Shedding light: We address the flawed Going Dark Report

The “High Level Group on Access to Data for Effective Law Enforcement”, a.k.a. HLG Going Dark, presented its final report and recommendations for an agenda of maximal access to personal data. In an open letter we warn of the dangers and propose a better policy alternative.

By EDRi · December 11, 2024

With a coalition of 55 civil society groups, industry and professional associations, we today address the final report of the High-Level Group (HLG) “Going Dark” and shed light on its opaque creation and problematic recommendations. We warn of the substantial threats to security and privacy if the overall Going Dark agenda of the HLG is followed, which would mean granting law enforcement the maximum possible access to personal data. As experts and digital human rights defenders, we further provide recommendations for defining this area of EU policy in line with European fundamental rights.

Closed doors to civil society, open to industry

Formally the HLG is called “High Level Group on Access to Data for Effective Law Enforcement”, but it is usually referred to as HLG or in the context of “Going Dark”, because of the way the HLG has framed their work. Going Dark is the false claim that there is a lack of access to data despite unprecedented surveillance powers in the hands of law enforcement agencies.

Speaking of Going Dark: The HLG report was created behind closed doors and without meaningful participation of civil society. Despite painting itself as “an inclusive forum for all relevant stakeholders”, the HLG would only simulate an openness to the involvement of digital policy experts after public pressure. Previously the HLG had restricted EDRi and other civil society organisations from participating and exclusively met with law enforcement agencies and like-minded industry actors instead. The biased composition and opaque procedure of the HLG are unfortunately also reflected in the problematic outcomes of this group.

The report is an attempt to launder dangerous policies

The HLG is rehashing bad ideas that have repeatedly been rejected by human rights groups, cybersecurity experts and even the European Court of Human Rights.

  • Mainstreaming backdoors in technologies becomes “lawful access by design”. This would put the security and confidentiality of all electronic data and communications at risk and severely encroach on the fundamental rights of all people in the EU.
  • Data retention is back on the agenda – again. The HLG wants to harmonise retention and access across the EU. Beware of the proposed extension of data retention obligations to the Internet of Things and virtually any internet-based service. This is of course not in line with well-established case law, which forbids general monitoring because it would make innocent citizens feel that their private life is under constant surveillance.
  • To square the circle on surveillance and IT-security, the HLG tries to circumvent encryption – and the laws of mathematics. It is not the first time we hear the proposal to access end-to-end-encrypted data without compromising the security of relevant systems, but it remains an impossible and dangerous suggestion nonetheless.

Unfortunately there is more. So far the HLG had a list of 42 recommendations, which received heavy criticism from EDRi and other experts, since the Going Dark agenda would constitute “insecurity by design”. The European Data Protection Board recently warned of the contradictory demands the HLG makes of providers, who are supposed to allow access for surveillance purposes and protect the security of their systems at the same time.

Our recommendations for value driven EU security policy

An EU security policy fit for the digital age must address the challenges we face today. Secure communications and legal certainty are imperative for citizens and law enforcement alike. In the light of potential threats by criminals, foreign state-sponsored agencies and even some authoritarian actors within the EU, people expect the institutions to prioritise policies that protect their IT-security and fundamental rights. That is why we recommend:

  • Support a safe, trustworthy and diversified digital ecosystem. Citizens need technology that empowers them instead of putting them at risk.
  • Ensure the security and confidentiality of digital spaces because the possibility for people to exercise their fundamental rights depends on it.
  • Uphold the right to privacy and inviolability of protected information. This is required by the Charter of Fundamental Rights and case law of the Court of Justice of the EU and the European Court of Human Rights.

READ THE JOINT STATEMENT