European Union seeks to ban backdoors for encrypted communications
A European Parliament committee has published a draft report proposing that the ability for citizens to protect their data with encryption should be protected, including banning any possibility of government sanctioned backdoors to encryption protocols that could be used by law enforcement officials.
The draft proposal from the Committee on Civil Liberties, Justice, and Home Affairs seeks to modernize data protection rules introduced in previous years, with privacy protection in the 2002 Regulation on Privacy and Electronic Communications not providing sufficient protections across the board. Under the proposal, the regulation will be amended to even out these protections across the board.
The 2002 regulations also doesn't cover newer services and systems, including apps using end-to-end encryption and the machine-to-machine communication systems used for the "Internet of Things," something the proposal seeks to rectify.
Stressing the confidentiality of personal electronic communications, and the long-standing fundamental right for privacy for individuals, the amendments note that the member states of the European Union are largely prevented from interfering with any encryption-related protections. Any interference "must be limited to what is strictly necessary and proportionate in a democratic society."
The proposed amendments also specifically rule out the possibility of government-mandated insertion of backdoors or weakening of such systems entirely.
"When encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited," reads one amendment. "Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services."
Some governments and their agencies have called for backdoors and weaker encryption for messaging services, including WhatsApp and iMessage, under the belief these systems protect criminal organizations and terrorists. In March, U.K. Home Secretary Amber Rudd called the use of end-to-end encryption by tech companies a "completely unacceptable situation," claiming intelligence services should have access to encrypted services to intercept secretive terrorist communications.
Despite the use of encryption in their products, tech companies have offered their assistance during major events. Earlier this month, Apple CEO Tim Cook confirmed Apple was working with the U.K. government to aid law enforcement investigations into recent terrorist attacks, though didn't go into detail about what was provided.
Due to Apple's extensive use of encryption in its products, the company would not have been able to provide conversations between terrorists or other explicit data, but Cook advised "It doesn't mean no information" is being provided. "Metadata exists and that's very important for building a profile."
Metadata is effectively all the information surrounding data, and is largely viewable regardless of whether the core data itself is encrypted or not. This information can include details about the sender and recipient, timestamps, and other logs, which can be put together to establish the identities of people involved, and possibly the intent of the encrypted message itself.
The report also suggests increased protection of metadata, with the proposed changes expected to keep existing rules in the General Data Protection Regulation (GDPR) the same or improve them. The GDPR itself was adopted by the EU in 2016, as a replacement for existing data protection directives dating back to 1995, and will be in force from May 2018.
"Communications data (both content and metadata) are extremely sensitive as they reveal sensitive aspects of the private life of individuals (sexual orientation, philosophical or political beliefs, freedom of expression and information, financial situation, health condition), therefore they deserve a high level of protection," the report states.
The most well known use of metadata is through PRISM, the US National Security Agency's data mining project that extracted data from documents, media, and other potential sources of logs to track individuals and contacts in real time.
The amendments that relate to the GDPR also cover location tracking of equipment via Bluetooth or Wi-Fi, such as through iBeacons, as well as the privacy settings of devices regarding Do Not Track mechanisms, including web browser tracking and the functionality of cookies.
Due to being a draft proposal, the suggestions provided by the committee will still need to be approved by the European Parliament itself, then put under review by the EU Council, before being used to amend directives. As such, there is a possibility for the proposals to be changed or removed before being accepted.
If the proposals pass through in their current state, it could give tech companies a clear mandate to use end-to-end encryption across the board, even in areas outside of Europe. Companies that encrypt communications would have more of an incentive to keep their apps secure and not weaken encryption in certain markets.
For the UK, such changes would make laws such as the Investigatory Powers Act difficult to enforce, such as the provision that requires communication providers to assist with targeted interception of data, including the requirement for UK firms to strip away any encryption they apply to data by request.
A previous version of the Investigatory Powers Act had elements in place that would force firms to weaken encryption or install backdoors into their products for law enforcement officials to use. This was successfully challenged by privacy advocates and tech companies, including Apple, with these elements removed from the bill before passing the House of Commons.
Once the UK leaves the EU, an event expected to take place in March 2019, the country won't be subject to the EU's rules, and could therefore put in place legislation forcing such backdoors to exist. Even so, it is unlikely for a tech company to make a hampered version of an app specifically for the UK market that would also be able to communicate with users in other markets, due to the need to keep EU traffic encrypted.
The draft proposal from the Committee on Civil Liberties, Justice, and Home Affairs seeks to modernize data protection rules introduced in previous years, with privacy protection in the 2002 Regulation on Privacy and Electronic Communications not providing sufficient protections across the board. Under the proposal, the regulation will be amended to even out these protections across the board.
The 2002 regulations also doesn't cover newer services and systems, including apps using end-to-end encryption and the machine-to-machine communication systems used for the "Internet of Things," something the proposal seeks to rectify.
Stressing the confidentiality of personal electronic communications, and the long-standing fundamental right for privacy for individuals, the amendments note that the member states of the European Union are largely prevented from interfering with any encryption-related protections. Any interference "must be limited to what is strictly necessary and proportionate in a democratic society."
The proposed amendments also specifically rule out the possibility of government-mandated insertion of backdoors or weakening of such systems entirely.
"When encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited," reads one amendment. "Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services."
Some governments and their agencies have called for backdoors and weaker encryption for messaging services, including WhatsApp and iMessage, under the belief these systems protect criminal organizations and terrorists. In March, U.K. Home Secretary Amber Rudd called the use of end-to-end encryption by tech companies a "completely unacceptable situation," claiming intelligence services should have access to encrypted services to intercept secretive terrorist communications.
Despite the use of encryption in their products, tech companies have offered their assistance during major events. Earlier this month, Apple CEO Tim Cook confirmed Apple was working with the U.K. government to aid law enforcement investigations into recent terrorist attacks, though didn't go into detail about what was provided.
Due to Apple's extensive use of encryption in its products, the company would not have been able to provide conversations between terrorists or other explicit data, but Cook advised "It doesn't mean no information" is being provided. "Metadata exists and that's very important for building a profile."
Metadata is effectively all the information surrounding data, and is largely viewable regardless of whether the core data itself is encrypted or not. This information can include details about the sender and recipient, timestamps, and other logs, which can be put together to establish the identities of people involved, and possibly the intent of the encrypted message itself.
The report also suggests increased protection of metadata, with the proposed changes expected to keep existing rules in the General Data Protection Regulation (GDPR) the same or improve them. The GDPR itself was adopted by the EU in 2016, as a replacement for existing data protection directives dating back to 1995, and will be in force from May 2018.
"Communications data (both content and metadata) are extremely sensitive as they reveal sensitive aspects of the private life of individuals (sexual orientation, philosophical or political beliefs, freedom of expression and information, financial situation, health condition), therefore they deserve a high level of protection," the report states.
The most well known use of metadata is through PRISM, the US National Security Agency's data mining project that extracted data from documents, media, and other potential sources of logs to track individuals and contacts in real time.
The amendments that relate to the GDPR also cover location tracking of equipment via Bluetooth or Wi-Fi, such as through iBeacons, as well as the privacy settings of devices regarding Do Not Track mechanisms, including web browser tracking and the functionality of cookies.
Due to being a draft proposal, the suggestions provided by the committee will still need to be approved by the European Parliament itself, then put under review by the EU Council, before being used to amend directives. As such, there is a possibility for the proposals to be changed or removed before being accepted.
If the proposals pass through in their current state, it could give tech companies a clear mandate to use end-to-end encryption across the board, even in areas outside of Europe. Companies that encrypt communications would have more of an incentive to keep their apps secure and not weaken encryption in certain markets.
For the UK, such changes would make laws such as the Investigatory Powers Act difficult to enforce, such as the provision that requires communication providers to assist with targeted interception of data, including the requirement for UK firms to strip away any encryption they apply to data by request.
A previous version of the Investigatory Powers Act had elements in place that would force firms to weaken encryption or install backdoors into their products for law enforcement officials to use. This was successfully challenged by privacy advocates and tech companies, including Apple, with these elements removed from the bill before passing the House of Commons.
Once the UK leaves the EU, an event expected to take place in March 2019, the country won't be subject to the EU's rules, and could therefore put in place legislation forcing such backdoors to exist. Even so, it is unlikely for a tech company to make a hampered version of an app specifically for the UK market that would also be able to communicate with users in other markets, due to the need to keep EU traffic encrypted.
Comments
Trying to keep encryption from terrorists is a hopeless activity since there are already strong encryption techniques in the open source. They're just a side-loaded android app away from using strong encryption for messaging even if all the official apps were neutered.
This is very true, even with computers and machine learning, the systems could never analysis communications in real time and find the one person who is hell bent on destruction and who happen to communicated his planned actions ahead of time via the systems the government happens to be listening to. People have to understand, police and government never prevents a crime, they only clean up the mess. Just look what happen in London, The UK had 23,000 people on their watch list, 3,000 were of high concerns and this guy who drove over people was in the 3,000 and People were calling the authorities on this guy because he was doing things which concern people and the government failed to act. Why, you can not arrest people for what they think, only on their actions. The government is more upset not only can they not dig into your mind and have you tell them what you did and use it against you, they do not like the fact they can not get into your digital communication and use those against you as well.
You want to see government control just read 1984.
You know what he meant. Guns in the hands of private citizens rather than the police or military. Personally, I'm strongly pro-gun rights, but let's not beat people up over every little word choice. Firearms discussions are where the conservatives get as "politically correct" as the left ever does.
Anyhow, I thought Europeans were generally ok with going in the backdoor.
Fnar Fnar.