EU Data Protection Official Says Revised Privacy Laws Should Ban Backdooring Encryption

from the sounds-like-a-plan dept

The EU's "Cookie Law" is a complete joke and waste of time. An attempt to regulate privacy in the EU, all it's really served to do is annoy millions of internet users with little pop up notices about cookie practices that everyone just clicks through to get to the content they want to read. The EU at least recognizes some of the problems with the law and is working on a rewrite... and apparently there's an interesting element that may be included in it: banning encryption backdoors. That's via a new report from European Data Protection Supervisor (EDPS) Giovanni Buttarelli, who was put in charge of reviewing the EU's ePrivacy Directive to make it comply with the new General Data Protection Regulation (GDPR) that is set to go into effect in May of 2018. The key bit:
The new rules should also clearly allow users to use end-to-end encryption (without 'backdoors') to protect their electronic communications.

Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited.

In addition, the use of end-to-end encryption should also be encouraged and when necessary, mandated, in accordance with the principle of data protection by design.
To be clear, this actually seems like it may go too far. There are plenty of situations where it seems completely reasonable for law enforcement to use other means to figure out ways to decrypt encrypted communications. Arguing that it should be completely outlawed seems a bit extreme. But blocking backdoors does seem like a good idea. The report also says that the use of end-to-end encryption should be encouraged to the point of being mandated in some cases:
In addition, the use of end-to-end encryption should also be encouraged and when necessary, mandated, in accordance with the principle of data protection by design. In this context the EDPS also recommends that the Commission consider measures to encourage development of technical standards on encryption, also in support of the revised security requirements in the GDPR.

The EDPS further recommends that the new legal instrument for ePrivacy specifically prohibit encryption providers, communications service providers and all other organisations (at all levels of the supply chain) from allowing or facilitating 'back-doors'.
Conceptually, this sounds good, but the implementation matters. Mandating encryption seems to be going a bit far. While I tend to think it makes sense for much more widespread use of encryption, it's not clear why the government needs to get involved here at all. And that includes in the development of such standards. In fact, as we've seen in the past, when the government gets involved in creating encryption standards, that seems to be where the intelligence community can slip in their backdoors.

Still, this is certainly an interesting development. Of course, it would also conflict with the UK's Snooper's Charter ("Investigatory Powers Act") which mandates backdoors for encryption. Though, to be fair, by the time the new rules go into practice, perhaps the UK will no longer be a part of the EU.

Filed Under: backdoors, data protection, encryption, eprivacy directive, eu, gdpr, privacy


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 27 Jul 2016 @ 12:23am

    Banning backdoors for encryption?

    I guess that's good news for people who live in the United King- oh, right...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Jul 2016 @ 12:31am

    The UK won't have left by that time (2018).
    First they are already delaying the official "WE QUIT" message until the end of the year. From that point on it takes at least two years before they can actually leave, those two years are considered the absolute minimum needed to untangle the UK from the EU. Both parties can ask the other to extend this point until the end of time.

    Then there is a second cruder option (but seeing the history of how the EU and it's different national governments have acted when a referendum went against the EU it should be taken seriously) and that is to ignore the referendum since it is only an advisory to the government. The biggest losers if the UK does leave, the financial industry, has already demanded that this happens (in case people are wondering how influential the financial industry is, it is mainly centered in what amounts to an independent city state in London with a special representative called the Remembrancer, also on a few occasions Tech dirt has made fun of the keystone cops that is the police force of this patch of land.)

    reply to this | link to this | view in chronology ]

    • identicon
      Rana, 27 Jul 2016 @ 8:18am

      Re:

      Both parties can ask the other to extend this point until the end of time.

      Oh, kind of like copyright extensions.

      reply to this | link to this | view in chronology ]

      • icon
        Eldakka (profile), 27 Jul 2016 @ 5:57pm

        Re: Re:

        Not really.

        As per Article 50, paragraph 3:
        3. The Treaties shall cease to apply to the State in question from the date of entry into force of the withdrawal agreement or, failing that, two years after the notification referred to in paragraph 2, unless the European Council, in agreement with the Member State concerned, unanimously decides to extend this period.
        It requires unanimous agreement to extend.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Jul 2016 @ 12:56am

    Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited.

    That would certainly go too far and lead to the same idiotic situation you've got in the US where it becomes illegal to break copy protection just because it is copy protection, even if it's something hideously basic like a rot13 cipher, but gets federal protection "just because"...

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Jul 2016 @ 6:01am

      Response to: Anonymous Coward on Jul 27th, 2016 @ 12:56am

      I think that the main concern with this bit is that it effectively prevents anyone from verifying that the "backdoors are banned" part is actually followed.

      Basically you could get into troubles for having found a backdoor in a non-open protocol (because this requires to "reverse-engineer the encryption")

      reply to this | link to this | view in chronology ]

  • identicon
    Shadow Firebird, 27 Jul 2016 @ 2:35am

    Governments *should* get involved in mandating encryption

    One reason: who else could protect us … from them?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Jul 2016 @ 3:08am

    The reason encryption should be mandated

    ...is to finally get it adopted and integrated in a user friendly way. Security conscious people have advocated for encryption for, basically, forever. Most normal users were not interested. Most normal users STILL are not interested, even after all the revelations of the past years. Because of that, encryption is not much of a selling point for most mainstream apps.

    There are two ways to argue here: Those knowledgable should protect everyone else by advising the represantives and getting them to legally mandate what is neccessary, even if the majority of the population does not care. I can already hear the cries of "nanny state!".

    The other way is to protect yourself, to continue to evangelize to the masses and fail to get any real change. We will continue to live in a world were governments, corporations and criminals alike will with ever more ease acquire and collect ever more private data on everyone but a small minority. The negative effects of this will be borne by everyone - even the few security conscious who did protect themselves.

    reply to this | link to this | view in chronology ]

    • icon
      orbitalinsertion (profile), 27 Jul 2016 @ 3:20am

      Re: The reason encryption should be mandated

      I am pretty sure the other intent is that there are lots of businesses and services and governments which do not properly encrypt stored data or personal online communications. And there is the always lovely IoT. And gee, if the cookie law is so bloody heinous, could you imagine having to adopt encryption properly? Ermahgerrrrrrd. I'm sure we could invent a cost to business for that which is 10 times the global domestic product for the next 100 years.So yeah i guess a regulation for it is the only way to get that done.

      reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 27 Jul 2016 @ 4:47am

    There are plenty of situations where it seems completely reasonable for law enforcement to use other means to figure out ways to decrypt encrypted communications.

    And the Government is free to try to decrypt it via whatever methods available. I do think they go too far in mandating encryption anywhere other than public services that demand it (ie: banking, Govt stuff). It should be an option for everybody else.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Jul 2016 @ 6:27am

      Re:

      "I do think they go too far in mandating encryption anywhere other than public services that demand it (ie: banking, Govt stuff). It should be an option for everybody else."

      Happy with online commerce unencrypted? Happy with private health information unencrypted? Neither of these are public services in the sense that how they happen is mandated by govt. Making providers financially liable won't erase the damage potentially done by hacked & leaked information. If users want to send unencrypted messages/chats/files that is one thing, but online search histories, memberships, purchases and so on is something else. Those are the things the EU is concerned about before nannying everyone to encrypt every chat msg.

      reply to this | link to this | view in chronology ]

      • identicon
        Rana, 27 Jul 2016 @ 8:23am

        Re: Re:

        Making providers financially liable won't erase the damage potentially done by hacked & leaked information.

        Especially if the provider is a corporation whereby profits are privatized while losses are socialized.

        reply to this | link to this | view in chronology ]

      • icon
        Ninja (profile), 28 Jul 2016 @ 5:03am

        Re: Re:

        Hmm, you misunderstood me and I misunderstood the article. It seems I agree with the sentence but I misread it. The Govt has no business telling anyone how and when to use encryption, much less mandating backdoors. They can try to decrypt whatever they put their hands on but not forbid it. And it's exactly what the article says. I think I didn't have enough coffee on me at the time..

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Jul 2016 @ 6:07am

    They have to have something to negotiate with.

    "To be clear, this actually seems like it may go too far."

    For most of us, it makes sense to just ask for what is needed, but for politicians, they have not figured that out yet. So it makes sense they would demand the world first and then negotiate to something more reasonable. It really is the only way not to get the shaft from the start unfortunately.

    reply to this | link to this | view in chronology ]

  • icon
    JustMe (profile), 27 Jul 2016 @ 8:37am

    Mike, don't forget

    It wasn't just about annoying consumers. There was also all of the compliance efforts required by companies with websites that *might* possibly have a visitor from the ER.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Jul 2016 @ 2:12pm

    Should? No. Must.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.