The right to use strong encryption technology—like the encryption that secures your iPhone or protects your WhatsApp messages—isn’t only under political attack in the United States. Governments in the United Kingdom, Germany, France, and other European countries have recently taken steps toward undermining encryption. In particular, a range of government stakeholders have been pressing for service providers to re-engineer their encrypted products so that they always hold a key to their users’ data—often referred to as a “key escrow” scheme, or “exceptional access,” or a “backdoor”—or to simply not offer such products at all.
Although these local debates have engaged a wide range of policymakers, privacy advocates, and internet companies, they’ve been taking place largely in isolation from each other, with limited sharing of information, arguments, and advocacy tactics between those countries’ policy communities. These papers will fill in some of those gaps by mapping the legal landscape and political dynamics around encryption in various European capitals.
The United Kingdom is no stranger to policy debates over encryption. Since the early 2000s, U.K. lawmakers have debated encryption’s privacy and cybersecurity benefits, as well as the obstacles it can create for law enforcement and intelligence investigators. January 2015 saw the escalation of the encryption fight in a number of nations around the world, including the U.K. In this climate of increased attention to encrypted communications, the bill that would eventually become the Investigatory Powers Act (IPA) was introduced in Parliament in late 2015. The Investigatory Powers Bill (as it was called before it was passed into law) sought to authorize sweeping new surveillance powers while forcing internet service providers (ISPs) to retain their customers’ records for 12 months.
The IPA came into force on December 30, 2016, despite strong criticism from some of the world’s biggest tech companies, a large number of civil society organizations, and three United Nations special rapporteurs. Confusion over this law remains, primarily because it is still unclear whether, when, or how the government may use the IPA to compel providers to redesign their encrypted services to facilitate government access. Meanwhile, new domestic terrorist incidents, such as the March 2017 attack outside of the Houses of Parliament, prompted renewed statements against encryption from Home Secretary Amber Rudd, even before it was known if encryption played a role in the attacks. Theresa May, who was the IPA’s primary champion when she served as Home Secretary, is now Prime Minister, and her party’s manifesto for the recent election vowed to end safe spaces for terrorists online, which some have interpreted as referring to the use of encryption. Suffice to say, end-to-end messaging services and device encryption tools are likely to face resistance from government officials in the U.K. for the foreseeable future.
Germany has a unique relationship with encryption that stands in stark contrast with that of the U.K. and France. The country doesn’t have any existing laws that prohibit the use of encryption, compel users to disclose their keys, or require mandatory decryption of encrypted data. In fact, encryption has been strongly endorsed by the German government for many years. A recent series of joint letters to the European Commission from the German and French interior ministers calling for encryption controls through legislation may signify the beginning of a shift in national policy, following the trend we have seen in the U.S. and other parts of Europe. Or, it may simply signify a divergence of opinion on the issue between law enforcement and other parts of the German government that have long championed encryption as an important tool for data privacy and security, similar to the U.S. government’s own internal disagreements on the issue.
The legal and political landscape of surveillance in Germany, with its history of Nazi and Stasi repression, is quite unlike that of the U.S., the U.K., or France. In contemporary Germany, data privacy laws are among the strongest in the world, government surveillance is strictly regulated, and the right to privacy is especially strong. The German government explicitly encourages its citizens to use encryption, including end-to-end encryption systems in which only the sender and recipient can decrypt the message. However, at the same time that it supports the use of strong encryption, the government conducts widespread investigatory hacking to gain access to encrypted evidence and intelligence. To govern that activity, Germany has a complex legal regime that regulates the use of hacking to access data before it is encrypted—a framework that was amended just last month to sharply expand the government’s hacking authorities.
The political landscape in France is worrisomely ripe for the enactment of new laws or policies that could undermine the security of encrypted products and services in the name of national security. Since the tragic November 2015 terrorist attacks in Paris, France has been in a state of emergency that has been renewed five times in the face of continuing terror incidents. During this period, in 2015 and 2016, the French Parliament aggressively expanded the government’s surveillance and lawful hacking authorities, expanded penalties for failure to comply with an existing law allowing for compelled key disclosure in criminal investigations, and created a new mandatory key disclosure and decryption authority for use in intelligence investigations. However, French lawmakers have not (yet) passed any law that would clearly require providers of encrypted products and services to redesign their secure services to ensure government access on demand, which would effectively ban strong encryption products without “backdoors” for surveillance.
However, the French Parliament came dangerously close to passing a backdoor mandate in 2016 as it debated a range of anti-encryption proposals, including one that failed by only one vote in the National Assembly. Bills that could have mandated backdoors—supported by a David vs. Goliath narrative where France stands up to the massive Silicon Valley companies that put their profits ahead of France’s security—were headed off in part by the interventions of key leaders in the Socialist Party which controlled the government at the time. But times are changing. Now, France has a new president, Emmanuel Macron, who has taken an aggressive stance on encryption and allied himself with U.K. Prime Minister Theresa May, another hawk on the issue. Meanwhile, French law enforcement officials continue their multi-year push—including in the New York Times and at the EU level—for legislation that would ensure that they can always obtain the encrypted data they seek. Under these conditions, it seems that the encryption debate in France is just beginning—and could end abruptly in favor of backdoors in the face of another major terror attack.