Julia Milis // 8 December 2020

In light of the recent terrorist attacks in mainland Europe, the Council of the European Union has released a draft resolution to reconsider encryption legislation. The title of the resolution, “security through encryption and security despite encryption” illustrates the perceived trade-off between data privacy and improvements in terrorism prosecution. The document outlines law enforcement’s need for improved access to sensitive data protected under End-to-End encryption (E2EE) to effectively fight terrorism. As E2EE is nowadays the standard in messaging platforms, being granted speedy access to app content during criminal investigations is rare. Thus, having a special “backdoor” access to encrypted conversations could help law enforcement to prevent criminal activities. Despite the importance of tackling terrorism, this proposal cannot legitimately be considered due to multiple rule of law issues arising from its vague language and the failure to consider human rights misconducts.

Like many EU draft documents, the resolution on encryption is imprecise, vague and open to multiple interpretations. The problem here, however, is greater than usual. Having open-ended wording in a document about citizens’ rights may cause the solution’s applications to be further-reaching than anticipated. Linguistic issues include the specification that backdoor access would be “targeted”, or the channel will only be used by named authorities and for specified purposes (such as seeking information on terrorists’ communications). However, this statement entails a profound misunderstanding of E2EE technology. Once this backdoor has been built into messaging platforms, it is impossible to guarantee which content is being acquired. Moreover, having a backdoor implies that there will always be a way for malicious hackers to infiltrate communications. “Targeted access” is nothing more than a meaningless assurance that users’ data will not be misused. Another major source of vagueness is the introduction of the term “competent authorities” to refer to intelligence offices, police and other law enforcement entities, whereas previous encryption-related documents used the term “law enforcement”. The question, however, remains who decides which bodies constitute competent authorities and whether this can change over time. Either way, this wording leaves room for substantial offenses to data privacy rights.

Unfortunately, even if the linguistic challenges of the resolution have been tackled there is another potential source of infringement on the rule of law. Anyone protective of their constitutionally secured rights recognizes that special access to communications could be used and abused. There is a significant risk of state surveillance and the breach of basic rights. Additional worry emerges from the consequences for the legitimacy of EU elections. How can we guarantee that private conversations will not be used to produce a certain electoral outcome? The EU has a responsibility to be an exemplar for upholding democratic values. Once there is a system which can view citizens’ private conversations, this could lead to very troubling ideas in authoritarian regimes. Even if backdoor access will not be exploited in the EU, its possibility gives rise to freedom of speech concerns in less liberal countries.

Considering the substantial issues with the proposal at hand solutions with a lower social cost are more desirable. These include improving the cooperation between the private and public sector. Through mutual support, law enforcement could receive the required data faster as well as benefit from companies’ technological know-how. Furthermore, advancing communication between EU member states’ judicial bodies is another helpful avenue to pursue. By reducing discrepancies in national legislation and simplifying procedures for legal assistance to other member states, European law enforcement could share best practices. Both solutions speed up the process of governments being granted access to sensitive content without putting individuals’ data at risk. Of course, the strong collaboration needed to effectively and efficiently identify malicious actors will take time to develop. The effort required, however, is not reason enough to pursue anti-democratic answers.

To conclude, the trade-off between individuals’ data privacy and tackling terrorism does not appear to be a fair compromise. Given the rule of law issues we have raised, backdoor access is not justified by the need to facilitate criminal investigations. Thus, the benefits of “security through encryption” exceeds the costs of this solution to “security despite encryption”. An alternative approach, such as strengthened mutual support of firms, governments and EU member states, is more appropriate.