France Pushes for Law Enforcement Access to Signal, WhatsApp and Encrypted Email

France Pushes for Law Enforcement Access to Signal, WhatsApp and Encrypted Email

France is proposing a law that would require encrypted messaging applications, including Signal and WhatsApp, and encrypted email services such as Proton Mail to provide law enforcement with decrypted data on request. The proposed law aims to give French law enforcement stronger powers to combat drug trafficking, but it has raised concerns among tech companies and civil society groups that it will lead to the creation of "backdoors" in encrypted services that will be exploited by cyber criminals and hostile nation-states.

The law, which is currently being debated in the National Assembly, would require tech companies to hand over decrypted chat messages of suspected criminals within 72 hours. The fine for non-compliance ranges from €1.5m for individuals to up to 2% of their annual global turnover for legal entities.

Matthias Pfau, CEO of Tuta Mail, a German encrypted mail provider, said it was not possible to introduce backdoors into encrypted services without fundamentally weakening their security. "A backdoor for the good guys only is a dangerous illusion," he said. "Weakening encryption for law enforcement inevitably creates vulnerabilities that can – and will – be exploited by cyber criminals and hostile foreign actors."

Matthew Hodgeson, CEO of Element, a secure communications platform used by governments, said the proposal was a threat to digital security requirements. "End-to-end encryption is designed so that companies themselves do not have access to messages," he added. "Introducing access (a backdoor) would weaken the level of protection of all communications and this is not provided for anywhere in the world."

The European Data Protection Supervisor has stated that any new measure restricting encryption must pass the test of necessity and proportionality, based on substantiated evidence.

Civil society groups, cryptography experts, and the French Cyber Security Agency ANSSI have been warning for years that accessing encrypted communications is not only technically impossible but contravenes digital security requirements. "End-to-end encryption is designed so that companies themselves do not have access to messages," it said. "Introducing access (a backdoor) would weaken the level of protection of all communications and this is not provided for anywhere in the world."

The Observatory of Liberties and Digital Technology (OLN), a coalition representing the French lawyers' union, the magistrates' union and human rights groups, has also called for Parliamentarians to reject the bill. It has raised concerns that the bill prevents information about surveillance operations from being disclosed to defendants, making it impossible for them to challenge.

The proposal would allow access to encrypted messages and email data only if specific authorisation is given by the Intelligence Techniques Control Commission (CNCTR). To ensure compliance with these cooperation requirements, it is proposed to strengthen the criminal sanctions applicable to individuals and legal entities who refuse to fulfill their obligations: a fine of €1.5m for individuals who habitually commit these offences and a fine of up to 2% of annual global turnover excluding tax for legal entities in the same situation.