EU Tells US: Ban Strong Encryption, And Privacy Shield Data Sharing Agreement Could Be At Risk
As a recent post underlines, law enforcement agencies around the world are still trying to argue that things are "going dark", and that strong encryption is bad and should be made illegal. Techdirt and many others have pointed out what an extremely stupid idea this would be. Here's a further reason why the US shouldn't ban strong encryption: it might lead to the EU making data transfers across the Atlantic much harder. The possibility has emerged thanks to some formal questions to the European Commission (pdf) submitted by a Member of the European Parliament, Moritz Körner. They include the following:
According to the news website Politico, the US government is considering a ban on encryption.
1. Would the Commission consider a similar ban in the EU to be useful?
2. Would a ban on encryption in the USA render data transfers to the US illegal in light of the requirement of the EU GDPR for built-in data protection?
The answers from the European Commission have now been published (pdf). The first response is as follows:
Encryption is one of the means of protecting confidentiality as well as privacy and is widely recognised as an essential tool for security and trust in open networks. No ban on encryption is being considered.
That's good, but:
At the same time, the use of encryption should be without prejudice to the powers of competent authorities to protect important public interests in accordance with the procedures, conditions and safeguards set forth by law. In particular, access to communications data by national authorities may be justified in individual cases by the objective of preventing or investigating criminal offences, as long as such measures are necessary, proportionate and respect due process rights.
The boilerplate caveat doesn't say how the EU aims to provide lawful access to communications data when strong encryption is employed, and so doesn't really illuminate EU policy here. By contrast, the response to the second question about the impact a US ban on strong encryption might have does provide new information:
Should the U.S. enact new legislation in this area, the Commission will carefully assess its impact on the adequacy finding for the EU-U.S. Privacy Shield, a framework which the Commission has found to provide a level of data protection that is essentially equivalent to the level of the protection in EU, thus allowing for the transfer of personal data from the EU to participating companies in the U.S. without any further restrictions.
Privacy Shield governs the flow of EU citizens' personal data to the US -- something of vital importance to US Internet companies, and many others. Because of the GDPR's requirements, that flow can take place without further safeguards only if the European Commission has issued an "adequacy decision" -- essentially confirming that a country outside the EU offers a level of data protection essentially equivalent to the EU's. Without adequacy, US companies would be forced to take additional, more onerous measures to guarantee that EU personal data was protected to the level required by the GDPR.
The European Commission's reply indicates that adequacy could be at risk if the US were to ban strong encryption. That's surprising, because the Commission has generally tried to ignore criticisms -- from the European Parliament, for example -- about the level of data protection in the US. This may just be a little saber-rattling on the Commission's part. But it's a useful hint that a US ban would not just be bad for the Internet, but could also turn out to be bad for the US.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Filed Under: encryption, eu, privacy, privacy shield, us
Reader Comments
The First Word
Nerding Harder
The US government has over a hundred times greater access to people's communications, personal papers and everything else now than it did when the Fourth Amendment was written. The US government has surveillance capabilities beyond the worst nightmares of our founders.
Our law enforcement has never had a problem finding anyone from petty thieves to traitors, from illegal immigrants to foreign spies. But they're saying now that their incredible wealth of information is insufficient, that we are at risk of them being unable to catch all these bad people if we return to a level of government surveillance that persisted for most of our history, that they had zero problems with then.
The answer is as simple as it is obvious. The tech sector is not the group that needs to nerd harder. The people who need to nerd harder are the government agencies that are apparently slacking off, because with greater capacity to find bad guys they are claiming a reduced ability to actually pursue them.
Giving them more tools when they aren't fully utilizing the ones they already have is silly, they just won't fully utilize those either.
They just need to nerd harder at the NSA, DOJ and ICE.
How to talk out of both sides of one's mouth at the same time
Seems like a premier example of doublespeak. While not banning encryption, it sure sounds like they want backdoors, ones that are about as effective as screen doors on submarines.
Re: How to talk out of both sides of one's mouth at the same time
Pretty much. If the encryption keeps out a government Luddite in a hurry, it would be banned. But data thieves and spies (corporate or foreign government) are usually a LOT more tech savvy than Luddite-leaning regulators, and anything that would keep a thief or spy out for five minutes would be an impassable barrier to a Luddite.
So it has to go.
It was years ago, but if I remember correctly wasn't there a court case that said encryption is protected under the 1st Amendment, as free speech? I think it was around the time PGP came out. I could be misremembering it though. Does anybody know?
Re:
https://www.eff.org/deeplinks/2015/04/remembering-case-established-code-speech
Re: Nerding Harder
And FBI.
So the EU is okay with their governments calling for and implementing encryption back doors, just as long as it's not the US doing it or getting the info.
Back in the 1980s, the US banned export of strong encryption. The result was that encryption software development moved offshore and continued merrily along. This meant the US completely lost the advantage it had in encryption development.
If the US bans strong encryption, the results will be almost the same. Except this time the US will not be able to import better software from abroad.
I think the "ban strong encryption" talk is intentionally confusing. Most of your encrypted communications can still be intercepted, decrypted, and re-encrypted via MITM. If you have code books or keys shared in person and never transmitted over the internet, then you can have real strong end-to-end encryption.
Also governments don't have morality problems putting malware into your computer so if you hooked a computer with an update-able operating system or firmware up to the internet you can assume someone had the chance to compromise it.
Hahaha no
“Ban strong encryption”
Europe has gotten so used to Russia coming into them they want America to do it to them, lol.
Let's Ban the US Government
According to the news website Politico, the US government is considering a ban on encryption.
Let's ban the US government and both political parties on a permanent basis, as they are directly responsible for the myriad of problems afflicting the nation.
Cast off the repressive yoke of a criminal/tyrannical US government.
Labels such as conservative, liberal, progressive (et al.) only serve to box people in to one defective form of ideology or another and are divisive in nature.
As human history has shown in order to conquer a great nation you must first divide the people amongst themselves.