The head of the European Union’s information-security agency on Wednesday rebuked government proposals requiring tech companies to design their encryption so that they could circumvent it for criminal and terrorism investigations.
“If you have a potential backdoor in an encryption implementation,” Udo Helmbrecht, the director of the European Union Network and Information Security Agency (ENISA), told Euractiv.com, “then the question is, how can you [ensure] that terrorists or criminals don’t attack it and don’t use it?”
In the wake of recent deadly terrorist attacks in Paris, Brussels, and San Bernardino, California, many Western governments are considering legislation that would force tech companies to be able to bypass their products’ encryption if investigators present them with warrants for user data.
Law-enforcement and intelligence officials, like FBI Director James Comey in the United States, argue that terrorists and criminals are “going dark” by using encryption to mask their planning. But tech companies, security experts, and civil-liberties advocates have strenuously opposed demands for so-called “backdoors” in encryption, arguing that they would devastate innocent users’ security and tech firms’ economic competitiveness.
As part of the latest phase of the so-called “crypto wars,” the United States, the United Kingdom, and France are considering various legislative solutions to the encryption dilemma.
In the United States, the leaders of the Senate Intelligence Committee are working on a bill that is said to require backdoors. French lawmakers recently approved an amendment that would punish companies that refuse to cooperate with demands for encrypted data. And the U.K. Parliament is debating the Investigatory Powers Bill, which contains a provision letting authorities demand “the removal of electronic protection applied … to any communication or data.”
The phenomenon extends beyond Europe. China recently adopted a counterterrorism law that could let police demand backdoor access, and it is said to be looking to U.S. policymakers for guidance or political cover in implementing such a requirement.
Critics of backdoors point out that they create new digital risks by deliberately engineering a vulnerability that is available to anyone who can find it.
“What would be your feeling if you leave your house and you know somebody else has a key?” Helmbrecht said.
“It is very encouraging to see E.U. officials support encryption,” said Estelle Massé, a policy analyst in the Brussels office of the digital-rights group Access. “We now encourage the E.U. to translate these statements into action and engage with member states such as France and Hungary that are putting forward proposals to undermine encryption.”
Massé noted that Helmbrecht’s remarks echoed what Andrus Ansip, the vice president of the European Commission, the E.U.’s executive body, has said about backdoors.
A spokesperson for U.K. Home Secretary Theresa May, who is spearheading the Investigatory Powers Bill, attempted to distance the legislation from Helmbrecht’s concerns.
“The bill does not create backdoors,” the spokesperson said in an email. “Rather, it maintains the existing obligation for telecommunications companies to assist in the execution of warrants which can themselves only be issued where necessary and proportionate.”
While it is true that there is no explicit backdoor mandate in the bill, the requirement that tech companies “assist in the execution of warrants” would effectively prohibit them from implementing encryption that they cannot break. This would amount to a mandate that they place backdoors in their encryption.
Nathalie Kosciusko-Morizet, the French lawmaker who sponsored the punitive amendment, did not respond to an email asking for her response to Helmbrecht’s remarks.
ENISA, founded in 2004 and based in Greece, is an E.U. agency that works to bolster network security across the 28-member international body. Its 55 staff members serve as resources for E.U. and national lawmakers considering information-security policies.
Helmbrecht has served as ENISA’s director since October 2009. Before that, he led Germany’s Federal Office for Information Security, which oversees, among other things, national cryptography policy.
Update 2:04pm CT, March 30: Added quote from Access analyst.
Update 9:45am CT, March 31: Added response from Home Office.
Photo via ITU Pictures/Flickr (CC BY 2.0)