No, the EU is not banning encryption. But should they?

Samuel Vandak
Nov 22, 2020

On the 6th of November 2020, the Council of the European Union published a resolution on encryption. The leaked document, which follows the terrorist attacks in Vienna and Nice, sparked a lot of debate about online security. Should we be worried about our online privacy, or should we embrace such steps in order to prevent future terrorist attacks?

The document

The document was leaked by the Austrian press outlet ORF. Due to the unfortunate events of 2nd November, a report linking the ban of end-to-end encryption and the terrorist attack caused a sensation. The document itself, however, says otherwise. In the full report, the Council recognizes the importance of encryption, yet it calls for a better balance so that criminal justice authorities can access encrypted information. The proposal is not particularly clear about how to achieve that, highlighting only that the competent authorities should do so in a “lawful and targeted manner” whilst respecting individuals’ rights, notably the protection of personal data.

In light of recent terrorist attacks in Nice and Vienna, France and Germany are pushing for tighter EU borders [1]

Instead of banning end-to-end encryption and allowing governments to issue backdoors in the apps, the resolution proposes a wider discussion regarding tools that can be used to serve criminal justice and remove criminals’ anonymity on the internet. The document calls for discussion with the industry as well as with research and academic representatives.

What is E2EE and why is it important?

End-to-end encryption (E2EE) is a method of encryption that allows safe data transmission between two endpoints. After sending a WhatsApp message to your friend, you are guaranteed that only you and the receiver are able to decrypt and read the message. This is possible because of a public/private key encryption method, which uses complex mathematical functions to encrypt and decrypt messages. E2EE is special in that not even the internet service provider or the application service provider can read the data. Neither Instagram nor Facebook Messenger uses this type of encryption, meaning that while the data is encrypted against potential hackers when being sent across the internet, your internet service provider or Facebook itself is able to access the messages.

The most well-known end-to-end encrypted messaging apps include WhatsApp, Viber, and Threema. Such apps can therefore be exploited by criminals for unlawful activities.
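The difference described above between end-to-end and transport-only encryption can be modelled in a few lines. This is an added example, not part of the original article and not any messenger's real protocol; the Diffie-Hellman group, the HMAC-based cipher and all function names are stand-ins assumed for illustration, built only from Python's standard library.

```python
import hashlib, hmac, secrets

# Demonstration parameters only (assumption): real messengers use vetted
# elliptic-curve key agreement and AEAD ciphers, not this stdlib stand-in.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)              # (private, public)

def shared_key(my_priv, their_pub):
    # Diffie-Hellman: own private key + peer's public key -> same key on both sides.
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def transport_only(msg):
    """Sender encrypts to the provider, which decrypts before relaying."""
    (a_priv, a_pub), (s_priv, s_pub) = keypair(), keypair()
    blob = seal(shared_key(a_priv, s_pub), msg)
    return unseal(shared_key(s_priv, a_pub), blob)   # what the provider reads

def end_to_end(msg):
    """Sender encrypts to the recipient; the provider only relays bytes."""
    (a_priv, a_pub), (b_priv, b_pub), (s_priv, _) = keypair(), keypair(), keypair()
    blob = seal(shared_key(a_priv, b_pub), msg)      # what the provider sees
    try:
        provider_read = unseal(shared_key(s_priv, a_pub), blob)
    except ValueError:
        provider_read = None                         # provider cannot decrypt
    return blob, provider_read, unseal(shared_key(b_priv, a_pub), blob)
```

In the transport-only model the provider holds a key for each hop and therefore sees the plaintext; in the end-to-end model it holds only public keys and ciphertext, so its decryption attempt fails the integrity check.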

Snowden 2.0

Edward Snowden (37), regarded by some as a national hero and by others as a traitor, was an NSA operative who became famous after the 2013 whistleblowing scandal. That year he leaked highly confidential documents from the NSA, describing how the American agency used a variety of surveillance programs to target potential national security threats. The most prominent one was PRISM, which included the collection of data directly from providers (Microsoft, Google, Facebook, Apple, and others).

Timeline of companies participating in the PRISM Collection Program [2]

The documents furthermore revealed that the NSA was collecting data from the Upstream channel, that is, straight from the fiber-optic network, and that the data was actively shared between the Five Eyes members (the USA, the UK, Australia, New Zealand, and Canada) as well as with the NATO members on a smaller scale.

What data was PRISM collecting? [3]

In order to avoid the abuse of power, the United States Foreign Intelligence Surveillance Court (FISC), which was established in 1978, was in charge of overseeing the requests for surveillance warrants. As the leaked documents suggest, in 2012, 1856 applications were filed to FISC. Out of those, 1789 applications included a request for authority to conduct electronic surveillance. The FISC did not deny any applications in whole or in part. This may raise concerns about whether the FISC adhered to the rule of law and supervised the legality of applications, or whether it was just a legal tool without any power. Due to its non-transparent and totalitarian nature, such a drastic solution should not be requested from the EU Council.

Final thoughts

The document attracted an inappropriate amount of attention, or even panic. One of the reasons might be that the media distributed this information in a sensational way with statements such as “EU closer to banning encryption”. This is simply not true, as the evidence shows that the EU Council wants to initiate a discussion regarding this matter.

The discussion is another privacy vs security dilemma. After presenting the case of the NSA, we can deduce that state surveillance is not optimal for solid security, and may only undermine the trust in privacy and government. We must learn the lesson from our NATO allies and find a more effective approach, especially in consideration of the recent attacks and religious radicalization. Ultimately, this may bring the EU countries closer together and finally lead to the formation of an EU army.

[4]

Image sources:

[1] https://uk.reuters.com/article/us-europe-security-merkel/germanys-merkel-urges-european-border-reform-after-terrorist-attacks-idUSKBN27Q2F7

[2] By National Security Agency — original image | source, Public Domain, https://commons.wikimedia.org/w/index.php?curid=26530973

[3] By National Security Agency — original image | source, Public Domain, https://commons.wikimedia.org/w/index.php?curid=26526602

[4] by harakir from pixabay: https://pixabay.com/illustrations/europe-united-europe-flag-united-2021308/

Samuel Vandak

Computer Science student at University College London. I am interested in fintech, geopolitics and emerging markets in the Middle East and Asia.