
The draft EU paper, leaked by the Austrian news story, has the subject “Security through encryption and security despite encryption”. It is an internal document from the Council of the European Union (CoEU) to EU Council member states. The CoEU consists of government representatives from European Union (EU) member states. It is responsible for setting the political direction of the EU but is not able to draft legislation. Consequently, the leaked EU paper does not represent future EU legislation. The European Commission is the only EU body that can draft legislation. According to the Austrian news story, the EU Council of ministers are calling for platform operators “to create master keys for monitoring E2E-encrypted chats and messages.” The platforms mentioned in the news story include WhatsApp and Signal. However, a close reading of the EU paper suggests that this is not the CoEU’s intent. Nor is the EU looking at banning end-to-end encryption.
Is the Paper Really Calling for an E2EE Ban?
What the paper actually appears to be calling for is discussion. The EU is looking to find a better balance between criminal justice authorities’ need for access to encrypted data to prosecute cybercriminals, and people’s rights to privacy. According to the paper, the EU is looking to conduct “active discussions” with the technology industry in order to achieve this balance. The EU is also seeking help from governments and academia in their attempt to balance these two seemingly opposing interests. The paper goes on to state that the EU fully endorses people’s rights to a private life and private communications. It also endorses the protection of people’s personal data and supports strong encryption. “Encryption is an anchor of confidence in digitalisation and in protection of fundamental rights and should be promoted and developed,” states the paper. Nowhere in the paper does the CoEU mention banning E2EE. Nor does it mention forcing technology companies to provide a backdoor to law enforcement agencies to monitor E2EE data. The paper actually states, “there should be no single prescribed technical solution to provide access to encrypted data.”
EU Not the Only Ones Discussing Encryption
Discussions on providing law enforcement access to encrypted materials have been ongoing for some time. As have discussions around banning end-to-end encryption. In the past the EU has agreed to use EU funds in an attempt to provide a secure communication environment within the EU bloc. For example, the EU has funded research into quantum encryption to ensure cybersecurity into the future. However, the EU has also backed projects looking into how to ensure judicial and law enforcement officers have targeted access to required data. This includes access to encrypted data allegedly needed to fight terrorism and prosecute cybercriminals. Nonetheless, the EU wishes to provide this targeted access, while still respecting key EU principles regarding fundamental human rights. Conversely, in October 2020, the Five Eyes intelligence alliance urged technology manufacturers to include security backdoors in all their products. The alliance, which includes the US, UK, Canada, Australia and New Zealand, last year stated that “tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.” Similarly, in May this year the US introduced the EARN IT Act of 2020. It is also known as the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020. This Act, if passed, would allegedly allow any state to bring a lawsuit to service providers if they allow E2EE on their service and don’t provide a means for law enforcement agencies to decrypt the material. The Act, however, stops short of banning end-to-end encryption. Opponents of the EARN IT Act have stated that this would likely include the provision of a backdoor for law enforcement agencies into encryption used on sites.