Yesterday, the European Commission published a report setting out a range of responses to challenges posed by the use of encryption by criminals.
The ‘Eleventh progress report towards an effective and genuine Security Union’ sets out a broad package of anti-terrorism measures to be undertaken by the European Union over the next sixteen months, including actions to “support law enforcement and judicial authorities when they encounter the use of encryption in criminal investigations”. These are:
- Additional resources for Europol to further develop its decryption capabilities;
- The establishment of a network of points of expertise on encryption;
- The development of a toolbox of “alternative investigation techniques” by this network of points of expertise and the European Cybercrime Centre “to facilitate the development and use of measures to obtain information which has been encrypted by criminals”;
- Support for “structured dialogue” with service providers and other businesses under the umbrella of the EU Internet Forum and the network of points of expertise, with the involvement of civil society “where appropriate”;
- Funding of €500,000 for training programmes for law enforcement and judicial authorities to help obtain information which has been encrypted by criminals;
- Continuous assessment of technical and legal aspects of the role of encryption in criminal investigations, including through the establishment of an observatory function in collaboration with the European Cybercrime Centre at Europol, the European Judicial Cybercrime Centre, and Eurojust; and
- A legislative proposal, due to be introduced in early 2018, to make it easier for law enforcement agencies to access evidence located in another EU country, including encrypted information.
The availability of strong encryption has been widely recognised as essential to the full enjoyment of the right to privacy, freedom of expression, and a number of other human rights. In recent years, UN Special Rapporteurs, the UN Human Rights Council and governments across the world have publicly supported the use of encryption and opposed any attempts at weakening encryption standards. In today’s report, the European Commission itself called encryption “essential to ensure cybersecurity and the protection of personal data”.
The international human rights framework is clear that any restrictions on the availability or use of encryption must meet a three-stage test of being clearly set out in law, in pursuance of a legitimate aim, and necessary and proportionate to achieving that aim. Additionally, the value and importance of a multistakeholder approach in developing laws, policies and other measures that are both effective and rights-respecting is increasingly recognised and understood by governments, organisations and forums around the world.
Assessed against these criteria, the responses to the challenges posed by the use of encryption set out in the report are commendable. They are narrowly tailored towards the legitimate aim of combating crime and terrorism, and do not risk restricting or weakening the availability or use of encryption. In addition, the report explicitly rejects “measures that could weaken encryption or could have an impact on a larger or indiscriminate number of people”, such as mandatory ‘backdoors’, key escrow, or broader powers for law enforcement agencies to access encrypted communications and data. Such measures would undermine the benefits of encryption and jeopardise the human rights and security of users everywhere, and, as such, the Commission’s rejection of them is welcome.
At the same time, further clarity on the nature and scope of the proposed “alternative investigation techniques” is needed. Broad as it is, this term could encompass a range of actions – including physical searches of persons and property, compulsory handover of decryption keys (with sanctions for non-compliance), and hacking or surveillance techniques – which could have significant impacts on the human rights of the persons concerned, most notably the right to privacy. If used at all, these techniques must be consistent with international human rights law and standards. Without such safeguards, human rights are put at risk and confidence in the use of encryption is reduced. The European Commission should therefore provide further clarity on what techniques are envisaged, and what safeguards will be attached to their use.
Finally, the report’s commitment to the inclusion of industry and civil society in these discussions will – if realised – help ensure that measures to tackle challenges associated with the use of encryption also ensure the continued availability of strong encryption, which is crucial to the enjoyment of many human rights.
Beyond the actions set out in this report, encryption is also on the agenda of the Justice and Home Affairs Council, which comprises the Justice and Home Affairs Ministers of EU member states. The Council will likely consider the European Commission’s report at its upcoming meetings in November and December, and may propose further measures. GPD will continue to follow all discussions relating to encryption within the EU, and to scrutinise any proposed legislation or other measures for their compliance with international human rights law and standards.
For further information, contact Richard on firstname.lastname@example.org.