EU Commission Kicks Off 2025 With Yet Another Plea For Backdoored Encryption
The EU Commission spent most of 2024 getting knocked around by opponents of its anti-encryption efforts. While it did find some support from countries with, shall we say, more authoritarian urges, most countries that still actually cared about security and privacy pushed back, resulting in the Commission putting encryption backdoors on the back burner until the next legislative session.
But there was never any reason to believe the EU Commission wouldn’t make another effort to push this past the member nations of the EU Council. Now that nearly half a year has passed, the EU Commission is getting back to basics: ensuring public safety by actively undermining public safety.
Here’s Iain Thomson, reporting for The Register:
The EU has shared its plans to ostensibly keep the continent’s denizens secure – and among the pages of bureaucratese are a few worrying sections that indicate the political union wants to backdoor encryption by 2026, or even sooner.
[…]
“We are working on a roadmap now, and we will look at what is technically also possible,” said Henna Virkkunen, executive vice-president of the EC for tech sovereignty, security and democracy. “The problem is now that our law enforcement, they have been losing ground on criminals because our police investigators, they don’t have access to data,” she added.
“Of course, we want to protect the privacy and cyber security at the same time; and that’s why we have said here that now we have to prepare a technical roadmap to watch for that, but it’s something that we can’t tolerate, that we can’t take care of the security because we don’t have tools to work in this digital world.”
This all sounds somewhat reasonable if you take VP Virkkunen at her word. Of course, the claim that police investigators are routinely stymied by a lack of “access to data” demands a citation, but there’s nothing in Virkkunen’s statement that clarifies how often this is actually a problem. Obviously, it happens in more than 0% of cases. But is it actually happening so often the only solution is breaking encryption for everyone, not just the criminal suspects law enforcement officers are interested in?
The report [PDF] doesn’t offer much clarification either. It does, however, open with a statement that apparently expects EU residents to believe that their personal security is far less important than (multi)national security that apparently can only be obtained by undermining the security of millions of people. (Emphasis in the original.)
Security is the bedrock upon which all our freedoms are built. Democracy, the rule of law,
fundamental rights, the wellbeing of Europeans, competitiveness and prosperity – all hinge on
our ability to provide a basic security guarantee. In the new era of security threats that we now
live in, EU Member States’ ability to guarantee security for their citizens is more than ever
contingent on a unified, European approach to protecting our internal security. In an
evolving geopolitical landscape, Europe must continue to make good on its enduring promise
of peace.
What the EU Commission would like readers to believe is that their opinions (and their personal security) matter.
We need a whole-of-society approach involving all citizens and stakeholders, including civil society, research, academia and private entities. The actions under the strategy therefore take an integrated, multi-stakeholder approach wherever possible.
“Wherever possible.” There’s the carve-out. Since most of this has to do with national security, it will be explained to stakeholders refused entry to the discussion that the issues are far too sensitive to be observed and discussed by mere members of the public, no matter how well-qualified they are to discuss these issues.
It takes a few more pages before the EU Commission finally lays out its anti-encryption goal. (Emphasis in the original.)
[T]he Commission will present in the first half of 2025 a roadmap setting out the legal and practical measures it proposes to take to ensure lawful and effective access to data. In the follow-up to this Roadmap, the Commission will prioritise an assessment of the impact of data retention rules at EU level and the preparation of a Technology Roadmap on encryption, to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data in a lawful manner, safeguarding cybersecurity and fundamental rights.
This is all about giving law enforcement encryption backdoors. Any pretense of involving all shareholders has pretty much been dismissed at this point. On top of that, the vague assertion by VP Virkkunen about cops “losing group to criminals” due to a “lack of access” to device and communications content isn’t actually backed by the contents of this report. All it has to say on the subject is an absurdly obvious statement of fact that doesn’t actually state one way or the other whether or not investigators are having problems accessing this information without the use of encryption-breaking assistance:
Around 85% of criminal investigations now rely on law enforcement authorities’ ability to access digital information.
The report from EU law enforcement complaining (equally vaguely) about the same issue is similarly devoid of hard data detailing encrpytion’s deleterious effect on criminal investigations. Instead, it provides a long list of options currently available to law enforcement before somehow arriving at the conclusion that all of these options simply aren’t enough. What law enforcement wants is instant access to whatever it wants to access. But that was never the reality even back in the good old pre-digital days.
It’s the height of entitlement to claim you deserve full access to anything cops come across simply because it can now be held entirely in a device that fits into someone’s pocket. Criminals have always tried to hide or destroy evidence. But just because they have done this for years, no one has suggested it’s illegal for people to own paper shredders, fire pits, shovels, or access to nearby bodies of water. And certainly no one ever suggested it should be up to the government to decide whether or not people should have access to any of these things.
The EU Commission wants the impossible: “secure” backdoors that only the good guys can access. And if it can’t have that (and it can’t), it’s more than happy to have the next best thing: backdoors that can be exploited by criminals, so long as they can also be exploited by cops.