Why EU Encryption Policy Needs Technical and Civil Society Input

As the European Union continues to navigate the complex issue of encryption policy, it's clear that a balanced approach is needed to protect both security and fundamental rights. In this article, we'll explore why technical and civil society input are essential for developing an effective encryption policy.

Bart Preneel, Full Professor at University of Leuven, emphasizes the need for a technically informed approach to lawful access that safeguards privacy, security, and fundamental rights across the EU. "The European Commission's aim to enable lawful access to encrypted data is a challenging problem," he notes. "While 'lawful access to encrypted data based on a warrant' sounds reasonable, it's difficult to crack."

So, what are the challenges of introducing such access points? First, our complete lives are now online, making any interception yield much more data on a specific individual. Second, people share much more data, so any interception necessarily involves many citizens. Third, it's much easier to expand the geographic scope, as demonstrated by the UK's request for access to encrypted data in the cloud from Apple users inside and outside the UK. Fourth, the cost of intercepting and analyzing data has dropped substantially, making it a high-risk proposition that many more warrants will be issued. Fifth, service providers will have to respond to potentially thousands of law enforcement agencies, bringing complexity and cost.

A more technical argument can be put forward: access to encrypted data means an additional party needs to get access to the key and/or plaintext. This creates an interface that makes the system more complex and vulnerable. "This interface immediately becomes an highly-prized target for organized crime, intelligence services, and other nation states, making everyone less secure," Preneel warns.

The open letter to Commissioner Virkkunen emphasizes the need for expert involvement in the roadmap's development. The problem is that as the world becomes more digital and end-to-end encryption becomes more widespread, law enforcement can no longer use traditional methods like intercepting phone calls and chats. On the other hand, law enforcement has access to much more data than ever before, including cameras, mobile phones, service providers' metadata, and location data.

Excluding technical and civil society experts from this process could have severe consequences. Law enforcement teams may not have the resources or budgets for modern crime-fighting methods, while others may focus on solving their own crimes without fully understanding the global security and privacy picture.

The strongest safeguards are provided by the European Convention on Human Rights and the Charter of Fundamental Rights of the EU, which protect the right to respect private life, the home, and correspondence. It's essential that these high-level principles are translated into concrete technologies. The European Court of Human Rights and the European Court of Justice have already defended citizens whose rights were violated.

The EU's approach to encryption could influence global standards and practices, particularly in regions with differing views on privacy and surveillance. If the EU weakens the protection offered by encryption, other nations with weaker supervision regimes may adopt similar measures, putting vulnerable populations at risk worldwide.

EU policymakers must take steps to ensure that the Technology Roadmap on encryption aligns with both security needs and the protection of fundamental rights. This requires entering into dialogue with all stakeholders, analyzing complex problems, and considering case-by-case studies of what is technically possible and what is not.

A Balanced Approach to Encryption Policy

In conclusion, the European Union's encryption policy must balance security needs with the protection of fundamental rights. Technical and civil society input are essential for developing an effective approach that safeguards privacy, security, and individual freedoms across the EU. By working together, policymakers can create a robust and balanced policy that protects both citizens and society as a whole.