In July 2016, Justice Ministers in the European Union met to discuss the “issue” of encryption in the context of the fight against crime and terrorism. In August, Bernard Cazeneuve and Thomas de Maiziere, the French and German ministers of interior, announced that because more people are using encryption, governments must develop a coordinated response. In September, the Slovak Presidency of the Council of the EU, the institution that represents Member State governments, shared a questionnaire with Council members to guage national approaches to encryption. That same month, the Commission circulated a questionnaire on Criminal Justice in Cyberspace. In November, Cazeneuve and de Maiziere revised their demands, backing off from encryption and pointing a finger at the issue of jurisdiction. In November, a Council progress report indicated that encryption is essential, but a problem to be solved. In December, at the Justice and Home Affairs (JHA) Council meeting, it was decided that more needs to be done and the Commission was asked to prepare several legislative proposals for June 2017.
That much we know.
It seems that, once again, an important legislative process is being set in motion behind closed doors. With the exception of the Council meeting outcomes document, none of the documents were made public. The lack of transparency around these actions, both at the EU and member state level, undermines the already vulnerable trust between EU citizens, their respective governments, and EU institutions.
EDRi members Access Now, Bits of Freedom and several other organisations have been fighting for transparency on these hidden discussions around encryption. The answers to the Slovak Presidency questionnaire on national approaches to encryption would not only provide us insight into an opaque decision-making process, but can go a long way in helping us understand how law is interpreted and applied across member states; they are essential to public understanding of existing legislation concerning encryption. Many of these documents have been acquired, the rest will be targeted through freedom of information requests in order to make sure we have the whole picture about what member states are thinking.
So far we have learned that most law enforcement investigations run into encryption, either online or offline, and lack the specific knowledge and technical capability to adequately process this. We have learned that law enforcement often uses commercially available software or contracts third parties to obtain the information from encrypted devices and communication channels, but this evidence is not admissible in court. It has also been pointed out that while compelling people to turn over their encryption keys would certainly help investigations, most member states have laws protecting individuals from self-incrimination.
While helpful to our overall understanding of the EU’s plans to legislate in the future, there are still a lot of stones left unturned, and a lot of conversations into which we have no insight. The EU is not likely to undermine encryption – it would be counter-intuitive given the position of the Commission, ENISA, and several others. We may, however, see extremely harmful legislation labeled as “access to e-evidence” coming our way. As the Council requested, in June 2017 we can expect the Commission to come with solutions to e-evidence, namely streamlining mutual legal assistance, improving cooperation with service providers and taking a closer look at enforcement jurisdiction in cyberspace.
EU ministers are targeting encryption. We need to know more. (08.11.2016)
Mixed messages: crypto and other closed-door conversations in the EU(09.12.2016)
(Contribution by Lucie Krahulcova, EDRi member Access Now, International)