EU Data Protection Official Says Revised Privacy Laws Should Ban Backdooring Encryption
The EU's "Cookie Law" is a complete joke and waste of time. An attempt to regulate privacy in the EU, all it's really served to do is annoy millions of internet users with little pop up notices about cookie practices that everyone just clicks through to get to the content they want to read. The EU at least recognizes some of the problems with the law and is working on a rewrite... and apparently there's an interesting element that may be included in it: banning encryption backdoors. That's via a new report from European Data Protection Supervisor (EDPS) Giovanni Buttarelli, who was put in charge of reviewing the EU's ePrivacy Directive to make it comply with the new General Data Protection Regulation (GDPR) that is set to go into effect in May of 2018. The key bit:
Still, this is certainly an interesting development. Of course, it would also conflict with the UK's Snooper's Charter ("Investigatory Powers Act") which mandates backdoors for encryption. Though, to be fair, by the time the new rules go into practice, perhaps the UK will no longer be a part of the EU.
Permalink | Comments | Email This Story
The new rules should also clearly allow users to use end-to-end encryption (without 'backdoors') to protect their electronic communications.To be clear, this actually seems like it may go too far. There are plenty of situations where it seems completely reasonable for law enforcement to use other means to figure out ways to decrypt encrypted communications. Arguing that it should be completely outlawed seems a bit extreme. But blocking backdoors does seem like a good idea. The report also says that the use of end-to-end encryption should be encouraged to the point of being mandated in some cases:
Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited.
In addition, the use of end-to-end encryption should also be encouraged and when necessary, mandated, in accordance with the principle of data protection by design.
In addition, the use of end-to-end encryption should also be encouraged and when necessary, mandated, in accordance with the principle of data protection by design. In this context the EDPS also recommends that the Commission consider measures to encourage development of technical standards on encryption, also in support of the revised security requirements in the GDPR.Conceptually, this sounds good, but the implementation matters. Mandating encryption seems to be going a bit far. While I tend to think it makes sense for much more widespread use of encryption, it's not clear why the government needs to get involved here at all. And that includes in the development of such standards. In fact, as we've seen in the past, when the government gets involved in creating encryption standards, that seems to be where the intelligence community can slip in their backdoors.
The EDPS further recommends that the new legal instrument for ePrivacy specifically prohibit encryption providers, communications service providers and all other organisations (at all levels of the supply chain) from allowing or facilitating 'back-doors'.
Still, this is certainly an interesting development. Of course, it would also conflict with the UK's Snooper's Charter ("Investigatory Powers Act") which mandates backdoors for encryption. Though, to be fair, by the time the new rules go into practice, perhaps the UK will no longer be a part of the EU.
Permalink | Comments | Email This Story