Breaking news

France is about to pass the worst surveillance law in the EU. We must stop them now!

An amendment to the “Narcotrafic” law is moving to the French National Assembly. Remind your legislators that a backdoor for the good guys only is not possible.

France is about to pass the worst surveillance law in the EU, the Narcotrafic amendment. Tell legislators that a back door for the good guys only is not possible.

At Tuta, we are deeply concerned about the proposed amendment to the so-called "Narcotrafic" law, which would force encrypted communication providers to implement backdoors for law enforcement. This would threaten everybody’s security and privacy and could be in conflict with European data protection legislation and Germany's IT Security Act. We urge the French National Assembly to reject this dangerous amendment. A backdoor for the good guys only is not possible.

France is about to amend a bill against drug trafficking, the “Narcotrafic” law, which will force encrypted messaging apps like Signal and WhatsApp to backdoor the encryption for being able to hand over decrypted chat messages of suspected criminals within 72 hours of the request. In order to enforce it, the text provides for a “fine of EUR 1.5 million for natural persons and a fine of up to 2% of the annual world turnover for legal persons”. The amendment has already been passed by the Senate and is now moving fast to the National Assembly.

France, together with other nations, has made some successes in recent years with breaking into encrypted chat apps used by criminals such as Encrochat and AN0M. These vast amounts of decrypted data from criminals helped law enforcement in many countries to prosecute criminals and understand how organized crime operates. It looks like this new law is hoping to achieve the same as it would enable law enforcement to easier prosecute criminals.

However, breaking the encryption of an app built by criminals for criminals is something else entirely compared to breaking the encryption of chat apps used by billions of people such as WhatsApp, Signal and Tuta Mail. The collateral damage of the latter would be horrific.

An attack on security and privacy

Encryption is the foundation of secure digital communication. It is what keeps our data and ourselves protected in today’s internet. Unfortunately, the internet is not a safe place, but a place where malicious attackers and foreign spies lurk to get hold of your data to commit fraud, extortion, or industrial espionage.

By mandating backdoors, the French government is not only compromising the security of all users – citizens and businesses alike - but this amended “Narcotrafic” law is most likely also in contradiction with European data protection laws like the GDPR, and the German IT Security Act and the TKG. The GDPR pass the control over personal data back to the people by forcing companies to protect personal data, possibly also with end-to-end encryption. Furthermore, Germany’s IT Security Act (IT-Sicherheitsgesetz) mandates that critical infrastructure (including IT systems) must be protected from cyber threats and unauthorized access, and Germany’s Telecommunications Act (TKG) regulates the security of communication services and data. A law like the French “Narcotrafic” law that forces companies to implement technical measures to enable access for law enforcement (like backdoors) could be in conflict with the data protection obligations put on German IT companies. This raises the question whether and how European, and particularly German, companies would be able to comply with the French “Narcotrafic” law at all.

“German laws like the IT Security Act and the TKG force us to protect data and mandate that IT systems must not be altered in a way that the security is weakened just for access by law enforcement. We at Tuta, will not comply with any law requiring a backdoor, but German law also prohibits us from doing so.”

The European Data Protection Supervisor, for instance, clarifies:

“Encryption, or the encoding of messages in such a way that only intended recipients can understand them, is one of the main tools to guarantee the security of our information. It is recognised as necessary for the digital economy and for the protection of fundamental rights, such as privacy and free speech."

"While law enforcement requires the means to fight crime on the internet, any new measure would have to first pass the test for necessity and proportionality, based on substantiated evidence. While encryption makes bulk data collection and mass surveillance difficult, it is not a limiting factor in more targeted and specific measures. Restrictions on encryption pose significant risks to the economy and society in general.”

Abolition of security for all

Weakening encryption does not just affect criminals; it affects every individual, business, journalist, activist, and government entity relying on secure communication. Backdoors created for law enforcement inevitably become potential entry points for malicious actors, including cybercriminals and foreign intelligence agencies from nations such as Russia and China. Once encryption is compromised, it cannot selectively protect only those deemed ‘legitimate’ by the state - it becomes fundamentally weaker for everyone. Given the threats that we currently face, particularly here in Europe, undermining encryption would be a dangerous move that puts all of us at risk.

This has already been demonstrated nicely by a comic back in the days when the FBI wanted Apple to undermine the end-to-end encryption used on iPhones.

Comic, der zeigt, wie Apple-CEO Tim Cook das iPhone entsperrt, während das FBI, Hacker, repressive Regime und andere in der Schlange stehen, um Zugriff auf die entschlüsselten Daten zu erhalten. Comic, der zeigt, wie Apple-CEO Tim Cook das iPhone entsperrt, während das FBI, Hacker, repressive Regime und andere in der Schlange stehen, um Zugriff auf die entschlüsselten Daten zu erhalten. Comic showing Apple CEO Tim Cook unlocking the iPhone while the FBI, hackers, repressive regimes and more stand in line to get access to the decrypted data.

Pro-encryption is gaining traction

More recent news show increasing support for end-to-end encryption, also by government agencies. Most notably, the US Cybersecurity and Infrastructure Security Agency CISA has issued a recommendation to use end-to-end encryption following the Salt Typhoon hack, an attack by the Chinese that enabled them (and still enables them) to listen in on phone calls made via American telco providers. This February, the Swedish National Forces have done the same, recommending using encrypted apps for calls and messages instead of traditional phone calls. Both mention the quantum-safe encrypted chat app Signal as a means to protect all communication, not just highly sensitive messages. But now the very encryption that apps like Signal and email providers like Tuta offer is under threat by the French “Narcotrafic” law.

What is the “Narcotrafic” law?

The organization La Quadrature du Net has put together an extensive explanation on what the amendment of the “Narcotrafic” law includes. It shows that the risks for everybody’s security and privacy much outweigh the benefits it would bring for law enforcement.

  • The so-called “Narcotrafic” law attacks the protection of encrypted couriers (such as Signal or WhatsApp) by imposing the installation of backdoors for the police and intelligence.

  • By amending the legal regime for organized crime, which is applicable in other cases, this law does not apply only to drug trafficking. It can even be used to monitor activists.

  • The case file, a provision of the law, makes secret the documents of a file detailing the modalities of the use of surveillance techniques during an investigation. This undermines the right to self-defence and prevents the population from knowing the extent of the supervisory capacity of the judicial police.

  • The text provides for the police to remotely activate the microphones and cameras of fixed and mobile connected devices (computers, telephones, etc.) to spy on people.

  • It expands the authorization of the use of “black boxes”, a technique for analyzing the data of all our communications and exchanges on the Internet for the purpose of “fighting crime and organized crime”.

  • The police will be able to tighten up their policy of censoring content on the Internet by extending it to publications related to the use and sale of drugs. The risks of abuse for freedom of expression are therefore amplified.

Let’s fight for encryption!

With the introduction of the GDPR in 2018, the European Union has put itself at the forefront of defending citizens’ right to privacy and security. Allowing France to implement such extreme surveillance measures as proposed under the “Narcotrafic” law would set a dangerous precedent that would undermine the values that the EU stands for. We must not allow fear-driven policies to erode the security and freedom of all European citizens.

We at Tuta strongly call on the French National Assembly to reject this amendment and uphold the fundamental rights of privacy, security, and freedom of expression. Please remember: A backdoor for the good guys only is not possible.

Spread the word and get involved! Here’s how.

La Quadrature du Net has put together great resources that you can use to contact your representative.

Call your representative now and tell them to vote “No” to the amendment of the “Narcotrafic” law!

Illustration of a phone with Tuta logo on its screen, next to the phone is an enlarged shield with a check mark in it symbolizing the high level of security due to Tuta's encryption.