Germany and France Push EU to Draw up Crypto Backdoor Laws

German and French ministers want to force the European Commission to draw up laws allowing the authorities to access messaging services protected with end-to-end encryption, which could effectively ban those firms which don’t comply.

French Interior Minister Bernard Cazeneuve met his German counterpart Thomas de Maiziere in Paris yesterday to discuss the plans, which appear to have been precipitated by recent terror attacks in both countries.

It’s unclear, however, whether any of these atrocities would have been prevented had the security services been able to access the communications of suspects.

Cazeneuve told a press conference that the Commission should now draft laws forcing tech providers to help in specific investigations of terrorists.

“If such legislation was adopted, this would allow us to impose obligations at the European level on non-cooperative operators,” he said, according to Reuters.

In response, the EU executive said in a statement: “Security is a national competence, but creating the right framework at EU level will help member states carry out their duty to protect our citizens.”

However, its security agency, Enisa, has already argued that putting backdoors in encrypted comms would damage civil society and industry.

The move would also be a u-turn by the French government, after digital secretary Axelle Lemaire rejected similar proposals put forward by Republican Nathalie Kosciusko-Morizet at the start of the year.

“What you propose is a design by vulnerability,” she argued at the time. “With a backdoor, personal data is not protected at all.”

The Dutch government has also come out strongly against encryption backdoors.

This debate has been rolling on for years now, in the US and UK – most notably in the efforts of the FBI to force Apple into building backdoors into its products, via the courts.

In the UK, the matter is set to be settled in the forthcoming Investigatory Powers Bill, which could end up demanding the same.

However, US tech providers like Apple have already stated they will not engineer such backdoors into their products.

The risk is that eventually the black hats would get hold of the keys – breaking security for hundreds of millions of consumers and businesses around the globe.

These providers also claimed that if they acceded to demands from the likes of the US, UK or EU governments, it would be difficult not to comply with similar demands from more oppressive regimes such as China.

A ban on such services for “non-cooperative operators” as envisaged by Cazeneuve would be virtually impossible to enforce by the EU.

Venafi chief security strategist, Kevin Bocek, argued that governments don’t have a great track record when it comes to security and privacy, so can’t be trusted with the all-important ‘God Key’.

“Take Stuxnet, for example: here, we saw the US government creating a vulnerability that leveraged misused keys and certificates for their own means, which was soon hi-jacked and put to use in the worst possible way, an attempt to tamper with critical infrastructure,” he added.

“That government attack formed the basis for an attack blueprint that common cyber-criminals now use. If in the wrong hands, these keys and certificates can become potent weapons of mass destruction – do we really want more WMD blueprints to flood the market?”

Rafael Laguna, CEO of comms firm Open-Xchange, argued that an encryption backdoor is an oxymoron.

“The mathematics behind cryptography and the realities of modern cybercrime mean that a single ‘flaw’ in encryption technology ensures the failure of the entire system,” he said.

“Breaking encryption will put the safety of the people at risk. Encryption not only protects data, it protects systems, too. Systems that regulate and deliver power, run trains and fly planes, manage airports, subways, traffic lights – virtually all infrastructure of our modern world. They use the same communications infrastructure and tools that we do for our day to day communication.”
