EU Encryption, Decryption Plans Leave Privacy Stakeholders Wary
Privacy advocates are monitoring European Commission plans for dealing with encryption in the fight against terrorism. The EC anti-terrorism package, announced Oct. 18, includes measures to support law enforcement and judicial authorities when they encounter encrypted information. Among them are a proposal, due next year, to make it easier to access electronic evidence across borders, and technical tools to support EU governments. The Security Union progress report stressed encryption won't be barred, limited or weakened. Digital rights and privacy experts and tech companies said they will be watching.
Encryption is essential for cybersecurity and personal data protection, the report said. Law enforcement and judicial bodies are increasingly running into challenges posed by criminals' use of encryption, which affects the ability to obtain the information needed as evidence in investigations and prosecutions, it said. After talks with stakeholders, the EC concluded there must be laws to ease access to encrypted evidence and technical measures to boost decryption capabilities. The EC said it will support Europol in further developing decryption capabilities, and ensure national authorities have alternative investigation techniques for obtaining needed encrypted information. It urged more dialogue among authorities, service providers and other businesses.
The EC approach "aligns with how the European Union sees the difference between, on the one hand, the protection of personal data in general, and, on the other hand, the specific protection of personal data by law enforcement and judicial authorities," said Crowell & Moring (Brussels) privacy attorney Maarten Stassen. Personal data protection will be regulated as of May 25 by the general data protection regulation, while personal data in the law enforcement context will fall under a directive that EU countries will have to adopt into national law by May 6, he said.
The EU vision is that "protection techniques such as encryption should be promoted" to protect privacy but that privacy can never be so absolute that it would bar law enforcement and courts from fighting serious crime, Stassen said. These parties could use decryption if their activities are in line with EU data protection principles such as necessity and proportionality, he said. Independent national data protection authorities will supervise such activities and there will be judicial remedies, he said. The EU "is certainly aware that not only European citizens are watching to ensure that their fundamental rights are duly protected, but also that many stakeholders outside of the European Union might be eager to keep an eye on it too," Stassen said.
The EC position "is very ... coded," said European Digital Rights Executive Director Joe McNamee. Apart from explicitly ruling out weakening encryption, which EDRi welcomed, the "continuum of possible measures being contemplated under these headlines is very long -- ranging from the simplest to the most complex and dangerous methods/workarounds," he said. McNamee faulted the EC for confusing initiatives and policy areas on terrorism and cross-border access to data in a way that "is not conducive to targeted effective policy decisions."
The EC feels the need to "do something," said Ross Anderson, security engineering professor at the University of Cambridge Computer Lab. Thankfully, he said, it seems to be wringing its "hands ineffectually rather than actually trying to grab everyone's crypto keys." The European Court of Justice ruled unequivocally that bulk collection of traffic data without warrant or suspicion is unlawful, he noted. "Perhaps there will be a directive or regulation that tries to nibble around the edges."
"We trust the EU will remain mindful of the widespread support for encryption" expressed by European commissioners, the European Network and Information Security Agency, data protection authorities, industry and civil society, said Computer & Communications Industry Association Europe Vice President Christian Borggreen. CCIA will monitor how the EC intends to support both encryption and decryption, he added.