from the it-can-always-get-worse dept
Earlier this year, a data retention law passed by the Belgian government was overturned by the country’s Constitutional Court. The law mandated retention of metadata on all calls and texts by residents for one year, just in case the government ever decided it wanted access to it. Acting on guidance from the EU Court on laws mandating indiscriminate data retention elsewhere in the Union, the Constitutional Court struck the law down, finding it was neither justified nor legal under CJEU precedent or under Belgium’s own Constitution.
[T]he Constitutional Court finds that the Data Retention Act aims at broader objectives than safeguarding national security, combating serious crime and preventing serious threats to public security and that the interference is thus not limited to what is strictly necessary. In addition, the Constitutional Court points out that such requirement to retain traffic and location data should be the exception, not the rule, must set out clear and precise rules regarding the scope and application of such measure, whereby certain minimum requirements should be implemented, and should ensure that the interference is limited to what is strictly necessary.
That prompted an immediate rewrite and a hasty propulsion of the law through the legislative process. This ruling was handed down in April. By May 10th, the government had another legislative proposal ready to go. Then it expanded it, adding encrypted messaging services to the list of entities obliged to collect and retain communications metadata.
But the demands go even further than metadata. Either incapable or unwilling to understand how end-to-end encryption works, legislators want a form of encryption that can be stripped away whenever the government wants access to communications. This is from an open letter sent to the Belgian government by 81 organizations and cybersecurity experts.
The Draft law on the collection and storage of identification, traffic and location data in the electronic communications sector and their access by the authorities, or “the Data Retention Legislation,” would require operators of encrypted systems to enable law enforcement to be able to access on request content produced by specific users after a specified date in the future. That is, they would have to be able to “turn off” encryption for specific users.
If you can’t see where this is going, you might be a Belgian legislator.
There is no way to simply “turn off” encryption; providers would need to create a new delivery system and send targeted users into that separate delivery system. Not only would this require significant technical changes, but it would thereby break the promises of confidentiality and privacy of end-to-end encrypted communications services.
It’s a backdoor. Backdoors don’t work. Or rather, they do, but then the encryption doesn’t work. Legislators and those pressuring legislators to mandate encryption backdoors don’t like to use that term, so they dance around it. In the US, they call it technical assistance or whatever the opposite of “warrant-proof encryption” is. In Belgium, they stuff it into a bill that originally targeted phone service providers and call it “data retention.”
It’s unclear how the legislature thinks this version will be found constitutional by the courts, unless it’s relying on the addition of some minimal targeting requirements to change it from a bulk data collection the government can access at any time to a slightly smaller bulk data collection the government can access at any time — one that now includes metadata collected by encrypted communications platforms which will have to backdoor their own encryption to comply with demands for data.
If this is allowed to become law, everyone’s communications will be less secure, not just those belonging to people the state wants to surveil or lock up.
Undermining encryption by introducing backdoors to encrypted communications would leave Belgium exposed to attacks, including its journalists, doctors, lawyers, public sector employees, and other citizens, as well as businesses and institutions, including governments.
If that’s an acceptable tradeoff for the government, the bill will become law. But it will have to survive another legal challenge once it goes live. And from what’s seen here, it looks like more of the stuff that was already struck down by the court, only with bonus encryption backdoors. If Belgian legislators aren’t willing to protect their constituents, hopefully the courts will pick up the slack.