The EU has fallen for the myth that it’s possible to keep us safer by weakening the very thing that protects us.
BY:
Antonio Greco
Cyber/Data Science Analyst
PROJECT COUNSEL MEDIA
25 October 2022 (Brussels, Belgium) – As cybersecurity issues continue to rule the headlines, the world’s focus is on data privacy. It has always been critical; it’s just finally becoming a more nuanced public discussion. And that conversation inevitably involves encryption. With all the misconceptions about encryption come misunderstandings about how and when to use it.
When you make a purchase online, send a text message, or email another person, the information involved — your credit card and address, photo or text, and whatever is in your email — is considered to be “in transit”. During this period, a hacker can drop in and swoop your data up for themselves more easily than trying to break into secure networks. Since grabbing data in transit is so attractive, encryption is used to scramble your data with a sophisticated mathematical algorithm to make it readable only by the authorized parties involved. Encryption does not prevent the hacking attempt, but it makes it a waste of time for the hacker by creating an unintelligible combination of your data that can be incredibly difficult and near impossible to decipher.
In simpler terms, think of the difference between invisible ink versus a decoder ring. As kids, we all learned how to use lemon juice and a little water to “encrypt” our notes or drawings with invisible ink. After using it and letting it dry, no one could see the “data.” But anyone who applied light or heat to the paper would see the data appear. It was hidden, but not encrypted.
A decoder ring on the other hand (if you’ll pardon the pun), allows a person to send coded messages that can only be read by others with the decoder ring and proper cipher. Encryption is more like using a very sophisticated decoder ring.
I do not have the space to get into the finer details but there are basically different types of encryption, primarily symmetric and asymmetric. Symmetric encryption involves a single key to encrypt and decrypt information. It’s usually faster, but with companies managing such massive amounts of data and keys nowadays, asymmetric has become more common. Asymmetric encryption involves both a public and private key. Asymmetric encryption is often used for messaging, and the decryption process only takes place after the private key gives permission to the public key. A more detailed history and explanation of this, including descriptive graphics.
The encryption debate in the European Union has continued to evolve, with new drivers, stronger tools, and increasingly higher stakes. The debate among policymakers and experts is maturing, but there is a widening knowledge gap between political elites and the public around encryption. In Europe, encryption is perceived in two conflicting ways:
1. It is a tool for privacy and security and therefore is an essential component of Europe’s open societies and markets.
2. But it is also argued to be a shroud for criminal activity and therefore an obstacle to law enforcement. Efforts to weaken or break encryption to combat crime also undermines European privacy and security.
Europe’s encryption debate was sparked in 2016 by a string of terror attacks that exposed flaws in Europe’s collective ability to counter terrorism. In the wake of these attacks, Europol and national law enforcement authorities pointed to encryption as a key threat and serious impediment to the detection, investigation, and prosecution of such criminal activity. With this, member states demanded a European policy solution to encryption, igniting the current EU-wide encryption debate.
There have been a series of provisional, non-legislative measures to study the issue and expand training and resources for law enforcement. The measures focused on data “at rest” — data stored on encrypted devices — but also included informal discussions on end-to-end encryption with experts from law enforcement and the judiciary, academia, nongovernmental organizations (NGOs), over-the-top service providers, telecommunication providers, and the security industry.
But to many it has taken a wrong turn. At a meeting held yesterday at the Open Governance Network for Europe (which tries to maintain an even hand in all of this), many participants said child sexual abuse online has fueled and conflated the EU encryption debate, further driving political support for legislation to get around encryption. With this new driver, the current EU debate is departing from previous iterations in the sophistication of its technical proposals, which go beyond previous law enforcement calls for mere “backdoors” and may set a dangerous precedent for other global debates to include technical solutions.
Markéta Gregorová is a Czech politician who was elected as a Member of the European Parliament in the 2019 election, representing the Czech Pirate Party. The party is quite intriguing. It was founded as a student-driven grassroots movement campaigning for political transparency, civil rights and direct democracy and has probably done the most in the EU to bring attention to safeguarding civil liberties from state or corporate power via government transparency. It’s sessions and events on political accountability, anti-corruption, lobbying transparency, tax avoidance prevention, etc. are quite “must attend” events for these subjects.
Gregorová addressed the encryption issue and her statement follows:
The Commission’s gross violation of privacy — endangering encryption
Markéta Gregorová
Strong end-to-end encryption is an essential part of a secure and trustworthy Internet. It protects us every time we make an online transaction, when we share medical information or when we interact with friends and family.
Strong encryption also protects children — it allows them to communicate with trusted friends and family members in confidence, and allows others to report online abuse and harassment confidentially. It keeps our personal data personal, and our private conversations private.
But now that fundamental technology is being threatened by the European Commission.
The European Union’s new regulation intending to fight child sexual abuse online will require Internet platforms — including end-to-end encrypted messaging apps like Signal and WhatsApp — to “detect, report and remove” images of child sexual abuse shared on their platforms. In order to do this, however, platforms would have to automatically scan every single message — a process known as “client-side scanning.”
But not only is this a gross violation of privacy, there’s no evidence that the technology exists to do this effectively and safely, without undermining the security provided by end-to-end encryption. And while the proposed regulation is well-intentioned, it will result in weakening encryption and making the Internet less secure.
Only two months ago, the New York Times reported that Google had flagged medical images that a man in San Francisco had taken of his son’s groin as child sexual abuse material. He had sent the images to his doctor seeking medical advice for his child, only to have his account shut down and become the subject of a police investigation.
The current regulations would create such mandatory measures for platforms, enforcing them with significant fines of up to 6 percent of an offender’s global turnover — meaning tech companies would be forced to be overzealous for fear of falling foul of the rules. This greatly increases the possibility of such false-positives being flagged, and the potential consequences could be devastating to the lives of innocent people.
The EU also relies on encryption to protect the security of its member countries and the bloc as a whole.
Immediately following Russian President Vladimir Putin’s invasion, secure messaging apps dominated the download charts, as people in Ukraine began downloading end-to-end encrypted messaging services to communicate with friends and family in private. Similarly, the European Commission itself has called on its staff to use Signal to protect their communications. And with an increasingly aggressive and unpredictable Russian government on our doorstep, weakening encryption could be catastrophic for EU security.
The European Pirate Party agrees that more needs to be done to tackle the sexual abuse of children online, but this regulation is not the answer. The EU’s proposals have already been criticized by privacy watchdogs — the European Data Protection Board and the European Data Protection Supervisor — which issued a joint statement calling for the regulations to be amended.
The bodies described the proposals as “highly intrusive and disproportionate,” arguing that by requiring platforms to weaken encryption, the regulations violate Articles 7 and 8 of the Charter of Fundamental Rights of the European Union — namely, the right to respect for private and family life, as well as the right to protection of personal data.
And these regulations are just the latest in a string of efforts by governments to weaken end-to-end encryption. We’ve already seen calls for platforms to create “backdoors” for law enforcement, which would allow them to access private communications. Now, they’re asking platforms to spy on users.
The EU has fallen for the myth that it’s possible to keep us safer by weakening the very thing that protects us. But if you create backdoors for law enforcement, you create weaknesses in the system for everyone. Criminal gangs or other malicious actors can exploit these weaknesses to access private data that could threaten national security or undermine financial institutions. They could commit fraud and access personal information that could be used to blackmail and harass innocent people around the world.
Meanwhile, it’s also impossible for platforms to weaken encryption only for users within the EU — any reduction in security would affect users of those platforms around the world. In the U.K., for example, where similar legislation has been proposed, WhatsApp has already indicated its willingness to withdraw from that market if they’re required to weaken encryption. The same could happen across Europe — we could become a digital desert, with no major platforms willing to follow the bloc’s rules, creating a new hurdle for European companies trying to compete in foreign markets.
Just a few days ago, on October 21, a coalition of civil society organizations, business leaders, security experts and Internet advocates came together to mark the second annual Global Encryption Day, standing up for encryption in places where it is under threat — from Brazil and India to the U.K. and right at home in the EU. And we must do the same.
We all want the Internet to be a safe place for everyone. But weakening encryption won’t make us safer, and it won’t protect children from abuse. It will, however, make us all more vulnerable.