Weakening of end-to-end encryption would jeopardize cybersecurity in Europe
The Commission, supported by a significant number of Member States, is proposing to weaken end-to-end encryption (E2EE) in electronic communications services to enable authorities to scan private communications. If accepted, the proposal would create an unprecedented surveillance apparatus that violates fundamental rights. The idea is connected to the objective of better preventing and combating Child Sexual Abuse (CSA), which every sensible person obviously supports. The European Commission presented a proposal in May 2022 on new rules to combat such horrendous acts. However, the proposed way to achieve this important objective would be deeply problematic.
End-to-end encryption is the strongest existing encryption practice. It is embedded in many of the communication applications and services, including business applications, that we use in our daily lives, making it a backbone of online privacy for regular people. End-to-end encrypted applications protect their users’ data by encrypting it with the user’s own encryption keys and by sending only an encrypted version of the data to the servers. Because of this, not even service administrators can access the encrypted user information.
End-to-end encryption stands as the foundation of modern digital infrastructure and communications. Maintaining a high level of end-to-end encryption is essential for ensuring some of our most fundamental rights, including the right to (immaterial) property, respect for private or family life and freedom of speech. An inclusive and sustainable digital economy is built on an adequate level of data protection, as well as cybersecurity that prevents crime and protects our global value and supply chains from illegitimate influence, espionage, illicit knowledge leakage, and sabotage. It is simply not possible to weaken end-to-end encryption without compromising on cybersecurity and data protection. This is because weakened encryption means that a solution cannot withstand malicious attempts to decrypt it, including the misuse of decryption keys that were originally shared for appropriate purposes.
The European Union has an ambitious agenda to build a better digital life for Europeans, with an increased level of cybersecurity as one of its cornerstones. Landmark regulatory initiatives, such as NIS2 and the Cyber Resilience Act, are set to strengthen the security of our digital infrastructure and connected devices as well as the services we use every day, while European funding enables the development and deployment of new technologies to protect us. Unfortunately, the legislative proposal co-regulators are currently processing might undermine these valiant efforts and jeopardize cybersecurity in Europe.
Encryption also plays a crucial role in providing the private and secure communications that users, including children, demand and expect to keep them safe online. Even well-intentioned efforts to provide a lawful intercept solution in end-to-end encryption will undermine critical security benefits by making all users of such services more vulnerable to malicious attacks. Creating a backdoor to electronic communications services for authorities would unavoidably mean that the same backdoors could be used for other government purposes, which would significantly undermine digital trust, and that they would be available to criminals as well. Criminals would most certainly try to find them. The ones with the most to lose from the weakening of end-to-end encryption are ordinary Europeans and businesses, whose privacy would be invaded and who would lose access to secure communications services. Criminals and other malicious actors, however, would most likely find other ways to communicate in secret.
Legal and constitutional concerns regarding the proposal have been raised in many contexts. According to media sources, the state of Finland clearly stated in its (leaked) position that the draft Regulation does not fulfil the requirements of strict necessity and proportionality for limitations on the relevant fundamental rights (EU Charter), as prescribed in the case law of the European Court of Justice. The Council legal service has also pointed out the same issues.
It is essential that most of the Member States reconsider their positions in light of the vital concerns regarding Europeans’ fundamental rights and maintaining digital security. Strong encryption is an essential element in providing and maintaining trust in digital services and systems. While developing a policy to fight CSA material, policymakers should not push for any weakening of E2EE, but should instead focus on how to keep children safe effectively and to preserve other fundamental rights. A clear position should be included in the final Regulation not to require any weakening of end-to-end encryption technology.
There are a dozen other effective ways for platforms to better protect children against sexual abuse, such as using age-appropriate design and default settings that minimize data collection for their users, support safe interaction on the platforms, and protect against harmful content and interactions, sexual abuse, and manipulation. Furthermore, the European Union and the United States have proposed high-level principles on the protection and empowerment of children and youth in the digital environment, in which both parties call for governments to respect their international law obligations, including international human rights obligations, in their actions and policies regarding the online environment, including legal obligations related to privacy.
For further information:
CEO Peter Sund, Finnish Information Security Cluster (FISC), firstname.lastname@example.org, +358 50 565 0621