EU Tells US: Ban Strong Encryption, And Privacy Shield Data Sharing Agreement Could Be At Risk

from the question-of-adequacy dept

As a recent post underlines, law enforcement agencies around the world are still trying to argue that things are “going dark”, and that strong encryption is bad and should be made illegal. Techdirt and many others have pointed out what an extremely stupid idea this would be. Here’s a further reason why the US shouldn’t ban strong encryption: it might lead to the EU making data transfers across the Atlantic much harder. The possibility has emerged thanks to some formal questions to the European Commission (pdf) submitted by a Member of the European Parliament, Moritz Körner. They include the following:

According to the news website Politico, the US government is considering a ban on encryption.

1. Would the Commission consider a similar ban in the EU to be useful?

2. Would a ban on encryption in the USA render data transfers to the US illegal in light of the requirement of the EU GDPR for built-in data protection?

The answers from the European Commission have now been published (pdf). The first response is as follows:

Encryption is one of the means of protecting confidentiality as well as privacy and is widely recognised as an essential tool for security and trust in open networks. No ban on encryption is being considered.

That’s good, but:

At the same time, the use of encryption should be without prejudice to the powers of competent authorities to protect important public interests in accordance with the procedures, conditions and safeguards set forth by law. In particular, access to communications data by national authorities may be justified in individual cases by the objective of preventing or investigating criminal offences, as long as such measures are necessary, proportionate and respect due process rights.

The boilerplate caveat doesn’t say how the EU aims to provide lawful access to communications data when strong encryption is employed, and so doesn’t really illuminate EU policy here. By contrast, the response to the second question about the impact a US ban on strong encryption might have does provide new information:

Should the U.S. enact new legislation in this area, the Commission will carefully assess its impact on the adequacy finding for the EU-U.S. Privacy Shield, a framework which the Commission has found to provide a level of data protection that is essentially equivalent to the level of the protection in EU, thus allowing for the transfer of personal data from the EU to participating companies in the U.S. without any further restrictions.

Privacy Shield governs the flow of EU citizens’ personal data to the US — something of vital importance to US Internet companies, and many others. Because of the GDPR’s requirements, that flow can only take place if the European Commission issues an “adequacy decision” — essentially confirming that a country outside the EU offers a sufficient level of data protection. Without adequacy, US companies would be forced to take additional, more onerous measures to guarantee that EU personal data was protected to the level required by the GDPR.

The European Commission’s reply indicates that adequacy could be at risk if the US were to ban strong encryption. That’s surprising, because the Commission has generally tried to ignore criticisms — from the European Parliament, for example — about the level of data protection in the US. This may just be a little saber-rattling on the Commission’s part. But it’s a useful hint that a US ban would not just be bad for the Internet, but could also turn out to be bad for the US.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.


Comments on “EU Tells US: Ban Strong Encryption, And Privacy Shield Data Sharing Agreement Could Be At Risk”

Bergman (profile) says:

Re: How to talk out of both sides of one’s mouth at the same time

Pretty much. If the encryption keeps out a government Luddite in a hurry, it would be banned. But data thieves and spies (corporate or foreign government) are usually a LOT more tech savvy than Luddite-leaning regulators, and anything that would keep a thief or spy out for five minutes would be an impassable barrier to a Luddite.

So it has to go.

This comment has been deemed insightful by the community.
Bergman (profile) says:

Nerding Harder

The US government has over a hundred times greater access to people’s communications, personal papers and everything else now than it did when the Fourth Amendment was written. The US government has surveillance capabilities beyond the worst nightmares of our founders.

Our law enforcement has never had a problem finding anyone from petty thieves to traitors, from illegal immigrants to foreign spies. But they’re saying now that their incredible wealth of information is insufficient, that we are at risk of them being unable to catch all these bad people if we return to a level of government surveillance that persisted for most of our history, that they had zero problems with then.

The answer is as simple as it is obvious. The tech sector is not the group that needs to nerd harder. The people who need to nerd harder are the government agencies that are apparently slacking off, because with greater capacity to find bad guys they are claiming a reduced ability to actually pursue them.

Giving them more tools when they aren’t fully utilizing the ones they already have is silly, they just won’t fully utilize those either.

They just need to nerd harder at the NSA, DOJ and ICE.

This comment has been deemed insightful by the community.
Gorshkov (profile) says:

Re: Nerding Harder

More to the point: Yes, there are going to be instances where the lack of encryption would be the only way to solve the case but those, generally speaking, are going to be very rare edge cases.

But the core problem isn’t the lack of data – it’s the lack of ability to use all that data. And when you already have a problem finding the needle in a haystack, making the haystack bigger is not going to be much of a help.

Stop whining about how you’re all the way over here and the magnet is all the way over there. Just pick the damned thing up, and do your bloody job.

Scary Devil Monastery (profile) says:

Re: Re: Nerding Harder

"More to the point: Yes, there are going to be instances where the lack of encryption would be the only way to solve the case but those, generally speaking, are going to be very rare edge cases."

Even more to the point – the same argument could be made about abolishing habeas corpus or actis rea. You could win the war on drugs tomorrow. Just have the police round up everyone they THINK is a dealer and shoot them. There’d be some collateral as every psycho in a uniform decides to go on sanctioned killing sprees. But the drugs would be gone.

That violating core principles may be the only way to accomplish a certain thing never means the thing to go must be the core principle.

This comment has been deemed insightful by the community.
Chris-Mouse (profile) says:

Back in the 1980s, the US banned export of strong encryption. The result was that encryption software development moved offshore and continued merrily along. This meant the US completely lost the advantage it had in encryption development.
If the US bans strong encryption, the results will be almost the same. Except this time the US will not be able to import better software from abroad.

Anonymous Coward says:

I think the ban strong encryption talk is intentionally confusing. Most of your encrypted communications can still be intercepted, decrypted, and reencrypted via MITM. If you have code books or keys shared in person and never transmitted over the internet then you can have real strong end to end encryption.

Also governments don’t have morality problems putting malware into your computer so if you hooked a computer with an update-able operating system or firmware up to the internet you can assume someone had the chance to compromise it.

Anonymous Coward says:

Re: What are you talking about? They aren’t that smart!

What’s all this talk about code books keys and up other stuff I don’t understand?

I’m completely tech illiterate and I bet the EUs and american servers “if they have them” look like a politician who hoards his data on a single computer that runs a beta windows 95 with flash games from 1996!

Europe and America: how do you know how our security is moth#####?

Personanongrata says:

Let’s Ban the US Government

According to the news website Politico, the US government is considering a ban on encryption.

Let’s ban the US government and both political parties on a permanent basis as they are directly responsible for the myriad of problems afflicting the nation.

Cast off the repressive yoke of a criminal/tyrannical US government.

Labels such as conservative, liberal, progressive (et al.) only serve to box people in to one defective form of ideology or another and are divisive in nature.

As human history has shown in order to conquer a great nation you must first divide the people amongst themselves.

This comment has been deemed insightful by the community.
Glenn says:

The only thing going dark are the law enforcement agencies, as in, going over to "the dark side" (obviously because everyone who isn’t them is just a criminal whose law-breaking hasn’t yet been identified–some encryption also obviously keeps them from doing).

If they want to see criminals, then they should look in the mirror.

Anonymous Coward says:

Re: Re:

Ya, the Blue Line Gang. They are ALL thug tyrants. You go ask a so-called Good one if he ever arrested one of his police buddies, NOPE!! Not a one. They protect each other. They will flat out LIE, LIE, LIE. They make up lies to make you do what they want. If they crash into you, it’s YOUR fault!!! They will arrest you with their goto, B.S. charges. Even if they get thrown out later, it doesn’t matter to them.

When the so-called Good ones stand there and watch what is happening, and won’t stop it and pretend they don’t know what is going on. Always record the police. They’ll LIE and say you can’t. It’s a 1st amendment protected RIGHT. Record them, if only to protect yourself from their LIES. They will in fact LIE and screw you over. They don’t care!!! They are disgusting tyrants. Don’t call them as they may, in fact, end up shooting you. They will come with their guns and make sure to escalate things.
