Encryption locks personal data, but governments and law enforcement agencies have long been concerned that terrorists and criminals are using these systems to literally get away with murder.
Terror attack in France and Austria
Following recent terrorist atrocities in France and Austria the EU are set to demand backdoor access. The draft EU resolution says while: ‘The European Union fully supports the development, implementation and use of strong encryption’ they are increasingly concerned that law enforcement can’t get ‘access to electronic evidence to effectively fight terrorism, organised crime, child sexual abuse (particularly its online aspects), as well as a variety of cyber-enabled crimes.’
This has sparked controversy among pro-security and pro-privacy groups.
YUDU Sentinel’s CEO Richard Stephenson sees this as a possible landmark event: “We might be at a tipping point when governments wrest back control from the social media giants. The public, desperate to stay safe, might just buy in. For a long time, businesses have become increasingly uncomfortable about secret and unknown communications passing between their staff without any corporate oversight. It would be natural to see the controllers wanting their power back, but this is a huge step for the EU if they have the nerve to take it.”
Others see this type of legislation as a direct attack on data privacy, which will aid criminals rather than deter them. Ray Walsh from ProPrivacy said: “Removing strong end-to-end encryption creates vulnerabilities that can be exploited not just by EU government agencies, but also by anybody – including hackers, cyber-criminals and state-sanctioned operatives from foreign governments – with the technical ability to discover that purposefully created backdoor.”
There is a particular concern that the backdoor ‘key’ could fall into the hands of governments with dubious human rights records such as Russia, Saudi Arabia or China. It might also just push criminal communications towards the dark web, where they are almost impossible to intercept.
No corporate oversight
Firms have long had concerns about staff using WhatsApp, not because of criminal intent, but because managers are denied access. Colleagues can set up chat groups but if a member leaves to go to the competition there is no way HR can remove them from the group if they take their mobile number with them. Former staff can still be listening in on commercially sensitive conversations, while working for the opposition. Chats can also be deleted, making WhatsApp of little use to firms needing to access messages in the wake of an emergency.
Richard Stevenson again: “Is the EU about to knock though the wall and open a backdoor to the privacy fortress of end-to-end encryption? I have long argued that these types of apps are great for family and friends, I use WhatsApp myself, but they have no place in a business environment. It’s not a question of snooping, firms must have legitimate access to what staff are doing and saying, what decisions and actions are being taken, particularly when it comes to post crisis review.”
The United States also seems to be on board with limiting encryption in an effort to fight crime. In October the Five Eyes intelligence group that comprises the US, UK, Canada, Australia and New Zealand released a statement that reflects much of the EU thinking: ‘Particular implementations of encryption technology pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children. We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content.’