The EU has joined the UK in poking the Big Tech bear on encryption backdoors with its ProtectEU security strategy, which outlined plans to allow law enforcement to access encrypted data.

While not legislation in itself, the ‘European Internal Security Strategy’ laid out the commission’s security goals, including the launch of a new Cybersecurity Act to secure cloud and telecom services and an assessment of the EU’s data retention rules on encrypted content.

It said the commission will prioritise “the preparation of a Technology Roadmap on encryption, to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data in a lawful manner, safeguarding cybersecurity and fundamental rights.”

Under the umbrella of a “change of culture on internal security”, ProtectEU outlined a number of stronger powers on cybersecurity for authorities such as Europol, which last year said Meta’s end-to-end encryption (E2EE) rollout had undermined its safety obligations.

The EU cited the findings of its High-Level Group on data access for law enforcement and said “systematic cooperation” between authorities and service providers was essential to “disrupt the most threatening criminal networks and individuals”, with 85% of criminal investigations now relying on access to digital information.

If it goes ahead, the encryption policy would no doubt see pushback from big tech companies following Apple’s fallout with the UK government over its own backdoor demands and the security implications of providing a way into encrypted backups, a debate currently playing out in the country’s courts.

Speaking to The Stack before the release of the ProtectEU strategy, Robin Wilton, Senior Director of Internet Trust at non-profit the Internet Society, said the UK’s policy seemed to be “punishing people for backing their data up.”

He said: “We want the benefits of the internet to reach everyone and measures that undermine encryption undermine the trustworthiness of the internet and they undermine people's experience of the internet as a trustworthy place.”

Wilton had also warned the UK’s backdoor push was part of an international trend, citing similar “traceability” and data access pushes in India, China and Australia and a creeping desire for more access for authorities in the Five Eyes intelligence alliance.

While referring to the UK government’s legal challenges, he said the EU’s current GDPR law considered a mobile device to be part of a person’s private sphere and this should be extended to data on it, even if encrypted elsewhere.

“How can you possibly argue that my mobile phone is part of my private sphere, but the encrypted backup I make of it and happen to store somewhere else is not part of my private sphere? It just doesn't make sense.” - Robin Wilton

Elsewhere in the ProtectEU strategy, the EU said it would look at “measures to reduce dependencies on single foreign suppliers”, a goal likely to please European tech companies that had called for the organisation to provide more support in the face of US tech dominance last month.

Citing both cyberattacks and foreign misinformation campaigns, the ProtectEU document said current dependencies made the bloc vulnerable to “hybrid campaigns by hostile states”.

The issue needs to be “addressed as a matter of priority”, it said, committing the EU to collaborating with key industries to produce security solutions and revisit procurement rules with an eye on addressing “critical resilience needs.”

Henna Virkkunen, the commission's EVP for tech sovereignty, security and democracy, said: "Security is a pre-condition for our democracy and prosperous economies. The EU must be bold and proactive in addressing the complex security challenges we face."

Quantum cryptography was also a big concern in the strategy, with the EU set to work with its member states on the transition to quantum-ready security and to enforce quantum-safe encryption for "high-risk cases" at "critical entities" by 2030.
