The EU is often at the forefront of consumer protection when it comes to privacy laws like the GDPR. But now it looks like the Council of the European Union might undermine all of this with a move to cancel secure end-to-end encryption as we know it, the ORF (Austrian Broadcasting Corporation) reports.
The ORF obtained an internal draft in which the Council argues that the motion is meant as a countermeasure against terrorism, pointing to last week's Vienna shooting. However, it's becoming increasingly clear that the terror attack could have been prevented without further surveillance powers, had it not been for egregious mistakes in the Austrian counterterrorism office. It seems like the attack is being used as a pretext to gain public support.
According to further information in the ORF's hands, the Council is looking to ask platforms to implement the "exceptional access" surveillance method. It would force companies that use E2E encryption to create extra general decryption keys, which they would have to surrender to authorities when asked. To be blunt: this would introduce a middle man who can read the messages and thus break end-to-end encryption in services like WhatsApp, Facebook Messenger, Signal, and Telegram.
The publicly leaked document itself doesn't include these details, though. There isn't any language revolving around abolishing end-to-end encryption. However, an expert TechCrunch talked to, Lukasz Olejnik, says that there is a concerning new term in the paper: "security despite encryption." It looks like the Council "blends two meanings of security, technical and non-technical" at the same time, meaning that they could want reversible encryption systems to guarantee a state's security. That would be in line with the ORF's reporting.
New strategic approach (?): "security despite encryption", the policy term blends two meanings of security, technical and non-technical at the same time, showing that reversible encryption systems are means to guarantee security. pic.twitter.com/CcEZHVIAzZ
— Lukasz Olejnik (@lukOlejnik) November 8, 2020
It's also odd that the draft specifically speaks of "competent authorities" that could bypass encryption. Normally, drafts like these only let law enforcement agencies bypass security measures. The new wording could allow local intelligence services, the equivalents of the FBI or CIA, to get around the encryption.
However, we're only seeing a proposal right now. The European Agency usually doesn't have the power to push a law like this through on its own, so it still has to pass through the other organs of the EU. That includes the Parliament and the Commission, which have proven to be very consumer-friendly in the past.
If the EU goes ahead with breaking E2E encryption, it might not take long until other legislators copy or adapt these rules (Russia long has). It's also unclear how Facebook or Signal should act when chats involve people from other countries where surrendering such a decryption key isn't mandatory. And in any case, once backdoors exist, it's only a question of time until hackers find and exploit them.
It pretty much adds insult to injury that the European Commission is recommending that its employees use the popular end-to-end encrypted messaging service Signal as the preferred app for public instant messaging. But this also shows that there are different organizations within the EU government (Parliament, Commission, Council, and many more) with different goals and priorities.