EUROPE AT HOME AND ABROAD

Will Europe keep your encrypted messages secret?

Despite resistance from industry leaders, civil society organizations and many in the European Parliament, a proposed EU regulation that would enable surveillance of private communications remains on the agenda. If adopted, the right to privacy - a core European value - will be seriously threatened.


In recent years, civil society organizations and industry players have joined forces to protect encrypted communications from the authorities. As the former Council of Europe Commissioner for Human Rights (Dunja Mijatović, editor's note) notes, in the current era of digital surveillance, encryption is "a key tool for the protection of human rights". Having worked on security and foreign policy issues as a member of the European Parliament, I have personally become convinced that this is true. Activists, journalists, defenders of human rights and ordinary citizens count on the right to privacy as an essential European principle that supports freedom of speech and democracy itself.

Encryption is one of the most important privacy technologies in the modern world and is therefore used in most key online services (messengers, voice calls, e-mail, file sharing, payments, and so on). In its most powerful form, end-to-end encryption, this technology ensures that only the parties to the communication can decrypt and see the content and that unauthorized access is impossible (as with Signal or WhatsApp, for example).

But governments and law enforcement agencies increasingly want access to encrypted communications, even though it threatens to undermine public confidence that the privacy of online communications is protected. Under the pretext of fighting terrorism and other crimes, the governments of many European Union countries want to weaken the use of encryption technology.

The message is clear: many governments and authorities see encryption not as a means of protecting human rights, but as an obstacle. The European Commission formed a high-level working group on "access to data for effective law enforcement". The group, made up of law enforcement representatives, recommended a "lawful design approach" to en clair data, meaning communications services would be required to install "backdoors" allowing criminal investigators access to unencrypted data.

The push to weaken encryption peaked in 2022 when the European Commission proposed the Child Sexual Abuse Regulation (CSAR), dubbed "Chat Control." The regulation would give authorities the right to order the scanning of private messages, including those on end-to-end encrypted services, to uncover material related to child sexual abuse.

Even if implemented with the best of intentions, such measures would inevitably create vulnerabilities that malicious actors could exploit. IT professionals claim that it is impossible to securely break encryption; backdoors always create exploitable security gaps. Just a few weeks ago, it was reported that several major Internet service providers in the United States had been hacked by Chinese hackers through legally permitted data access channels.

Intelligence agencies (including those of the Netherlands) rightly warn that breaches of encryption technologies pose an unmanageable risk to cybersecurity. And during the current discussions in the Council of the EU, the possibility of scanning orders considered important for national security was excluded, which shows an obvious double standard.

But the problem is not only cybersecurity. The regulation in question could lead to lawsuits. The EU Charter of Fundamental Rights explicitly protects the privacy of one's communications, and the European Court of Justice has made it clear that indiscriminate and comprehensive scanning of private communications constitutes a disproportionate violation of this right. Independent assessments commissioned by the Council of the EU and the European Parliament reach similar conclusions, while the European Data Protection Board and the European Data Protection Supervisor have raised privacy and efficiency concerns about the bill. After all, criminals could easily bypass detection systems.

The European Commission has also failed to address the wider implications of intercepting encrypted messages under the pretext of combating child sexual abuse. With their virtually limitless appetite for data, law enforcement agencies are likely to seek to expand the surveillance regime into other domains. Europol, the EU's police agency, has already recommended it. And, contrary to the Commission's assurances, significant doubts remain about the reliability and effectiveness of software that detects child abuse.

For all these reasons, the European Parliament opted for a more balanced approach, eliminating the scanning of encrypted services and limiting surveillance to targeted suspects or groups of suspects.

Meanwhile, the Council of the EU is debating an approach known as "client-side scanning". In this case, messages are intercepted before they are sent. This method is presented as a compromise between privacy, security and child protection, but in reality it also compromises encryption technology, raising the same privacy and cybersecurity concerns.

Adopting this approach would not be good for privacy protection in Europe. However, the new European Commissioner for Home Affairs and Migration, Magnus Brunner, said he was "convinced of the necessity and urgency of adopting the proposed regulation." During a hearing before the European Parliament, he refused to commit to encryption protections and avoided answering questions about EU governments' use of spyware, another deeply invasive way to circumvent encryption.

Encryption is not just technical protection; it is the cornerstone of our digital rights and democratic freedoms. As the debate on the CSAR regulation continues, we must remain vigilant against policies that undermine these values under the guise of security. The weakening of encryption threatens not only individual privacy, but also the digital ecosystem as a whole.

Instead of eroding encryption, the EU should push for strong privacy protections that balance security needs with basic human rights. With this in mind, I signed a pledge to protect encryption. This is not only about defending technology, it is also about defending the principles that define us as a society.

The author is a member of the European Parliament

Copyright: Project Syndicate 2024. (translation: N. R.)

(Opinions and views published in the "Columns" section are not necessarily the views of the "Vijesti" editorial office.)