WP29 Releases New Guidance On Encryption Standards

King & Spalding

On 11 April 2018 the EU’s authority on data protection – the Article 29 Working Party, or WP29 – released new guidance on encryption standards, providing an important indication of the EU’s approach to data protection.

The ubiquity of mobile devices – and the large amount of personal data collected and stored by them – has led many tech firms to implement powerful encryption techniques in an effort to protect user privacy. However, this approach has faced criticism from governments when it appears to be in the public interest to decrypt and read such private data.

Following the terrorist attack on Westminster in March 2017, UK Home Secretary Amber Rudd called on the technology companies behind popular messaging and social media apps to provide a so-called “back door” to the law enforcement agencies investigating the incident, describing unbreakable encryption as “completely unacceptable” and a “place for terrorists to hide.”  Rudd’s comments echoed those in the wake of the San Bernardino attack by U.S. authorities, who sought the manufacturer’s help unlocking a smartphone used by one of the attackers.  While the Home Secretary’s sentiments will resonate with many, tech firms and experts have warned that encryption platforms designed with a “master key” have critical vulnerabilities.

WP29 was faced with the difficult task of balancing these competing – and potentially divisive – public interests. Interestingly, their three main findings do not shy away from definite conclusions, setting a clear precedent for legislative and regulatory development in the EU.

Finding 1: Strong encryption is required to ensure a secure, free flow of data between citizens, businesses and governments.

The report emphasised that effective encryption is vital for maintaining public trust in online retail and banking services, as well as for other private online interactions such as filing a tax return or scheduling a doctor’s appointment.  WP29 argued that less certainty around encryption could undermine the digital infrastructure underpinning the modern economy and affect the migration of government services to the internet.

Finding 2: Backdoors and master keys deprive encryption of its utility and cannot be used in a secure manner.

WP29’s technical assessment of plans to compromise end-to-end encryption with back doors and master keys reflected the position taken by the tech industry and computer security experts. While the report noted that encryption can be used to “conceal criminal activities” and represents a major barrier for law enforcement, the very existence of such loopholes undermines the integrity of the entire encryption ecosystem. According to WP29, past experience suggests that the concept of a secure back door is unrealistic. For example, the foundational code of the “WannaCry” cryptolocker virus, which infected over 200,000 computer systems (including Britain’s National Health Service) in May 2017, was developed by the U.S. National Security Agency but stolen and exploited by criminals.

Finding 3: Law enforcement agencies already have a number of legal powers and targeted tools to investigate and prosecute criminals.

The report found that law enforcement agencies in the EU already had methods of accessing some encrypted and personal data, including International Mobile Subscriber Identity (“IMSI”) catchers (which can tap mobile phone calls), keystroke recorders (which can access data before or after encryption), and legal powers to compel suspects to surrender encryption keys.  WP29 came to the conclusion that, while less effective than master keys and back doors, these strategies were more proportionate and posed less of a threat to personal data and internet infrastructure.

Conclusions and recommendations

Overall, the WP29 report presents a strong defence of the status quo, concluding that the continuing use of end-to-end encryption “contributes in an irreplaceable way to our privacy and to the secure and safe functioning of our societies.” As policymakers shape the law of encryption in the EU, they will need to balance a growing body of expert evidence against political pressure to bypass encryption and bring criminals and terrorists to justice.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
