Despite ground-breaking reforms, the EU is undermining citizens’ right to privacy by attempting to provide a “front door” to encrypted communications
Since the proposal of the GDPR, the world has seen the European Union as the privacy capital of the world, but the veneer of greatness is beginning to splinter and crack. There is now a document that outlines the Commission’s plans to systematically dismantle end-to-end encryption, in another bout by governments to subvert its people’s digital privacy.
We were distracted, so they were scheming
In July 2020, while the world was distracted by the raging pandemic, the European Commission used that moment to propose a strategy under the guise of combating the spread of child sexual abuse material (CSAM). This was not an overtly public proposal; the Commission sought as little scrutiny as possible, because the strategy, which purportedly exists for noble reasons, will break end-to-end encryption.
Breaking end-to-end encryption is highly problematic, as it protects people’s lives: journalists, activists, and dissidents worldwide use this technology to protect themselves from authoritarian regimes that would silence them if given the opportunity. Time and time again heavy-handed governments step in and silence those who would speak or act out against them, or in some cases, simply voice an undesirable opinion. This has been true recently in Hong Kong and Turkey.
End-to-end encryption is a way for all people to engage privately in digital spaces. The public actively stands against governments and businesses putting listening devices in homes; tapping phone lines; or generally eavesdropping. Yet in digital spaces — where society now does the bulk of its communicating — the European Commission wants it all.
The proposal offers many different “technical solutions” for stopping CSAM, and for each solution it provides a privacy score. However, the score is not the complete picture, because the Commission does not count law enforcement or government as a threat to user privacy. The footnotes state that the privacy score measures the likelihood of others gaining access to the information; the Commission fails to recognise itself as one of those others.
As Edward Snowden brought to light in the 2013 revelations, governments and intelligence agencies have limited accountability when handling people’s data. There is no doubt that stopping the spread of CSAM is essential and a worthwhile goal. However, this approach is a rather sinister way of achieving that end, and stopping CSAM may not even be the real purpose of the overall proposal. The document states explicitly that “encryption is a threat” and must be “immediately addressed.” While it reports wanting to stop CSAM, the ultimate agenda appears to be to dismantle private digital communication.
Encryption is absolute
The great thing about end-to-end encryption, device encryption, file encryption and so on is that it is absolute: either only the intended endpoints can read the data, or they are not the only ones who can. All of the proposed “technical solutions” insert some party other than the sender and receiver into the path, either by intercepting messages in transit, screening them and passing them on, or by reading them on the device before they are encrypted. Whichever way it is done, once a third party can read the plaintext, the encryption is no longer end-to-end, and the security it promised is gone.
This is similar to sending a letter by post and having someone other than the intended recipient read the contents before forwarding it. That is a crime: it is an offence for postal workers, businesses, couriers or anyone else to open mail not addressed to them (without a warrant). Under this proposal, our digital mail (emails, messages, calls) sent via encrypted services such as Proton Mail, Signal and WhatsApp would be opened and read. Many would call this a back door into encryption. However, the EU Counter-Terrorism Coordinator, commenting on the strategy, called it what it really is: “a front door.”
As if this man-in-the-middle style interception wasn’t odious enough, the proposal offers another strategy that is far more alarming: reaching into users’ physical devices. Under the section “Device related solutions”, it proposes detection on the device itself. In 2018, the phone of the Saudi dissident and political refugee Omar Abdulaziz was infected with the Pegasus spyware by an operator linked to the government of Crown Prince Mohammed bin Salman. The messages obtained through that infection, including Abdulaziz’s exchanges with the journalist Jamal Khashoggi, are widely believed to have fed into the plot that ended in Khashoggi’s assassination in the Saudi consulate in Istanbul.
Moreover, the prince is also alleged to have had Amazon CEO Jeff Bezos’s phone compromised. Now, I have no love for Jeff Bezos or Amazon, but it highlights that these tools can be used against anyone regardless of wealth and status; indeed no one is safe. Pegasus is developed by NSO Group, a private cyber-arms dealer based in Israel, which sells it to government clients throughout the world. Detection on the device reads a user’s content before it is encrypted, which is exactly the capability Pegasus gives an attacker; the only difference is who installs it. Although it is unlikely the Commission would buy such a tool from NSO Group, once it walks this road it will become harder to turn back.
What about targeted surveillance?
Often when the debate around privacy and encryption protection arises, people ask: why not allow targeted surveillance and decryption of targeted messages? Sure, that would be a brilliant solution, and if law enforcement suspected somebody, obtained a warrant and followed the legal process, there would be no need to write this article. The problem is that this is not what happens in practice; as I said earlier, something is either encrypted or it isn’t. If a company that offers end-to-end encryption is ordered by police to decrypt the messages of user X on its servers, it cannot, because it never held the keys. The only way to comply is to change the system so that the company, or the authority, holds a key capable of decrypting messages, and whatever that mechanism is, it is built into the software every user runs, not a switch that exists only for user X.
This is a huge problem. Perhaps the government or law enforcement only reads user X’s messages, as allowed by the warrant, and leaves everyone else alone. Except that now the capability to decrypt exists on the server side, and all that is needed is a data breach of some kind, through a targeted attack or a coding error, for the messages of everyone using that service to be out in the wild. This is not an unrealistic possibility: 2020 saw the largest number of records compromised since 2005, totalling 37 billion, and those numbers only count reported breaches. No matter what language is used, or how it is dressed up, targeted decryption on that scale is not feasible.
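The argument of the two preceding sections, that a decryption capability cannot be scoped to one user, can be made concrete in code. The following is an added example and not part of the original article or any real messaging protocol: two users send messages through a relay that holds no keys, and then through a client that implements a “front door” in the form of an escrow key held by an authority. The pairwise keys are constructed with os.urandom in place of a real key exchange, the symmetric escrow key is an assumption standing in for whatever access mechanism a proposal would specify, and the cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC, chosen only so the example runs with the standard library.

```python
"""Added example (not from the article): a toy model of an end-to-end
encrypted relay, showing that an access capability built into the client
reads every user's messages, not only the targeted user's. The pairwise
keys stand in for a Diffie-Hellman exchange and the escrow key is an
assumed stand-in for a 'front door' mechanism; both are constructed here."""

import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream-cipher keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += _prf(key, nonce + block.to_bytes(4, "big"))
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, nonce + ct)


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def send_e2ee(pair_key: bytes, msg: bytes) -> dict:
    """Plain end-to-end encryption: only the two endpoints hold pair_key."""
    return {"body": seal(pair_key, msg)}


def send_front_door(pair_key: bytes, escrow_key: bytes, msg: bytes) -> dict:
    """The same message through a client with an access path built in: a fresh
    message key is wrapped once for the recipient and once for the escrow key."""
    msg_key = os.urandom(32)
    return {
        "body": seal(msg_key, msg),
        "for_recipient": seal(pair_key, msg_key),
        "for_authority": seal(escrow_key, msg_key),
    }


def recipient_read(pair_key: bytes, envelope: dict):
    if "for_recipient" in envelope:
        msg_key = unseal(pair_key, envelope["for_recipient"])
        return None if msg_key is None else unseal(msg_key, envelope["body"])
    return unseal(pair_key, envelope["body"])


def authority_read(escrow_key: bytes, envelope: dict):
    wrapped = envelope.get("for_authority")
    if wrapped is None:          # genuine E2EE: nothing for the authority to open
        return None
    msg_key = unseal(escrow_key, wrapped)
    return None if msg_key is None else unseal(msg_key, envelope["body"])


def demo() -> dict:
    """User X is under a warrant, user Y is not. The relay stores envelopes only."""
    x_key, y_key = os.urandom(32), os.urandom(32)   # constructed pairwise keys
    escrow_key = os.urandom(32)                      # held by the authority (assumed)
    relay = {"x": send_e2ee(x_key, b"X: meet at 9"), "y": send_e2ee(y_key, b"Y: private")}
    # The relay holds no key at all; a key it does not have fails the MAC check.
    relay_guess = unseal(os.urandom(32), relay["x"]["body"])
    fd = {"x": send_front_door(x_key, escrow_key, b"X: meet at 9"),
          "y": send_front_door(y_key, escrow_key, b"Y: private")}
    return {
        "relay_reads_e2ee": relay_guess,
        "recipient_reads_e2ee": recipient_read(x_key, relay["x"]),
        "authority_reads_e2ee": authority_read(escrow_key, relay["x"]),
        "authority_reads_target_x": authority_read(escrow_key, fd["x"]),
        "same_key_reads_untargeted_y": authority_read(escrow_key, fd["y"]),
    }
```

The result of demo() is the whole argument in five entries: with genuine end-to-end encryption neither the relay nor the authority can read X’s message; with the front door the authority can read X, but the same escrow key reads Y, who was never named in any warrant, and a breach of whoever holds that one key exposes every user of the service at once.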
DiEM25 fights for your privacy
DiEM25 understands the realities of technology and the importance of privacy. The DiEM25 Technological Sovereignty Policy explicitly states in section 2.2.3 that “all citizens have a right to strong encryption.”
Specifically, this is to prevent governments and other third parties from eavesdropping and spying. This is clearly different from the European Commission’s stance, which sees encryption as a problem. DiEM25 will protect the privacy of all citizens in the European Union. Further, by having such a cogent policy on security, data protection and privacy, the movement shows its understanding of digital technology.
Is this the Europe we want? A Europe without private spaces or private conversations? Even if you are someone who believes you have nothing to hide, or nothing to protect, privacy is universal. Privacy is a right, and privacy speaks to the health of any liberal democracy. We need it, and we must fight for it.
The European Commission plans to draw up legislation and take this matter to a vote in 2021. In the meantime, go loud. If you care about privacy; if you don’t care but know someone who does; if you know journalists, dissidents or activists: go loud. Tell your current sitting government you do not want this. Write to them, email them, call them. The urgency of this cannot be overstated! And if you wish to increase your digital privacy (while you still can), research which services you can use to protect yourself.
The views and opinions expressed here are those of the author and do not necessarily reflect DiEM25’s official policies or positions.