European law enforcement agencies want to innovate “with” encryption
However, this may not be as bad as one may think.
On 13-14 September, the EU Innovation Hub for Internal Security conference held a closed roundtable to discuss how to improve the work of law enforcement agencies confronted with encrypted data. More specifically, the aim was to examine how progress can be made in tackling the constraints on law enforcement and justice created by encryption without creating additional risks for fundamental rights or the legitimate protection of information.
Encryption Europe, the alliance that I have coordinated since 2019 and that Tresorit is a valued member of, was invited to present its perspective on this topic, and more specifically, on innovation on metadata and dialogue with OTT providers .
On this sensitive topic, I can’t think of a better contribution than the one published by Ciaran Martin less than a year ago: End-to-end encryption: the (fruitless?) search for a compromise. Martin, Professor at the Blavatnik School of Government, University of Oxford, is the former Chief Executive Officer of the National Cyber Security Centre of the UK: he acutely understands the challenges of balancing national security interests with the interest of the nation as a whole in staying secure. In his insightful publication, Martin clearly describes what is at stake. For a deeper understanding of the matters I address below, I strongly urge everyone to read his easy-to-read paper.
Now that you have this background in mind let me address three questions: What happened at the EU Innovation Hub last week? Why is it (potentially) meaningful? What’s next, realistically?
What happened at the EU Innovation Hub last week?
On the face of it, not much. Some people presented projects that are already public, and academic, industry and law enforcement representatives exchanged views that were also previously known. As far as Encryption Europe is concerned, we made the case, surprise surprise, for the critical importance of encryption in the EU. We advised governments to stay away from certain bad practices (again, see Martin’s paper for details) and support good practices such as developing policies based on facts (transparency reports published by OTT providers are a first step in the right direction) and involve trustworthy third parties (such as academia or industry representatives such as, guess who, Encryption Europe). Our full report is published on our website.
Why is it (potentially) meaningful?
You will have understood from Martin’s publication that the encryption debate is old and still very much alive, and no one, neither the Five Eyes nor the EU (and its Member States), are able to clearly define how far the right for encryption without backdoors can be protected. In such a context, the fact that the European Commission put together a multi-agency meeting and discussion with participants from industry and academia is a valuable step forward. I can already hear the sceptics stating that the EU is good at talking and not at delivering results. That may be the case, but this is quite unavoidable in a union of 27 Member States. In this instance, I am glad we have the capacity to create a space for multi-stakeholder discussion that is inclusive of law enforcement and human rights viewpoints. Indeed, I am pleased to say that I did not hear anyone calling for backdoors or weakening encryption. That is quite an achievement in itself!
What’s next, realistically?
The short answer is that I don’t know, and I suspect that no decision has been made on the next steps. In an attempt to look for solutions, Encryption Europe suggested that a multi-stakeholder dialogue is organised within the trusted environment of the Council of Europe (CoE). The CoE, based in Strasbourg in France, is the house of human rights and democracy. What is unique with this international governmental institution is that it has an undisputed track record in defending human rights (it operates the European Court of Human Rights), democracy (it paved the way for democracy of most East-European countries after the collapse of the USSR), and the fight against cybercrime (with its Cybercrime Convention, one of its most successful instruments). The possibility that the CoE plays a role in the short term may be slim, but given that
- law enforcement agencies cannot operate in legal and political uncertainty and
- that there is no chance we make progress if we do not inject new trusted players into the discussion,
I would say that this institution will sooner or later be the right place for defining a way forward. Until then, at least the EU Innovation Hub for Internal Security is a new and promising initiative for mature and healthy policy work.