July 31, 2017
The right to use strong encryption technology—like the encryption that secures your iPhone or protects your WhatsApp messages—isn’t only under political attack in the United States. Governments in the United Kingdom, Germany, France, and other European countries have recently taken steps toward undermining encryption. Although these local debates have engaged a wide range of policymakers, privacy advocates, and internet companies, they’ve been taking place largely in isolation from one another, with limited sharing of information, arguments, and advocacy tactics between those countries’ policy communities. That’s why OTI has begun a series of papers that will fill in some of those gaps by recounting the legal landscape and most recent political rhetoric around encryption in various European capitals. Today we are releasing the final paper in our series on the crypto debate in France. Our first paper, on the United Kingdom, is available here. Our second, on Germany, can be found here.
Of the three countries studied, France’s encryption debate is perhaps the most dynamic. In the United Kingdom, the controversy has mostly settled into a “wait and see” mode: the Investigatory Powers Act, which includes aggressive provisions for demanding companies’ technical assistance in investigations, already became law last year after extended debate—but there are still questions about whether or how those demands might be used to require tech companies to design “backdoors” into their products. In Germany, meanwhile, the government’s pro-encryption stance seems secure—despite some grumblings from the interior minister—with policymakers and investigators leaning hard into targeted investigative hacking an alternative to broad backdoor mandates. In France, however, there is widespread anti-crypto sentiment in both the legislature and the executive branch, fueled in part by a nationalist disdain for U.S. tech companies that are viewed as threatening France’s security and economy in the pursuit of profit.
France has several provisions of law allowing authorities to compel companies to hand over encryption keys in their possession or to decrypt data that they are able to decrypt. However, France does not (yet) have any law that we would characterize as a backdoor mandate—i.e., a requirement that companies design their products to maintain the capability to decrypt users’ data on demand. Meanwhile, although France’s Parliament has recently passed statutes authorizing government hacking in law enforcement and intelligence investigations, investigators and prosecutors still mostly lack the knowledge or resources to take advantage of that authority. Therefore, and unlike in the United States and Germany, France’s policy circles are not focused on targeted hacking of particular devices as an alternative to broad backdoor mandates that would weaken every device.
Instead, the French Parliament has been squarely focused on the possibility of backdoors, and came dangerously close to passing a backdoor mandate in 2016 as a range of anti-encryption proposals were debated—including one that failed by only one vote in the National Assembly. Bills that could have mandated backdoors, supported by a David vs. Goliath narrative where France stands up to the massive Silicon Valley companies that put their profits ahead of France’s security, were headed off in part by the interventions of key leaders in the Socialist Party which controlled the government at the time. But times are changing. Now, France has a new president, Emmanuel Macron, who has taken an aggressive stance on encryption and allied himself with U.K. Prime Minister Theresa May, another hawk on the issue.
Meanwhile, French law enforcement officials continue their multi-year push—including in the New York Times, and at the EU level—for legislation that would ensure that they can always obtain the encrypted data they seek. Thankfully, there are elements of the French government (such as the data protection agency CNIL, which has come out against backdoors) and stakeholders at the EU level (including the a key committee of the European Parliament that recently proposed a law that would prohibit government-mandated backdoors in the EU) that are helping to hold the line at the national and international level. Even with allies like that, it seems that those who seek to defend encryption are facing a perfect storm in France, where the encryption debate could abruptly fall in favor of backdoors in the face of another major terror attack due to a variety of factors:
A persistent terrorist threat;
A high level of nationalist disdain for U.S. tech companies, blunting the impact of any lobbying by that sector;
A modest local internet and tech industry that hasn’t picked up the lobbying slack;
A new president who has aligned himself with anti-encryption voices in the government and internationally;
A relative dearth of native civil society and computer security voices to push back on backdoor proposals;
A similar relative lack of government agencies that have spoken out against backdoors; and
A lack of investigative hacking capacity, such that it is not available as an alternative tactic to lessen the demand for backdoors.
In light of these dire conditions, the encryption debate in France likely requires the most attention of any country we’ve examined before. Therefore, and in order to avoid a French backdoor mandate that could set a dangerous example for the rest of the EU, our paper concludes by recommending:
Intense investment by philanthropic or corporate donors to help support local civil society and tech voices engage in the debate and short-circuit the David and Goliath narrative, and to provide for mutual support between civil society actors across borders;
The development of a Pan-European network of local security and tech sector experts to speak to the cybersecurity and economic costs of backdoors in a way that can’t be dismissed as Silicon Valley lobbying; and
A concerted effort to broaden France’s perspective on the range of lawful access strategies beyond backdoors that are available to French law enforcement and intelligence agencies, as they work to adapt their approach to investigations in the twenty-first century.