European Parliament justice body warns against weakened encryption

Neil Merrett Published 20 June 2017

Privacy International says home affairs committee's calls to guarantee encrypted communications among member states do not go far enough to safeguard personal data and devices


The European Parliament's Committee on Civil Liberties, Justice and Home Affairs has recommended further safeguarding electronic data and preventing any efforts to weaken encryption technology amidst vows from member states such as the UK to crack down on "online safe spaces".

On the back of wider debate in the UK and other EU countries about balancing national security interests with the right to secure and private online correspondence via public and private sector service providers, human rights campaigners have argued that not enough is being done to prevent data breaches.

The emergence of Internet of Things (IoT) technology and the implications for all personal data generated by its use are among a broader number of considerations that privacy campaigners argue will need to be addressed in future EU legislation that would have ramifications for UK law at least until 2019.

In light of multiple terrorist attacks that have occurred in UK cities over the last month, Prime Minister Theresa May has accused "big companies" that provide internet-based services of giving extremist ideologies a safe space to be published and disseminated online, requiring tighter legislation.

"We need to work with allied, democratic governments to reach international agreements that regulate cyberspace to prevent the spread of extremism and terrorist planning. And we need to do everything we can at home to reduce the risks of extremism online," she said ahead of the June 8 General Election.

However, the European Parliament committee report on privacy and electronic communications has recommended legislation that would require member states not to impose obligations on electronic communications service providers to weaken security or encryption of digital services. If passed, this would directly challenge May's and other member states' ambitions to create methods for accessing encrypted and secure systems.

The findings in their current wording would demand "sufficient protection" against unauthorised access or altering of electronic communications data. This would still require approval by the European Parliament's elected officials, who represent over two dozen nations of differing political leanings.

"Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services," noted the report in one of a broad number of conclusions.

Tomaso Falchetta, legal officer for the human rights charity and advocacy group Privacy International, argued that the draft and proposals set out by the commission committee on justice and home affairs showed much more must be done to ensure the integrity and security of networks.

Falchetta argued that there was significant room for improvement on the report's recommendations, especially around implications for technology, despite praising some of the broader pledges around encryption.

"We welcome the fact that this report to be adopted by the European Parliament Committee on Civil Liberties, Justice and Home Affairs addresses some of these shortcomings. For example, Privacy International believes that the e-privacy regulation should be clearer that it protects the confidentiality of data shared across the increasing number of devices connected to the internet i.e. the Internet of Things (IoT)," he said.

"The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data."

Responding specifically to Theresa May's comments earlier this month on potentially pursuing heightened regulation of the internet and online service providers - an aim that will be more difficult after the Conservatives lost their parliamentary majority in the General Election - Falchetta claimed that her calls would serve only to weaken the security and confidentiality of digital communications in the UK.

"Already the Investigatory Powers Act gives the power to the secretary of state to demand companies to remove or otherwise weaken encryption. These measures would potentially require companies to fundamentally alter their systems by building in the permanent capability to undermine encryption on any individual customer's communications," he said.

"As such these measures would run contrary to one of the key amendments included in the European Parliament report, where it proposes that 'member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.' Would the amendment suggested in this report be included in the final text of the regulation? That is too early to say."

Privacy International pointed to the European Commission's own survey data of over 26,000 people across the EU that sought to gauge public opinion on e-privacy. The findings concluded that two thirds of the survey group believed that they should be able to encrypt messages and calls to ensure only a recipient could receive information.

However, on the back of terror attacks across the EU over the last twelve months, Privacy International rejected arguments that online privacy and national security could not co-exist.

"Information security measures such as encryption are an enabler of privacy, and in turn, keep people safe," argued Falchetta.

"Without information security our devices, our services, and our infrastructure are at risk. Encryption is a fundamental part of our modern life, heavily relied on by everything from online banking and online shopping services, to the security of our energy infrastructure."
