Thorsten Benner and Mirko Hohmann
BERLIN — While Europe has
taken a great interest in the “crypto war” between the U.S. government and
Apple as well as other Silicon Valley behemoths, it has yet to wake up to the
gathering storm of encryption policy within its own borders. Various
EU governments have proposed unilateral measures on how to deal with
encryption, and the split between advocates of encryption and staunch opponents
is growing.
Hungary’s ruling party Fidesz
has suggested legislation that would make
encryption software illegal. In France, a draft bill threatens to fine tech
companies unwilling or unable to decrypt user data. Similar measures are being discussed in the U.K. as part of the draft
Investigatory Powers Bill.
Meanwhile, in the Netherlands
the government has argued that it is not
“desirable to take legal measures against the development, availability and use
of encryption.” The Germans also support “more and better encryption.” In its Digital Agenda, the German government even resolved
to become the “world leader in encryption.”
* * *
A lot is at stake in this debate today.
Encryption is by far the most important technology for the safeguarding of
online security and privacy. Without it, the digital economy would
collapse. Yet, as we know, criminals and terrorists use encryption to
shield their communication from law enforcement agencies afraid of “going
dark.”
But so far neither side of the debate has come up with
the right answer. The anti-encryption camp’s solutions are impractical and
harmful. It is impossible to give government access to encrypted communication
in a way that would not undermine encryption as a whole and compromise users’
security. If France and Hungary were to make it difficult or illegal for
companies such as Apple or WhatsApp to offer encryption, interested users could
choose from a wide variety of alternative tools freely available from other
providers across the globe.
So it is not surprising that the European
cybersecurity agency ENISA has come out strongly against backdoor
measures, a view shared by most law enforcement officials, not least because
encryption is essential in the protection of citizens’ data against criminals.
Law-abiding citizens would be the ones to lose out on a law that bans or
weakens encryption. It’s unlikely criminals and terrorists would be cowed by
such measures.
The pro-encryption camp has not offered up a way to
address legitimate concerns by law enforcement. Reacting to the Brussels
attacks in March, Europol director Rob Wainwright said: “Encrypted communication via the internet and
smartphones are a part of the problems investigators face.” There will be more
and more cases in which law enforcement bodies are unable to access data stored
on a criminal’s phone or monitor online conversations between terrorists.
German Federal Prosecutor General Peter Frank
correctly emphasized that “law
enforcement and security agencies need to be able to keep pace with
technological progress.”
* * *
Getting encryption right will require a
new European consensus that provides answers to the concerns of law enforcement
in a way that doesn’t undermine the vital role of encryption for citizens and
the economy.
To that end, EU governments should take an “encrypted
world” as a given and decisively bid farewell to anti-encryption legislation
and backdoors. Instead, the discussion should focus on identifying the tools
and resources law enforcement needs in order to fulfill its duties in the face
of ubiquitous encryption.
Improving and potentially pooling technical
capabilities should be a second priority. If agencies cannot access encrypted
communication, computer network exploitation software (also called device
hacking) can give them direct access to a suspect’s computer or mobile phone.
Yet only a few European countries have access to these tools. And where they do
— such as with the German exploitation software Bundestrojaner —
they are often technologically limited and lack a clear legal framework.
Similarly, many countries lack the computing
capacities to break certain encrypted devices by “brute force,” and do not have
the appropriate staff to put these new technologies to the best possible use.
EU countries should agree on the capabilities they need and develop a platform
to consolidate and exchange them.
Finally, the EU must double
down on its efforts to update mutual legal assistance regimes, especially its
cooperation with the U.S.
The times in which law
enforcement agencies served a domestic telecommunications provider with a
warrant to gain access to a suspect’s phone conversations are over. A more
diverse set of companies now play a role, and most of these are based in the
U.S. If the FBI is “going dark,” European agencies should be going even darker,
since cooperation across the Atlantic is inevitably slower.
In contrast to their American
counterparts, European agencies often lack informal access to American
companies and hold less legal sway over them.
In order to pave the way for a
European consensus on such measures, the Dutch EU presidency should make
encryption a priority for the remainder of its term and source suggestions
on how to strengthen law enforcement bodies from policymakers and experts
across the Continent — especially in countries currently considering
anti-encryption legislation.
EU disunity on encryption
weakens Europe’s voice on the global stage on one of the key digital policy
issues of our time. The lack of a common policy undermines its common digital
market and obstructs the fight against organized crime and terror.
It is about time EU
governments jointly live up to this task rather than going it alone.
Thorsten Benner and Mirko
Hohmann are researchers with the Global Public Policy Institute (GPPi) in Berlin.