Encryption Policy Issues in the EU
In light of increasing discussion about the public policy implications of encryption, opinions among EU Member States on how best to tackle the issue are split. Certain Member States, such as the UK, have repeatedly called for uninhibited access by national authorities to encrypted messages for national security purposes. Others recognize the legitimate security interests of users.
The EU has recognized the importance of this issue. The European Commission has therefore published a series of Communications and legislative proposals addressing encryption and access to data during criminal investigations.
The conclusions drawn from a public expert consultation launched by the Commission were presented in a Communication on October 18, 2017, which laid out a number of technical measures aimed at supporting the activities of Member States on encryption.
The technical measures proposed include the following:
- Strengthening Europol’s technical capabilities, in particular its decryption capabilities;
- Developing a “toolbox” of both legal and technical instruments aimed at obtaining information encrypted by criminals in a facilitated manner;
- Establishing a network of centers of expertise;
- Establishing an observatory for future developments;
- Providing training for law enforcement and judicial authorities, supported by EUR 500,000 from the Internal Security Fund in 2018;
- Leading structured dialogue and collaboration with industry and civil society, and with internet service providers in particular, to help develop appropriate solutions while maintaining strong encryption.
On April 17, 2018, the European Commission published a Communication on the Fourteenth progress report towards an effective and genuine Security Union and two legislative proposals: a proposal for a Regulation on European Production and Preservation Orders for electronic evidence (“e-evidence”) in criminal matters and a proposal for a Directive laying down harmonized rules on the appointment of legal representatives when gathering evidence in criminal proceedings. Both proposals intend to facilitate EU cross-border access to data by law enforcement authorities in criminal investigations.
The proposed Regulation introduces the concept of binding European Production and Preservation Orders, by which law enforcement authorities can require a service provider to either produce or preserve certain data needed for a criminal investigation when that data is stored in another EU Member State. Under the proposal, both Orders will need to be issued or validated by a judicial authority, and could be served on digital service providers, including electronic communication service providers, social networks, online marketplaces, online hosting services, or domain registries.
Four types of data are specified in the Regulation: subscriber data, which relates to the identity of the user or customer; access data, which relates to the commencement and termination of a user’s access session; transactional data, which relates to data that provides context or additional information about the service; and content data, which relates to digitally stored data, including text, voice, videos, images, and sound. Companies would have a standard deadline of ten days to provide the requested data, or six hours in emergency situations, where “there is an imminent threat to life or physical integrity of a person or to a critical infrastructure” (Article 9 of the proposed Regulation).
The Regulation comes with certain safeguards, however. European Production Orders for subscriber and access data may be issued for any criminal offence, whereas transactional or content data may only be requested for criminal offences with a maximum sentence of at least three years, or for specific offences listed in the proposal, including various cyber-dependent, cyber-enabled or terrorism-related crimes.
If passed, the Orders provided for in the Regulation would be legally enforceable, and companies would face sanctions for non-compliance.
Interestingly, the proposed Regulation mentions encryption only once: recital 19 states that “data should be provided regardless of whether it is encrypted or not.”
For further detail on the Commission’s legislative proposals, see Lauren Moxley’s Inside Privacy blog post.
The Commission has indicated on a number of occasions that it does not aim to undermine or weaken encryption. European Commission Vice-President Andrus Ansip has repeatedly stated that he is against implementing “backdoors” to encrypted systems, as they erode trust. The aforementioned Communication from October 2017 proposed technical measures that do not prohibit, limit or weaken encryption. Any technical measures that could weaken encryption were not considered (see pages 9 and 10 of that Communication). The Commission has recognized the challenge of preserving strong encryption for cybersecurity, data protection and privacy reasons, while simultaneously enabling legitimate access to encrypted data by law enforcement authorities.
Complementary Action in the Field of Decryption
In parallel, the Commission appears to be exploring alternative approaches, including investing in decryption. In its Communication published on January 24, 2018, the Commission agreed to amend Europol’s 2018 budget to include an additional EUR 5 million to enhance the agency’s capabilities to decrypt lawfully obtained encrypted data in criminal investigations.
Additionally, over the course of four years (from January 1, 2018 to December 31, 2020), the EU will contribute over EUR 4.2 million to FENTEC, a Horizon 2020 project developing “functional encryption” (“FE”) technology. FE aims to “overcome the all-or-nothing limitations of classical encryption” by making it possible to process the data and obtain a partial view of the message in plaintext, thereby attempting to strike a balance between digital privacy and cybersecurity, and public safety.
Whether this technology will meet the legislators’ objectives and service providers’ needs in the EU remains to be seen.