EU to propose new rules targeting encrypted apps in June

EU Justice Commissioner Vera Jourova announced that she will propose legal changes in June affecting how police access encrypted data. [EC]

The European Commission will propose new measures in June to make it easier for police to access data on internet messaging apps like WhatsApp, EU Justice Commissioner Věra Jourová said yesterday (28 March), heeding calls from national interior ministers.

Jourová said she will announce “three or four options” including binding legislation and voluntary agreements with companies to allow law enforcement authorities to demand information from internet messaging apps “with a swift, reliable response”.

The announcement comes as interior ministers from EU countries have amped up pressure on the Commission to introduce new rules to help police crack through secure encryption and demand private data for investigations.

Non-legislative measures will be provisional “to have a quick solution”, since negotiations over EU laws can drag on for years before they are passed.

“At the moment, prosecutors, judges, also police and law enforcement authorities, are dependent on whether or not providers will voluntarily provide the access and the evidence. This is not the way we can facilitate and ensure the security of Europeans, being dependent on some voluntary action,” Jourová said.

Jourová said the measures would make it easier for law enforcement authorities to request and access data from online services that are registered outside their jurisdictions.

Pressure from UK, France and Germany

UK Home Secretary Amber Rudd said on Sunday (26 March) that encrypted messaging services should be forced to give access to police. Rudd singled out Facebook-owned WhatsApp just as British media reported that the attacker in last week’s London terrorist attack used the messaging app.

One day later, German Interior Minister Thomas de Maizière and his French counterpart Matthias Fekl told MEPs they want police to have the same legal right to access online services as they do to demand phone call information from telecoms companies.

“Germany and France have asked the European Commission to study the possibility of making internet operators subject to the same requirements as telephone operators,” Fekl said during a meeting of the European Parliament’s Civil Liberties Committee in Brussels.

The two countries have heaped pressure on the Commission to crack down on encrypted internet communication. De Maizière and former French Interior Minister Bernard Cazeneuve sent a letter to the executive last summer asking for legal changes to help police access encrypted data.

De Maizière told MEPs that voice-over-internet services like Skype should fall under the same security obligations as regular phone calls.

“We have to move from a system where we regulate based on the technology to a logic that is based on the use the technology serves,” de Maizière said. A legal change would be most effective on the EU level, he added, insisting that he does not want to create so-called encryption backdoors or built-in access for police that weakens security technology.

Gilles de Kerchove, the EU’s anti-terrorism coordinator, said “it’s much too early to say that backdoor would be a solution” for accessing encrypted data of messaging services like WhatsApp and Telegram.

“We all agree that we have to balance two concerns,” he told EURACTIV in a recent interview. “One is allowing the security services, police, and law enforcement agencies to get access to the content, which is important for security reasons. And at the same time, we need a very strong internet – we don’t want to create vulnerabilities.

“And the question is, can you open a backdoor for Europol only, or would that at the same time create a vulnerability and open a backdoor for the Russian mafia or third party state spies? This is part of the discussion but we are not there yet. There is internal work—it’s a tricky issue.”

ePrivacy directive

In January, the Commission proposed changes to the EU ePrivacy law affecting telecoms services and extended the eight-year-old privacy rules for the first time to internet services.

The proposal leaves national governments room to ignore some privacy safeguards if they threaten national security, but does not include measures regulating encryption. National ministers in favour of laws regulating encryption complain that they have no legal power to force internet firms to hand over secured data.

Five out of 12 EU countries – Hungary, Croatia, Italy, Latvia and Poland – that responded to a questionnaire sent out last year by the Slovakian government, when it held the rotating Council of the EU presidency, said they wanted an EU-wide law on encryption.

Germany’s response to the survey said any new regulations should not weaken privacy. Authorities in Germany have instead used software to secretly monitor communication on devices before it is encrypted. France did not respond to the survey.

Originally Posted by EURACTIV