On the 14th of December 2020 the Council of the European Union adopted the Resolution on Encryption – Security through encryption and security despite encryption (1). The resolution requires that “Competent authorities must be able to access relevant data in a lawful and targeted manner, in full respect of fundamental rights and the relevant data protection laws, while upholding cybersecurity […]”. The text calls for adequate access to encrypted content, while at the same time claiming that neither backdoors nor weakened encryption shall be implemented.

However, this approach is technically impossible according to more than 450 encryption experts (2)(3), which implies that the Digital Rights of citizens inside and outside the European Union would be violated.

In a cyber context, Digital Rights refer to fundamental human rights, among them: freedom of expression, the right to privacy, legal rights when using electronic devices, and many more (4). Digital Rights guard our democracy and enable secure communication between individuals, civil society, activists, public services, and companies.

Moreover, software is not bound to any region and consequently the regulation would affect the whole world. A lack of encryption would result in various negative consequences for different actors in our interconnected society:

  • Europe would no longer count as a “safe harbour” for human rights, including freedom of speech;
  • Companies would find it hard to guard trade secrets (e.g. incidents like the recent theft of COVID-19 vaccine data (6) would increase);
  • Investigative journalists would be highly endangered;
  • Critical infrastructures would be at higher risk of being hacked;
  • Digital technology such as autonomous driving or Internet of Things devices would be more susceptible to being hacked.

Security experts claim that every backdoor diminishes security and will eventually be usable by people with malicious intent (2). No digital system can be claimed to be completely secure: these systems become increasingly complex, software is always evolving, and there is always the human factor. This resolution, however, would force companies to add a known risk to their systems.

Also, given its vague nature, the resolution does not clearly define who exactly the “competent authorities” will be, nor does it explain how the new legal framework will ensure that such power won’t be abused by authorities that don’t stand for human rights.

Because “If privacy is outlawed, only outlaws will have privacy” (5), AEGEE-Europe, representing thousands of young people in Europe, stands behind more than 450 IT security experts (2)(3) and demands:

  • Safeguard Digital Rights within the EU;
  • Stop weakening encryption, which will weaken the EU’s cyber security & encryption;
  • But rather: Strengthen encryption with an uncompromising right to encryption which includes:
    • Encryption shall be the standard, not an exception;
    • Ban of weakening of software security;
    • Obligation to communicate software security leaks.

Sources:

  1. https://data.consilium.europa.eu/doc/document/ST-13084-2020-REV-1/en/pdf
  2. https://sites.google.com/view/scientists4crypto/
  3. https://www.globalencryption.org/wp-content/uploads/2020/11/2020-Breaking-Encryption-Myths.pdf
  4. https://en.wikipedia.org/wiki/Digital_rights
  5. https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html
  6. https://www.reuters.com/article/us-ema-cyber/hackers-steal-pfizer-biontech-covid-19-vaccine-data-in-europe-companies-say-idUSKBN28J2Q7