In a significant development, Prime Minister Theresa May is advocating for technology companies, including major players like Facebook, Apple, and Google, to implement controversial ‘backdoors’ that would enable law enforcement access. However, she is aware that the concept is rife with complexities that extend beyond mere implementation.
The European Parliament’s Civil Liberties, Justice and Home Affairs Committee is actively working on a draft proposal aimed at tightening privacy and electronic communication regulations. The proposal advocates for enforcing end-to-end (E2E) encryption across communications while explicitly prohibiting any access backdoors for law enforcement agencies.
“The protection of confidentiality of communications is an essential condition for safeguarding fundamental rights and freedoms,” the document states.
Prioritizing User Security
According to the draft, the emphasis should be on enhancing, not compromising, protections for EU citizens. The document asserts that users deserve a guarantee regarding the confidentiality and safety of their data. Any backdoor could weaken this critical privacy.
In this context, a backdoor is defined as “a feature or defect of a computer system that allows surreptitious unauthorized access to data.”
Numerous governments, including the U.S. Department of Defense, have pressured major tech companies to establish backdoor access, thus allowing federal authorities to intercept user data and communications. However, experts caution that such backdoors are not secure and can be exploited by malicious actors.
End-to-End Encryption Proposed
The draft strongly advocates for the implementation of E2E encryption as a way to complicate federal requests for data from tech firms. The proposal seeks to outlaw decryption of user information and the establishment of any backdoors that would enable government access to private information.
If approved, these amendments would significantly hinder government enforcement of Section 49 of the Regulation of Investigatory Powers Act (RIPA) 2000, which mandates the removal of “electronic protections” when feasible.
For context, E2E encryption secures communications by encrypting data on the sender’s device before it reaches the company server. The server then transmits the encrypted data to the intended recipient, who is the only one able to decrypt it.
The critical takeaway is that no intermediary—such as application service providers, Internet service providers (ISPs), hackers, or even law enforcement—should have the capacity to access or alter the data.
“When end-to-end encryption is utilized, any form of decryption, reverse engineering, or monitoring shall be strictly prohibited,” the draft specifies.
“Member States shall not impose any obligations on electronic communications service providers that would weaken the security and encryption of their networks and services.”
Addressing IoT Security
In its draft, the committee notes that existing regulations must evolve to address the vulnerabilities exposed by machine-to-machine communications in the Internet of Things (IoT). The growing interconnectivity of devices is creating new challenges for citizen privacy and data security.
Thus, the proposed Regulation aims to encompass not only conventional human communications but also machine interactions, ensuring comprehensive protection for privacy and data confidentiality. It seeks to create a safe and trusted IoT environment within the digital market.
Ultimately, the committee envisions that avenues of communication—including voice calls, internet access, instant messaging, email, and social media interactions—should be fortified against unauthorized access from hackers or governmental entities.
The draft also includes stipulations requiring applications, browsers, ISPs, and connected devices to honor no-track requests from users and to access data only with explicit user consent.
However, it is crucial to recognize that many technology firms operate under U.S. jurisdiction, and as the post-Snowden landscape demonstrates, the location of data storage can significantly alter the impact of jurisdictions and regulations.