France and Germany want to compel operators of mobile messaging services to provide access to encrypted content for terrorism investigations, after a series of deadly attacks in both countries.
French intelligence services, on high alert since attackers killed hundreds of civilians in Paris in November and in Nice in July, are struggling to intercept messages from Islamist militants.
Many of the groups now use encrypted messaging services rather than mainstream social media, with Islamic State a big user of such apps, investigators in several countries have said.
French Interior Minister Bernard Cazeneuve said the European Commission should draft a law obliging operators to cooperate in investigations of militants.
“If such legislation was adopted, this would allow us to impose obligations at the European level on non-cooperative operators,” he told a joint conference with his German counterpart in Paris.
The European Commission said it welcomed the Franco-German initiatives. An existing online privacy framework is already under review, it said.
“Security is a national competence, but creating the right framework at EU level will help member states carry out their duty to protect our citizens,” spokeswoman Natasha Bertaud said.
Telegram under the spotlight
Cazeneuve singled out an app operated by Telegram, which he said did not cooperate with governments, adding that legislation should target both EU and non-EU companies. A spokesman for Telegram did not immediately respond to a request for comment.
Telegram, founded by Russian Pavel Durov in 2013 and incorporated in several jurisdictions, promotes itself as ultra-secure, because it encrypts all data from the start of transmission to the finish.
A number of other services, including Facebook Inc’s WhatsApp, say they have similar capabilities.
Cazeneuve’s initiative, which he hinted at earlier this month, has come under fire from privacy and digital experts, who warned against opening “back doors” that would let governments read content.
“How could we then prevent terrorists from creating their own encrypted apps and, as a consequence, enjoying a higher level of security than users who have nothing to hide?” privacy advocates wrote in a piece in the newspaper Le Monde on Monday. Among them was the head of CNIL, France’s privacy watchdog.
“Cracking down on encryption for the wider public would therefore give a monopoly on its usage to organisations that would abuse it.”
US tech giants worried
A US-based tech lobby group, CCIA, which represents companies such as Facebook and Google, said it was worried about the proposals.
“It is certainly understandable that some would respond to recent tragedies with back doors and more government access,” said Christian Borggreen, Europe director at CCIA. “But weakened security ultimately leaves online systems more vulnerable to all types of attacks from terrorists to hackers. This should be a time to increase security – not weaken it.”
France and Germany – where nerves are raw following a wave of attacks on civilians this summer, including two claimed by Islamic State – are also seeking closer links between the continent’s databases of personal information.
That would cover data on visas, potential militant threats within the border-free Schengen area, refugees and airline passengers, German Interior Minister Thomas de Maiziere said.
“We believe that after Brexit … it’s important to make clear where Europe offers better solutions for our members than if we carried out those solutions unilaterally – and that includes the areas of internal and external security,” he said.
Several EU politicians have called for technology companies to create backdoors to encrypted communication systems for law enforcement agencies. Such calls were reignited after terrorist attacks in Paris last November.
But others have warned about the security risks this might create for the wider digital economy. Andrus Ansip, the European Commission Vice-President in charge of the Digital Single Market, said he was “strongly against any backdoor to encrypted systems,” adding that this would have a ripple effect and weaken security in other areas like e-banking and e-voting.
In May, two EU agencies that have been on opposite sides of the debate on encryption agreed on limits to law enforcement agencies’ access to private data.
The agreement between EU cybersecurity agency ENISA and Europol marked a surprise turn in EU officials’ struggle over secure communication. After two days of meetings, the two agencies said they’d found common ground on when police can intercept encrypted communication.
While they oppose mandatory backdoors in encryption, they said police should have more leeway to crack encryption legally.
The directors of the two agencies said that if encrypted information is needed for security reasons, “feasible solutions to decryption without weakening the protective mechanisms must be offered, both in legislation and through continuous technical evolution”.
- September 2016: European Commission to propose overhaul of EU telecoms law.