EU member states want more competences to be able to probe messages with end-to-end encryption, according to a draft Council resolution that has been made available to EURACTIV Germany.

While this remains a political statement of intent, it is to be finally adopted in December. However, civil society organizations fear this could put a ‘nail in the coffin’ into end-to-end encryption, which was fought for in the “Crypto Wars” of the 1990s.

End-to-end encryption, also known as “E2E”, means that only the sender and the recipient of a message can read it as it is always encrypted. Someone intercepting the message would be unable to read as only the two end users would have a code on their respective devices to read it.

This is also one of the reasons why so-called “state trojans” are so popular with state authorities as they would allow them to read the decrypted messages directly on the end-user devices. While the German police have such a tool at its disposal, Austria’s courts struck down a law in December 2019 which had allowed state authorities to use “state trojans” for about a year.

“Better balance” between privacy and crime prevention

The EU “continues to support strong encryption” because this is “an anchor of trust in digitization,” the draft says.

However, this poses new challenges for law enforcement agencies. They are “increasingly dependent on electronic evidence to effectively combat terrorism, organized crime, child abuse, and other cybercrimes.

Encryption is an obstacle, the states write. It “makes the analysis of the contents of communications very demanding to practically impossible, although access to this data would be legal.” For this reason, “competent authorities” must be able to access encrypted data in order to combat terrorism, for example.

Technical solutions still need to be discussed with the companies behind the various messaging services, such as Facebook, Twitter, or Signal.

In all of this, the draft repeatedly emphasizes that the basic rights of citizens must be protected and only legal access should be guaranteed.

No way around platforms

Data protection activist and head of digital policy civil rights organization, epicenter.works, Thomas Lohninger, is not convinced by this.

“It is not possible to out-lever encryption only for bad intentions. This is not a legal problem, but a technological reality,” Lohninger told EURACTIV Germany in an interview.

Although it remains unclear how states would like to proceed technically, there are only a few options.

Since they want to cooperate with corporate platforms, there will likely be a backdoor or “third key” in addition to those obtained by the sender and receiver. Companies would have to build this third key and then make it available to security authorities.

So far, platforms have been able to successfully defend themselves against such requests to make their own products less secure. But the Council’s draft resolution suggests that the states are now seeking to use their ‘big legal guns’ to force platforms to cooperate, said Lohninger.

The data protection activist also fears that such a key might not only be used for monitoring that is in accordance with the rule of law and absolutely necessary.

Who gets the key?

“As soon as such a key exists, it creates covetousness,” according to the expert. Although third countries with less strong legal systems, such as Saudi Arabia or China, could get their hands on such a key, Lohninger fears players in EU member states such as the secret and intelligence services obtaining it could also be problematic.

In earlier drafts of surveillance laws, there had been talk of “law enforcement agencies” – i.e. the police, who are allowed to monitor. However, these have now become “competent authorities”. This also includes intelligence services, such as the German Federal Intelligence Service (BND). Although these are theoretically also subject to the rule of law, they often act in a non-transparent manner.

For example, the German Constitutional Court found in May that the BND had unconstitutionally monitored people abroad for many years.

The network activist Viktor Schlüter is also concerned. “That would be like ordering people to stop writing letters in too ornate handwriting so that they can be better intercepted and read,” said the co-founder of the “Digital Freedom” initiative in an interview with EURACTIV Germany. Schlüter wonders how it can be that authorities that have made mistakes in preventing attacks can be “given more surveillance powers”.

In the case of last week’s Vienna attack, the Austrian Office for the Protection of the Constitution is now under pressure. The assassin was a known perpetrator and although there had been warnings from Slovakia that he wanted to buy ammunition there, the office was unable to prevent the attack.

A special commission has been appointed to examine those responsible and there has already been a resignation: Erich Zwettler, head of the Vienna State Office for the Protection of the Constitution, voluntarily resigned. The opposition demands that he be succeeded by Interior Minister Karl Nehammer (ÖVP).

In any case, this draft is now being circulated within the Council’s working groups, meaning member states can still raise objections.

Edited by Samuel Stolton