Welcome to part two in our encryption series. This time around we’re going to talk about some of the fine work people are doing in Europe to help increase protections for privacy rights. Specifically, the debate on “backdoor” encryption and whether or not law enforcement should be allowed to force companies to give them a set of keys to their encryption. Most recently, Apple has announced plans to add an on-device scanning function for Child Sexual Abuse Imagery (CSAM) so they can send the results to law enforcement. Many critics say this is the first step to backdoors becoming the norm, but let’s take a look at what’s being done to stop this level of surveillance.

Encryption Europe

Encryption Europe is an industry alliance of European SMEs committed to making encryption simple, useful, and stable for everyone. Much of their recent work has revolved around fighting backdoor encryption legislation. Several months ago, they held a panel discussion looking for insight from the technology community about the pros and cons of backdoor encryption.

Their recent panel discussion focused mainly on a legal framework that should be used for Law Enforcement Agencies, education of public authorities, and political decision makers. There also needs to be work done that would ensure oppressive regimes are unable to use backdoors against citizens, companies, and public authorities all around the world.

There are really two sides to this argument, the first being that lawful access to information could help prevent child abuse, drug smuggling, or terrorist threats, is widely perceieved as a positive for society.

The second is that it’s inevitable that any mechanism allowing lawful decryption will be leaked onto the internet sooner than later. Once the keys are “in the wild”, nothing will stop criminals from using those keys to target people, businesses, or even law enforcement agencies, with attacks on their easily decrypted data.

What does backdoor encryption mean?

Backdoor encryption is a global push to force companies that protect data with encryption—from cell phone manufacturers to messaging apps—to add some way to turn off encryption if law enforcement asks.

In theory, this would go something like; a known criminal sends a text to another known criminal, but because the text is encrypted, law enforcement can’t read it when they try to intercept it. They go to the messaging app maker and ask for access to two specific accounts and the messages sent on a specific day. The app maker then hands over the encryption keys, or decrypts the texts and hands over the texts.

The downside to backdoor encryption

There are a lot of downsides to backdoor encryption. First; anyone relying on an encryption system that can be turned off at will is facing the same problem as communication without any encryption at all. They have no guarantee that their communications are ever encrypted, or that they might be decrypted at any time.

Second; any system with backdoors is just waiting to be hacked. 2020 taught us that there are a lot of really smart people out there, constantly looking for ways to exploit software and hardware bugs. If turning off encryption is a feature, it won’t take long for someone to find, or buy those keys and share them with the rest of the internet.

Third; personal privacy laws exist specifically to stop mass surveillance programs. Even with privacy laws, law enforcement has access to petabytes (that’s a lot) of data that people give away freely, every day. You’d be shocked at how often people post confessions and evidence on social media. Phone telemetry data is available from ISP. If your car has GPS, you guessed it, someone can find out where you are at all times.

What is Encryption Europe doing about this?

Our friends at Encryption Europe hold regular open panels and workshops on the importance of encryption. In light of growing concerns in Europe about the European Council’s Resolution calling for a “balanced” approach to encryption. During the panel, Timothée Rebours had this to say, "Encryption is a fundamental tool to protect the confidentiality of personal data and the security of the information systems, specifically enshrined in article 32 of the GDPR." Similarly, Gregory Wawszyniak added, "Encrypting data represents a way to ensure confidentiality of personal data and strengthen the resilience of processing systems. An appropriate and effective encryption solution can in fact be a means of demonstrating compliance with the security requirements of the GDPR."

The fight for online privacy

There are a number of organizations fighting for online privacy rights, all over the world. Some notable ones are:

The links provided will take you to their websites, so you can learn more about how to help protect online privacy rights.

Protect your privacy

You can help make privacy rights the next big election issue, no matter where you live, by contacting your local and federal governments. Together, we can keep strong encryption the standard.

Warm rawr-gards,
the TunnelBear Team