A press report emerged over the weekend claiming European lawmakers who are worried about terrorism are speeding towards a ban on end-to-end encryption. Spoiler: It's a little more nuanced than that. Read on for our break down of what's actually going on...
Is Europe about to ban E2E Encryption?
A report in the Austrian press yesterday appeared to suggest a ban incoming on end-to-end encryption which the headline linked to a recent terror attack in the country. In fact there have been discussions ongoing between Member States on the topic of encryption -- and whether/how to regulate it -- for several years now.
The report is based on a draft resolution of the Council of the European Union (CoEU), dated November 6. Per the draft document a final text, which could incorporate further amendments, is due to be presented to the Council on November 19 for adoption.
The CoEU decision-making body is comprised of representatives of Member States' governments. It's responsible for setting the political direction for the bloc however it's the European Commission which is responsible for drafting legislation. So this is not in any way 'draft EU legislation'.
One Commission insider we spoke to who's involved in cyber security strategy couched the resolution as a "political gesture" -- and most likely an empty one.
What does the CoEU draft resolution actually say?
It starts by asserting the EU's full support for "the development, implementation and use of strong encryption" -- which would be a very odd position to hold if you also intended to ban E2EE.
Then it discusses "challenges" to public security that flow from criminals having easy access to the same technologies that are used to protect vital civic infrastructure -- suggesting criminals can use E2EE to make "lawful" access to their communications "extremely challenging" or "practically impossible".
This is of course a very familiar discussion in security circles -- regularly fuelled by the 'Five Eyes' nations' push for greater surveillance powers -- and one which recurs repeatedly in relation to the technology industry owing to developments in communications tech. But note the CoEU does not say access to encrypted data is actually impossible.
Instead the resolution moves on to call for discussion of how to ensure the powers of competent security and criminal justice authorities can be preserved -- while ensuring full respect for due legal process and EU rights and freedoms such as (notably the right to respect for private life and communications; and the right to the protection of personal data).
The document suggests a "better" balance should be created between these competing interests. "The principle of security through encryption and security despite encryption must be upheld in its entirety," is how it's phrased.
The specific call is for "governments, industry, research and academia... to work together to strategically create this balance".
Does the draft resolution call for encryption to be backdoored?
Indeed, the Council of Ministers specifically writes [emphasis ours]: "Competent authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity. Technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality."
So the push here -- beyond the overarching political push to be seen to be doing something 'pro-security' -- is for ways to improve targeted access to data but also that such targeting respect key EU principles that link to fundamental rights (like privacy of communications).
That doesn't sum to an E2EE ban or backdoor.
But what does the resolution say about the legal framework?
The Council of Ministers want the Commission to carry out a review of relevant existing regulations with relevance to ensure it's all pulling in the same direction and therefore contributing to law enforcement being able to operate as efficiently as possible.
There is a mention of "potential technical solutions" at this point -- but again the emphasis is on any such law enforcement aids supporting the use of their investigatory powers within domestic frameworks that comply with EU law -- and a further emphasis on "upholding fundamental rights and preserving the advantages of encryption". Security of information is a vital advantage of encryption previously discussed in the document so it's essentially calling for preserving security without literally spelling that out.
This portion of the draft document has several strike-throughs so looks most likely to be subject to wording changes. But for a signal of the direction of travel one bit of rewording emphasises the need for transparency should there be joint working with comms services providers on developing any "solutions". (And a backdoor that everyone is told about obviously wouldn't be a backdoor.)
Another suggestion in the draft calls for upskilling relevant authorities to boost their technical and operational expertise -- aka more cyber training for police.
In a final section, joint working to improve relevant co-ordination and expertise across the EU is again highlighted by the CoEU as key to bolstering authorities' investigative capabilities.
There is also talk of developing "innovative approaches in view of new technologies" -- but the conclusion makes a point of stating clearly: "there should be no single prescribed technical solution to provide access to encrypted data". Aka no golden key/universal backdoor.
So there's nothing to be worried about then?
Well, the Commission may feel some pressure over the issue as it works on its new cyber strategy so it could get some political push on specific policy ideas -- although we're unlikely to see anything much on this front before next year. The CoEU isn't setting out any policy ideas yet. At most it's asking for help formulating some.
TechCrunch spoke to Dr Lukasz Olejnik, an independent cybersecurity researcher and consultant based in Europe, to get his thoughts on the draft resolution. He agreed there's no broadside against E2EE in the draft, nor any near-term prospect of legislation flowing from it. Indeed, he suggested the CoEU appears not to know what to do -- hence looking to outside experts in academic and industry for help.
"First, there is no talk of backdoors. The message sets things clearly with respect to encryption being important for cybersecurity and privacy," he told us. "As for the topic of this document, it is a long-term process in the exploratory phase now. Problems and ideas are identified. Nothing will happen immediately.
"It's not getting even near to banning E2EE. It appears they do not know what to do exactly. So among the ideas is to perhaps set up a 'high level expert group' -- the document speaks about engaging 'academia'. This process is sometimes initiated by the Commission to identify 'recommendations' which may or may not be used in the policy process. It would then revolve around who would get to be admitted to such a group, and this varies a lot.
"For example the AI group was seen as quite reasonable, while the other dedicated one on disinformation was in fact geared towards the EU media figures rather than researchers or concrete expertise. We do not know where all this will lead."
Olejnik expressed doubt that the Council could drive legislation on its own in this case, given the complexity involved. "It's too premature to speak of any legislation," he said. "Legislative process in the EU can be quite complex to understand but the EU Council would be unable to pull such a complex thing on their own."
But he did highlight the CoEU's coining of the phrase 'security despite encryption' as a noteworthy development -- suggesting it's unclear where this novel framing might lead in policy terms. So, as ever, the security debate around encryption demands a close eye.
"What I find of particular importance is coining the term 'security despite encryption'. It is both unfortunate and ingenious. But the problem with this technology policy term is that it may consciously blend policy understanding of (physical?) security with technology security, as guaranteed today by encryption. This puts the two in direct opposition," he said, adding: "Where the fallout would lead is anyone's guess. I believe this process is far from over."
But couldn't there be a push to introduce some kind of 'lawful intercept mechanism' across the EU?
There would be huge challenges to such a step given all the EU legal principles and rights that any mechanism would need to respect.
The CoEU's draft resolution reiterates this multiple times -- highlighting the need for security activity to respect fundamental rights like privacy of communications and principles of legality, transparency, necessity and proportionality, for example.
Domestic surveillance laws in several EU Member States have also recently been found falling short in this regard by Europe's highest court -- so there would be a clear path to challenging any security overreach in the courts.
That means that even if some kind of intercept mechanism could be pushed through an EU legislative process, via enough political will to drive it, there's no doubt it would face fierce legal challenge and the prospect of being unpicked by the courts.
Asked for a view on the notion put forward in the draft resolution -- of seeking a "better" balance between security and privacy -- and whether it might be a push towards something like the 'ghost protocol' advocated by GCHQ in recent years as an "exceptional access mechanism" (but which critics argue would both undermine user trust and introduce a blanket security risk that's all but equivalent to a backdoor) -- Olejnik told us: "Undermining encryption is a tricky territory because modern technology goes in a direction of more security, not less. In modern security ecosystems it would be hard to imagine a lawful intercept functionality known from the telecommunication infrastructure. For private business it's also a question of trust. Can the individual users freely move their social interactions online even further? It's a question measured in billions of dollars."
What does the Commission say?
The Commission declined to comment on the CoEU draft resolution -- but a spokesperson sent us some general comments on encryption, describing the technology as "an important tool to enhance cyber security and for the protection of fundamental rights, such as privacy, including the confidentiality of communications, and personal data".
The executive body also noted the concern being raised by the Council, writing: "At the same time, it can also be used by perpetrators seeking a secure channel to hide their actions from law enforcement and the judiciary, making it difficult to investigate, detect and prosecute criminal offences."
"Member States have on a number of occasions, in different forums in the Council, discussed the challenges linked to the use of encryption for criminal purposes. They have called for solutions that allow law enforcement and other competent authorities to gain lawful access to digital evidence, without prohibiting or weakening encryption directly or indirectly, and in full respect of privacy and fair trial guarantees consistent with applicable law," it also said.
The executive body added that following its Security Union Strategy, presented in July -- which talks about working to "further strengthen cooperation and information exchange, with all the necessary safeguards" as a strategy for fighting crime in the digital age -- it will "explore and support balanced technical, operational and legal solutions, and promote an approach which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to serious crime and terrorism".
This report was updated with comment from the Commission once we'd received it