As one might expect, the Paris attacks have provided to EU member states and politicians the opportunity to strengthen the legal means of surveillance available to intelligence services and enforcement authorities. Will this tip the balance between privacy and security?
At the center of today’s discussions: the encryption of data transiting through and/or saved on certain devices such as smartphones and laptops, and some of their messaging applications. Michael Rogers, Director of the U.S. National Security Agency, declared on February 17 that because of encrypted communications used by terrorists to plan their actions, “we did not generate the insights ahead of time. Clearly, had we known, Paris would not have happened.”
Following the attacks, various French and UK politicians targeted smartphone manufacturers and mobile application developers. For instance, on February 25, French Parliamentarian Eric Ciotti proposed an amendment to a new bill debated in the wake of the Paris attacks, imposing a fine of up to 2 million euros to any company refusing to provide the encryption keys enabling authorities to disclose data held by a suspected terrorist, and prohibiting such company from selling its products for one year. Currently, the bill only applies to manufacturers and provides a five-year period of incarceration and a fine of up to 350,000 euros.
In the UK, politicians called for expediting the passage of the draft Investigatory Powers Bill – dubbed the “Snooper’s Charter” by its critics – which expands the power of security agencies to monitor Internet records and to compel companies to decrypt data for the police. Last week, a revised version of the bill was published to address pre-legislative committee concerns. The latest draft of the bill makes it clear that companies will only be required to remove encryption that they have themselves applied when it is financially and practically feasible.
For terrorism prevention, these measures seem perfectly legitimate. However, one must remember that cryptology has experienced liberalizations in Europe and is now considered one of the best tools to ensure the protection of privacy. Its use has been generalized and has become mandatory in several sensitive sectors such as electronic financial transactions. What is more, the future General Data Protection Regulation (GDPR) should confirm the principle of privacy by default, which is precisely implemented by the latest encryption methods used by industry.
Companies could try to dismiss an authority’s request by invoking this privacy-by-default principle, whether by designing products so only consumers hold encryption keys, or by not even storing encrypted data at all. France, and to a lesser extent the UK, aim to limit this possibility. Whether these attempts will be considered compliant with the EU instruments for protection of privacy and data protection remains to be seen.
For more information on encryption, cybersecurity and the privacy-by-default principle, please refer to the following prior Password Protected blog posts: