ProtonMail, Tutanota among authors of letter urging EU to reconsider encryption rules
Encrypted service providers are urging lawmakers to back away from a controversial plan that critics say would undercut effective data protection measures.
ProtonMail, Threema, Tresorit and Tutanota — all European companies that offer some form of encrypted services — issued a joint statement this week declaring that a resolution the European Council adopted on Dec. 14 is ill-advised. That measure calls for “security through encryption and security despite encryption,” which technologists have interpreted as a threat to end-to-end encryption. In recent months governments around the world, including the U.S., U.K., Australia, New Zealand, Canada, India and Japan, have been reigniting conversations about law enforcement officials’ interest in bypassing encryption, as they have sporadically done for years.
In a letter that will be sent to council members on Thursday, the authors write that the council’s stated goal of endorsing encryption, and the council’s argument that law enforcement authorities must rely on accessing electronic evidence “despite encryption,” contradict one another. The advancement of legislation that forces technology companies to guarantee police investigators a way to intercept user messages, for instance, repeatedly has been scrutinized by technology leaders who argue there is no way to stop such a tool from being abused.
The resolution “will threaten the basic rights of millions of Europeans and undermine a global shift towards adopting end-to-end encryption,” say the companies, which offer users either encrypted email, file-sharing or messaging.
“[E]ncryption is an absolute, data is either encrypted or it isn’t, users have privacy or they don’t,” the letter, which was shared with CyberScoop in advance, states. “The desire to give law enforcement more tools to fight crime is obviously understandable. But the proposals are the digital equivalent of giving law enforcement a key to every citizens’ home and might begin a slippery slope towards greater violations of personal privacy.”
The European Council resolution is just the latest effort from governments around the globe to weaken encryption for the benefit of law enforcement. Governments backing law enforcement entities’ interest in weakening encryption often suggest it is the only way they can glean important information about cases of terrorism or child sexual abuse, a sentiment the resolution repeats.
“For competent authorities, access to electronic evidence can be essential, not only to conduct successful investigations and thereby bring criminals to justice, but also to protect victims and help ensure security,” the resolution states.
But law enforcement authorities have long been finding workarounds to weakening encryption, demonstrating that they don’t, in fact, need to weaken encryption to do their jobs all the time. The American Civil Liberties Union has sued the FBI to provide more information about current capabilities in the FBI’s Electronic Device Analysis Unit to break into phones for electronic evidence, an apparent effort to hold up the Department of Justice’s calls for weakening encryption.
The adoption of the encryption resolution in the European Union does not affect the landscape for encrypted services in Europe immediately, as the resolution is non-binding. But its adoption suggests a “shift in tone and puts pressure on the European Commission to propose anti-encryption legislation in the near future,” the encrypted email service provider ProtonMail has argued.
While the objection from ProtonMail, Threema, Tresorit and Tutanota to Europe’s latest foray into the arena is not entirely unexpected, it comes just as ordinary citizens around the world have been endorsing the importance of privacy and end-to-end encryption, the companies note in the letter.
“[A]fter more people became aware of WhatsApp sharing data with Facebook … users are switching to privacy-first end-to-end encrypted services in record numbers,” the letter states, referencing how earlier this month WhatsApp announced it would be updating its business customers’ privacy policy, which would share data with Facebook. Many users interpreted it as an unwelcome breach of trust and privacy and have reportedly begun switching by the millions to end-to-end encrypted applications like Signal.
“People around the world are taking back control of their privacy,” the four companies write, adding that last year’s growth of telework amid the spread of coronavirus around the world “saw tens of millions of individuals and businesses turning to technologies like end-to-end encryption to ensure their digital security and privacy.”
Support from governments is not universal. Members of Congress, such as Rep. Ro Khanna, D-Calif., have argued that weakening encryption for criminal investigations wouldn’t just impact ordinary citizens — it would negatively impact national security as well.