The European Union is typically great at protecting its citizens’ privacy, but a recently proposed resolution may set a dangerous precedent for removing those protections in the future. The newly drafted resolution was presented to the Council of the European Union in November of 2020, in which they discussed how to “ensure the power of competent security and criminal justice authorities can be preserved -- while ensuring full respect for due legal process and EU rights and freedoms.”
While this all sounds good on the surface, there are some reasons to be concerned about what this resolution means for end-to-end encryption, the law and how this intersection affects the privacy of individuals in the EU.
What is End-to-End Encryption?
The EU is considering banning end-to-end encryption, which is a method used to secure data that is in transit. Even if a connection is interrupted, encrypted data is only able to be viewed by the sender and recipient, and thus unrecognizable to the person that interrupts it. Encryption is especially useful to protect user privacy, and prevent institutions and individuals from “eavesdropping” on the information that is being sent. Often that can mean telecom providers, ISPs and anyone else who might intercept a communication. End-to-end encryption is an essential part of maintaining privacy on the internet.
Why is End-to-End Encryption So Important?
End-to-end encryption is an important part of allowing users the ability to protect themselves and the data they share. Without end-to-end encryption, personal information can be read, changed, collected and in some cases even manipulated. That autonomy is what has made the internet such a revolutionary place, somewhere to connect and share data -- without having to worry that someone with bad intentions is watching you over your shoulder. The EU’s end-to-end encryption bill may put a stop to that.
What Does the EU’s End-to-End Encryption Bill Say?
In a nutshell, the non-legally binding resolution being considered in the EU gives government entities the ability to access encrypted information so that they can “fight criminal activity such as terrorism, organized crime, child sexual abuse, and other cybercrime.” While this sounds good on the surface, in actuality it’s troubling to see the EU trying to willfully erode consumer protections that have been built to safeguard internet users. It isn’t totally clear what the council wants EU lawmakers to do -- how can they only break encryption for cybercriminals while leaving it for everyone else? As we’ve said in the past, an encryption backdoor for law enforcement is also a backdoor for hackers. There are vague phrases in the language about “joining forces with the tech industry,” but how this would work in practice is still up for debate. There has been talk of “client-side scanning” which would give governments targeted - and unprecedented - access to data that is currently unavailable to them.
It seems this is a misguided approach by the EU, who has historically been very strong on privacy protection issues and went to great lengths to implement the GDPR just a few years back. While the internet should be a safe and lawful place, it’s troubling to see freedom sacrificed for the sake of what is essentially a strawman argument. While this end-to-end encryption bill isn’t legally binding, we’re always concerned about efforts to weaken security and will be sure to keep a watchful eye on how this story develops.