Matthias Pfau, CEO of Tuta, warns that if the EU continues down this path, it risks losing innovative, privacy-focused companies and the trust of its citizens:

“Strong encryption is essential to protecting human rights and Europe’s digital infrastructure. Any attempt to grant law enforcement exceptional access would introduce dangerous vulnerabilities. There is no technical “silver bullet”, access for the “good guys only” is not possible. So called solutions like client-side scanning undermine encryption and open a backdoor for everyone - also criminal actors and state-sponsored surveillance. We urge EU leaders to never weaken security when shaping Technology Roadmap on encryption”, says Matthias Pfau, CEO of Tuta Mail.

Encryption is fundamental to everybody’s security and weakening it, can have devastating consequences, as was demonstrated by recent attacks on U.S. telecom providers by Chinese hackers. This was one of the worst security breaches in US history and only possible because these outdated telecom systems do not use end-to-end encryption. Following the Salt Typhoon hack, the Swedish Armed forces as well as the American Cybersecurity and Infrastructure Security Agency (CISA) recommended Signal, an end-to-end encrypted WhatsApp alternative, for securing sensitive communications.

Here at Tuta we say backdoors to encryption must not be allowed - because malicious actors will abuse them.

Key points of the open letter

• Threat to fundamental rights & security: The EU’s plan to develop a Technology Roadmap on encryption includes the idea to enable law enforcement access to encrypted data.

• Technically impossible: Cryptography experts stress that it is impossible to provide such access without weakening encryption; any “exceptional access” introduces vulnerabilities exploitable by malicious actors and authoritarian regimes.

• Flawed solutions: Proposals like client-side scanning are not privacy-preserving; they enable bulk surveillance and increase the risk of security breaches.

• Encryption must be end-to-end: Strong encryption is crucial for safeguarding human rights and secure digital infrastructure across Europe.

Turn ON Privacy in one click.

Get

---

Open letter to the EU

Academics, technologists and other experts call for a key role in EU Technology Roadmap on encryption

Dear Ms. Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy,

The undersigned stakeholders are civil society organisations, scientists, researchers and other experts with expertise in human rights and technology. On 1 April, the European Commission published its new Internal Security Strategy, ProtectEU, setting out its plans for the next five years with the aim of coordinating a European response to security threats. Providing safety, protection and justice to all people and communities in Europe is an important part of the EU’s mission. It requires an evidence-based and holistic approach by all institutions to address societal problems at the root and to deliver adequate structural solutions.

From this perspective, we are concerned that the foreseen framework for access to data by law enforcement authorities risks undermining the exercise of fundamental rights and our collective cybersecurity. In particular, the “preparation of a Technology Roadmap on encryption, to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data in a lawful manner” raises several questions.

From past and recent attempts at EU level, we know that ‘silver bullet’ technological ‘solutions’ are not only ineffective, but result in harmful consequences, including for those who most need protection. There is a wide scientific consensus about the technical impossibility to give law enforcement exceptional access to communications that are end-to-end encrypted without creating vulnerabilities that malicious actors and repressive governments can exploit. Experts found that even the latest technologies like client-side scanning, which are pitched as secure and privacy-preserving, are in fact privacy invasive, enable bulk surveillance and increase the risks of security breaches. Encryption is a vitally important tool for people’s rights and freedoms, as well as for the development of vibrant and secure communities, civil society, public administrations and industry. In face of a complex threat landscape and the increased digitalisation of every aspect of our lives, encryption is not a luxury but a sine qua non condition for our ability to navigate safely online.

Rather than investing more resources and time in systems that are demonstrably causing harm, we firmly believe that all stakeholders need to work together to find long-term solutions (both technical and non-technical) to complex societal issues, which are based on scientific evidence, and are respectful of all fundamental rights.

As the European Commission has set its intention to “safeguard cybersecurity and fundamental rights” while carrying out this exploratory work, we would like to support the Commission in meeting this objective and therefore kindly request the following:

• A meeting between you and representatives of signatories of this letter to further discuss our position and contributions;
• Seats at the Technology Roadmap table for academics, independent technologists, tech and human rights lawyers and civil society actors specialising in these issues to ensure that we can meaningfully participate.

We further believe that we would be well-positioned to provide expert technical briefings to you, your cabinet and services, and would be delighted to make ourselves available for this purpose.

Sincerely, Civil society organisations specialising in technology and/or digital rights:

• Access Now (EU/International)

• ACT | The App Association

• ANSOL - Associação Nacional para o Software Livre (Portugal)

• Asociația pentru Tehnologie și Internet (ApTI) (Romania)

• Bangladesh NGOs Network for Radio and Communication (BNNRC)

• Big Brother Watch (United Kingdom)

• Bits of Freedom (Netherlands)

• Chaos Computer Club (Germany)

• Committee to Protect Journalists (CPJ) (Belgium)

• Cyprus Computer Society (CCS)

• D64 – Center for Digital Progress (Germany)

• Danes je nov dan, Inštitut za druga vprašanja (DJND) (Slovenia)

• Dataföreningen i Sverige (Sweden)

• Dataföreningen Väst (Swedish Computer Association west)

• Defend Democracy (Netherlands/Belgium)

• Deutscher Anwaltverein (DAV) (Germany)

• Digital Rights Ireland

• Digitale Gesellschaft e.V. (Germany)

• Državljan D / Citizen D (Slovenia)

• Electronic Frontier Foundation (EFF)

• Electronic Privacy Information Center (EPIC) (US)

• European Digital Rights (EDRi)

• Homo Digitalis (Greece)

• Initiative für Netzfreiheit. (Netzfreiheit / IfNf) (Austria)

• Internet Society (US/International)

• ISOC India Hyderabad Chapter

• ISOC India Hyderabad Chapter (ISOC Hyderabad)

• IT-Pol (Denmark)

• JCA-NET (Japan)

• Panoptykon Foundation (Poland)

• Politiscope (Croatia)

• Privacy First (Netherlands)

• Privacy International

• SHARE Foundation (Serbia)

• Slovenian Society INFORMATIKA (SSI)

• Statewatch (United Kingdom)

• The Association for Information Technology and Communications of Romania (ATIC)

• The Centre for Democracy & Technology Europe (CDT Europe)

• Xnet, Institute for Democratic Digitalisation (Spain)

Individual signatories specialising in technology and/or digital rights:

• Assist. Prof. Giovanni Apruzzese, University of Liechtenstein

• Assist. Prof. Lili Nemec Zlatolas, University of Maribor

• Associate Prof. Dr. Carsten Baum, Technical University of Denmark

• Aureli Gómez i Vidal, critical internet services engineer

• Emeritus Professor Douwe Korff, London Metropolitan University

• Dr Dan Bogdanov, Estonian Academy of Sciences

• Dr. David Galadi-Enriquez, University of Cordova

• Dr. Eyal Ronen, Tel Aviv University

• Dr. Jordi Cortit, Clarivate

• Dr. Juanjo Llórente Albert, Universidad Popular Valencia

• Dr. María Iglesias Caballero, National Institute of Health Carlos III

• Dr. Stephen Farrell, Trinity College Dublin

• Eng. Jorge Pinto, Independent Technologist

• Filippos Frantzolas Msc, Hellenic Professionals Informatics Society (HePIS)

• Mr. Henrique California Mendes, application security engineer

• Matthias Pfau, co-founder of Tuta.com and cryptography expert

• Prof. Anja Lehmann, Hasso-Plattner-Institute, University of Potsdam

• Prof. Aurélien Francillon, EURECOM

• Prof. Bart Preneel, University of Leuven

• Prof. Carmela Troncoso, MPI-SP & EPFL

• Prof. Diego F. Aranha, Aarhus University

• Prof. Dr. Daniel Loebenberger, Sprecher Fachbereich Sicherheit der Gesellschaft für Informatik e.V.

• Prof. dr. Jaap-Henk Hoepman, Radboud University / Karlstad University

• Prof. Dr. René Mayrhofer, Johannes Kepler University Linz

• Prof. Dr. Simone Fischer-Hübner, Karlstad University & Chalmers University of Technology

• Prof. Dr. Tanja Lange, Eindhoven University of Technology

• Prof. Ian Goldberg, University of Waterloo

• Prof. Keith Martin, Royal Holloway, University of London

• Prof. Kenneth G. Paterson, ETH Zurich

• Prof. Kimmo Halunen, University of Oulu

• Prof. Levente Buttyán, Budapest University of Technology and Economics (Head of the Laboratory of Cryptography and System Security))

• Prof. Manuel Barbosa, Universidade do Porto (FCUP)

• Prof. Marko Hölbl, University of Maribor

• Prof. Martin Albrecht, King’s College London

• Prof. Panos Papadimitratos, KTH Royal Institute of Technology

• Prof. Simona Levi, Director of Postdegree in Tecnopolitics and Rights in the Digital Era at Universitat de Barcelona

• Prof. Srdjan Čapkun, ETH Zurich

• Prof. Stefano Calzavara, Università Ca’ Foscari Venezia

• Prof. Vaclav Matyas, Masaryk University

• Prof. Vasile Balatac, National University of Political Studies and Public Administration – SNSPA

• Simone Aonzo, PhD, EURECOM

• Univ.-Prof. Dr. Matteo Maffei, TU Wien

• Yigit Aydinalp, University of Sheffield