In 2003, US air travellers were informed that they would have to use a ‘TSA approved’ luggage lock on their checked baggage. These locks could be opened using master keys held by the US’s Transportation Security Administration (TSA), thereby allowing them to inspect any checked item of luggage for explosives and then relock it. Non-approved locks would be broken off by inspectors, leaving the bags unsecured for the sake of national security and passenger safety. In 2015, plans were posted online allowing anybody with a 3D printer to produce their own master keys, giving anybody easy access to Americans’ locked luggage.
Today, the US and some EU governments are reported to want to apply a similar approach to our email and personal communications, calling for public authorities to have ‘back door access’ to encrypted devices and communications services in the name of national security. Unsurprisingly, civil liberties advocates have strongly resisted these calls, but so have technology experts. Pointing to the possibilities for exploits that such backdoor access would create, they have warned of the risk this would pose for cybersecurity in Europe and the companies, people and infrastructure that depend on it.
It is clear that the debate of personal security and privacy versus national security is not a new one, yet the circumstances of this debate are different. With entire sectors now reliant on a secure digital environment in order to be able to conduct business, and more and more sensitive information stored online, keeping our technologies secure has become of paramount importance for the functioning of Europe’s economies. At the same time, the incentives for cybercriminals and other hackers have also increased, and companies across the globe are becoming increasingly aware of this growing cyber threat; PwC’s 2016 Global State of Information Security Survey found that 38% more security incidents were detected in 2015, compared to the previous year, and Germany’s IT association Bitkom has estimated that over two-thirds of German industrial companies have been victims of digital crime over the past two years. UK government research, meanwhile, has found that two-thirds of large businesses experienced a cyber attack or breach in the past year.
In this environment, it is understandable that governments, companies and individuals will want to have the most resilient and secure systems and devices. However, whereas the EU’s Commissioner for the Digital Single Market, VP Andrus Ansip, has repeatedly voiced his objection to back door access, the evolving debate in other EU member states could require the Commission to take a more nuanced approach. Measures such as the UK’s recent Investigatory Powers Bill, or the recent vote by French lawmakers to fine companies that do not decrypt data for investigating authorities, could limit the use of the most secure forms of encryption in these countries, such as end-to-end encryption. With other countries such as the Netherlands clearly rejecting limits on encryption, and Hungary reportedly considering a ban on encryption, it is very possible that differing national systems could place pressure on the internal market for digital goods and services, strengthening calls for an EU-wide approach.
Initial steps in this direction have, to some extent, already been taken; the Commission has launched the EU Internet Forum in the context of its work on the European Agenda on Security, bringing together Ministers and CEOs of major internet companies to, amongst other things, explore ‘the concerns of law enforcement on new encryption techniques’. Whilst this has been with the support of the European Parliament, whose MEPs, who last year raised their ‘serious concerns over the increasing use of encryption technologies by terrorist organisations’, its narrow scope and the closed discussion will leave many dissatisfied.
Yet, any decision in the US or another large economy to enable access to encrypted content and communications could make European preferences for stronger security irrelevant. Europe would do well to have an open discussion on what it should do about encryption before it finds itself trying to catch up with decisions made elsewhere.
Michael Wilen, Account Manager
To share your views on why EU Matters, contact us at: email@example.com