Belgian Government Wants To Add Encryption Backdoors To Its Already-Terrible Data Retention Law

from the it-can-always-get-worse dept

Earlier this year, a data retention law passed by the Belgian government was overturned by the country's Constitutional Court. The law mandated retention of metadata on all calls and texts by residents for one year, just in case the government ever decided it wanted access to it. Acting on guidance from the EU Court on laws mandating indiscriminate data retention elsewhere in the Union, the Constitutional Court struck the law down, finding it was neither justified nor legal under CJEU precedent or under Belgium's own Constitution.

[T]he Constitutional Court finds that the Data Retention Act aims at broader objectives than safeguarding national security, combating serious crime and preventing serious threats to public security and that the interference is thus not limited to what is strictly necessary. In addition, the Constitutional Court points out that such requirement to retain traffic and location data should be the exception, not the rule, must set out clear and precise rules regarding the scope and application of such measure, whereby certain minimum requirements should be implemented, and should ensure that the interference is limited to what is strictly necessary.

That prompted an immediate rewrite and a hasty propulsion of the law through the legislative process. This ruling was handed down in April. By May 10th, the government had another legislative proposal ready to go. Then it expanded it, adding encrypted messaging services to the list of entities obliged to collect and retain communications metadata.

But the demands go even further than metadata. Either incapable or unwilling to understand how end-to-end encryption works, legislators want a form of encryption that can be stripped away whenever the government wants access to communications. This is from an open letter sent to the Belgian government by 81 organizations and cybersecurity experts.

The Draft law on the collection and storage of identification, traffic and location data in the electronic communications sector and their access by the authorities, or “the Data Retention Legislation,” would require operators of encrypted systems to enable law enforcement to be able to access on request content produced by specific users after a specified date in the future. That is, they would have to be able to “turn off” encryption for specific users.

If you can't see where this is going, you might be a Belgian legislator.

There is no way to simply “turn off” encryption; providers would need to create a new delivery system and send targeted users into that separate delivery system. Not only would this require significant technical changes, but it would thereby break the promises of confidentiality and privacy of end-to-end encrypted communications services.

It's a backdoor. Backdoors don't work. Or rather, they do, but then the encryption doesn't work. Legislators and those pressuring legislators to mandate encryption backdoors don't like to use that term, so they dance around it. In the US, they call it technical assistance or whatever the opposite of "warrant-proof encryption" is. In Belgium, they stuff it into a bill that originally targeted phone service providers and call it "data retention."

It's unclear how the legislature thinks this version will be found constitutional by the courts, unless it's relying on the addition of some minimal targeting requirements to change it from a bulk data collection the government can access at any time to a slightly smaller bulk data collection the government can access at any time -- one that now includes metadata collected by encrypted communications platforms which will have to backdoor their own encryption to comply with demands for data.

If this is allowed to become law, everyone's communications will be less secure, not just those belonging to people the state wants to surveil or lock up.

Undermining encryption by introducing backdoors to encrypted communications would leave Belgium exposed to attacks, including its journalists, doctors, lawyers, public sector employees, and other citizens, as well as businesses and institutions, including governments.

If that's an acceptable tradeoff for the government, the bill will become law. But it will have to survive another legal challenge once it goes live. And from what's seen here, it looks like more of the stuff that was already struck down by the court, only with bonus encryption backdoors. If Belgian legislators aren't willing to protect their constituents, hopefully the courts will pick up the slack.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoors, belgium, data retention, encryption, surveillance

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    basstabs (profile), 6 Oct 2021 @ 8:57am

    The big problem with government in the modern age is that a majority of career politicians (at least in my anecdotal experience in the US, I’d love to see to see data on the subject) have degrees in non-technical fields like history, law, political “science,” etc. The closest they might get to a field that would give them even a solid background in math is economics.

    This is all fine and dandy in 1890 or 1950, but in our increasingly technological society where math, computers, and science have become so ubiquitous, government is increasingly incapable of responding to modern challenges because politicians are woefully unprepared to even understand the problem, let alone solve it. They don’t understand the concept of something being mathematically impossible (just like they didn’t a century ago in Indiana during the Pi bill debacle), so to them tech people “just aren’t trying hard enough to find an answer, and if we legislate enough, they’ll be forced to work harder and they’ll find an answer for us.”

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.