Tuta News

Open letter against ProtectEU

New name, same problems: The EU now calls Chat Control "ProtectEU", but it comes with the same backdoor issues as before.

The EU vs encryption? It's time that politicians understand that encryption protects us all!

Today a coalition of ~90 organizations and individuals, including Tuta, have published a joint letter urging the EU to not undermine encryption with the new ProtectEU draft.

Matthias Pfau, CEO of Tuta, warns that if the EU continues down this path, it risks losing innovative, privacy-focused companies and the trust of its citizens:

“Strong encryption is essential to protecting human rights and Europe’s digital infrastructure. Any attempt to grant law enforcement exceptional access would introduce dangerous vulnerabilities. There is no technical “silver bullet”, access for the “good guys only” is not possible. So called solutions like client-side scanning undermine encryption and open a backdoor for everyone - also criminal actors and state-sponsored surveillance. We urge EU leaders to never weaken security when shaping Technology Roadmap on encryption”, says Matthias Pfau, CEO of Tuta Mail.

Encryption is fundamental to everybody’s security and weakening it, can have devastating consequences, as was demonstrated by recent attacks on U.S. telecom providers by Chinese hackers. This was one of the worst security breaches in US history and only possible because these outdated telecom systems do not use end-to-end encryption. Following the Salt Typhoon hack, the Swedish Armed forces as well as the American Cybersecurity and Infrastructure Security Agency (CISA) recommended Signal, an end-to-end encrypted WhatsApp alternative, for securing sensitive communications.

Here at Tuta we say backdoors to encryption must not be allowed - because malicious actors will abuse them.

Key points why to oppose ProtectEU

  • Threat to fundamental rights & security: The EU’s plan to develop a Technology Roadmap on encryption includes the idea to enable law enforcement access to encrypted data.

  • Technically impossible: Cryptography experts stress that it is impossible to provide such access without weakening encryption; any “exceptional access” introduces vulnerabilities exploitable by malicious actors and authoritarian regimes.

  • Flawed solutions: Proposals like client-side scanning are not privacy-preserving; they enable bulk surveillance and increase the risk of security breaches.

  • Encryption must be end-to-end: Strong encryption is crucial for safeguarding human rights and secure digital infrastructure across Europe.

Turn ON Privacy in one click.

Open letter to the EU on May 26, 2025

89 civil society organizations, companies, and cybersecurity experts call on the EU Commission to uphold strong encryption

In summary, the open letter in regard to ProtectEU want to make sure that human rights are respected and maintained and that the European Union keeps its world-class recognition as an IT market where data protection is guaranteed. With our open letter, we are highlighting that:

  • Strong encryption is not an obstacle to EU security but a prerequisite for it, positioning the widespread use of end-to-end encryption as a tool for advancing cybersecurity and EU’s resilience in the current geopolitical context.

  • Encryption is beneficial to the EU and its citizens; it is required to strengthen cyber defense in alignment with the European Union’s existing security strategies.

Dear Henna Virkkunen, Executive Vice President for Tech Sovereignty, Security and Democracy, and Magnus Brunner, Commission for Internal Affairs and Migration

The undersigned civil society organizations, companies, and cybersecurity experts, including members of the Global Encryption Coalition, urgently share their concerns regarding aspects of the recently announced European Internal Security Strategy (Protect EU) due to its potential impact on end-to-end encryption.

On April 1st the European Commission shared its new five-year strategy, ProtectEU, to address elevated security concerns for the European Union in the midst of a rapidly evolving geopolitical landscape. Included in the strategy is the European Commission’s intent to develop a “Technology Roadmap on encryption, to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data in a lawful manner.”

While we recognise the importance of elevating security efforts during moments of increased geopolitical instability, we are concerned by the framing of the technology roadmap. Government agencies elsewhere in the world actively encourage more usage of end-to-end encryption, not less, to protect the integrity of cyberspace against increased security threats. Strong encryption, including end-to-end encryption, is a key cybersecurity tool that protects the European Union against cyberattacks, hybrid threats, espionage, and attacks on critical infrastructure.

The European Commission itself has acknowledged the need to step up efforts and investment to protect the integrity of cyberspace as reflected in the Revised Directive on Security of Network and Information (NIS2). The Revised Directive introduces obligations for platforms and service providers to implement appropriate and proportionate cybersecurity risk-management measures, including encryption, to protect the confidentiality, integrity, and availability of their systems and services. The European Data Protection Supervisor echoes this message, stating that “restrictions on encryption pose significant risks to the economy and society in general.”

Yet, against this backdrop, we are deeply concerned by the Commission’s continued focus on identifying ways to weaken or circumvent encryption. This undermines its own security objectives under the ProtectEU strategy, which emphasises the importance of resilience and preparedness in the face of more sophisticated cyber threats. Undermining encryption weakens the very foundation of secure communications and systems, leaving individuals, businesses, and public institutions more vulnerable to attacks.

Past and ongoing efforts in the European Union to grant law enforcement access to encrypted data have primarily focused on client-side scanning, a technology that circumvents encryption by scanning user devices before the encryption mechanism starts. Scanning not only violates the promises of end-to-end encryption but also creates vulnerabilities that could be exploited by criminals and hostile state actors. There is widespread consensus among technical experts that encryption circumvention tools create new risks that threaten national security, concerns recently echoed by member state authorities in Sweden and the Netherlands. The European Court of Human Rights and European Union Agency for Fundamental Rights have emphasized that statutory requirements that “weaken the encryption mechanism for all users” would be disproportionate under the Charter of the Fundamental Rights of the EU.

The technology roadmap announced by the European Commission mirrors efforts taken by other governments to identify encryption circumvention tools, such as the UK’s “Safety Tech Challenge,” which pledged funding for proof-of-concept tools for preventing and detecting child sexual abuse material in end-to-end encrypted environments. In the case of UK efforts, the selected independent third party reviewer, REPHRAIN, found that none of the resulting proofs of concept fulfilled their evaluation framework for human rights, security, accountability, and other criteria. We believe that any similar EU approach would produce the same results, wasting valuable resources.

We call on the European Commission to:

  • Acknowledge that strong encryption is not an obstacle to EU security but a prerequisite for it, positioning the widespread use of end-to-end encryption as a tool for advancing cybersecurity and EU’s resilience in the current geopolitical context.

  • Reframe the Technology Roadmap on Encryption, highlighting the benefits of encryption and identifying areas for increased usage to strengthen cyber defense in alignment with the European Union’s existing security strategies.

  • Develop the Technology Roadmap by drawing on a wide range of perspectives, not only those of law enforcement, but also cybersecurity experts, civil society, digital rights advocates and private companies. Any future roadmap that aspires to be credible and balanced must consider the feasibility of any potential technological capabilities and their societal, technical, and legal impact.

Please direct your response to Callum Voge, Director of Governmental Affairs and Advocacy at the Internet Society (voge@isoc.org), and to Silvia Lorenzo Perez, Programme Director of the Security, Surveillance and Human Rights Programme at the Centre for Democracy & Technology — Europe (sperez@cdt.org).

Organizational Signatories

3 Steps Data

ACT | The App Association

Africa Media and Information Technology Initiative (AfriMITI)

Africa Rural Internet and STEM Initiative (AFRISTEMI)

Alternatif Bilisim

AMS-IX

Big Brother Watch

Bits of Freedom

Blacknight

Blockchain Association

Center for the Study of Organized Hate (CSOH)

Centre for Democracy and Technology Europe

Centro Latinoamericano de Investigaciones Sobre Internet

Chaos Computer Club

Comunitatea Internet Association

Cybersecurity Advisors Network (CyAN)

Danes je nov dan, Inštitut za druga vprašanja

Datenpunks

Digitale Gesellschaft

Digital Rights Ireland

Digital Society

Državljan D / Citizen D

eco - Association of the Internet Industry

Electronic Frontier Finland - Effi ry

Electronic Frontier Foundation

Electronic Frontier Norway

Element

Emerald Onion

Epicenter.works

EuroISPA - The European Association of Internet Services Providers

European Digital Rights (EDRi)

FiCom ry

Freedom of the Press Foundation

Global Partners Digital

Hermes Center

Internet Architecture Board

Internet Australia

Internet Society

Internet Society Brazil Chapter

Internet Society Catalan Chapter (ISOC-CAT)

Internet Society Mali Chapter

Internet Society Nepal Chapter

Internet Society Portugal Chapter

IT-Pol Denmark

Japan Network Information Center

JCA-NET

Kleindatenverein

LGBT Tech

Matrix.org Foundation

Mozilla

OpenMedia

Phoenix R&D GmbH

Politiscope

Privacy & Access Council of Canada

PrivID, Inc

Proton

SABOA foundation

SecureCrypt

SkypLabs

Statewatch

SUPERRR Lab

Surfshark

Tech for Good Asia

Tuta Mail

Vircos Tecnologia

Vrijschrift.org

Wikimedia Europe

Xnet. Institute for Democratic Digitalisation

X-Lab

Individual Cybersecurity Experts

Jon Callas, Indiana University

Sofia Celi, Brave

Claudia Diaz, KU Leuven

Donald E. Eastlake 3rd, Independent

Nicola Fabiano, Fabiano Law Firm

Stephen Farrell, Trinity College Dublin

Masayuki Hatta, Surugadai University

Mallory Knodel, New York University

Sascha Meinrath, X-Lab

Peter Neumann, Moderator, ACM Risks Forum

Riana Pfefferkorn, Stanford University

Jonathan Rudenberg, Grace

Bruce Schneier,

Adam Shostack, Author of Threat Modeling: Designing for Security

Eugene H. Spafford, Purdue University

Asli Telli, University of Cologne

Peter Thomassen, deSEC

Kenn White

Matthew Wright, Rochester Institute of Technology

Philip Zimmermann, Associate Professor Emeritus in Cybersecurity, Delft University of Technology

Open letter to the EU on May 5, 2025

Academics, technologists and other experts call for a key role in EU Technology Roadmap on encryption

Dear Ms. Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy,

The undersigned stakeholders are civil society organisations, scientists, researchers and other experts with expertise in human rights and technology. On 1 April, the European Commission published its new Internal Security Strategy, ProtectEU, setting out its plans for the next five years with the aim of coordinating a European response to security threats. Providing safety, protection and justice to all people and communities in Europe is an important part of the EU’s mission. It requires an evidence-based and holistic approach by all institutions to address societal problems at the root and to deliver adequate structural solutions.

From this perspective, we are concerned that the foreseen framework for access to data by law enforcement authorities risks undermining the exercise of fundamental rights and our collective cybersecurity. In particular, the “preparation of a Technology Roadmap on encryption, to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data in a lawful manner” raises several questions.

From past and recent attempts at EU level, we know that ‘silver bullet’ technological ‘solutions’ are not only ineffective, but result in harmful consequences, including for those who most need protection. There is a wide scientific consensus about the technical impossibility to give law enforcement exceptional access to communications that are end-to-end encrypted without creating vulnerabilities that malicious actors and repressive governments can exploit. Experts found that even the latest technologies like client-side scanning, which are pitched as secure and privacy-preserving, are in fact privacy invasive, enable bulk surveillance and increase the risks of security breaches. Encryption is a vitally important tool for people’s rights and freedoms, as well as for the development of vibrant and secure communities, civil society, public administrations and industry. In face of a complex threat landscape and the increased digitalisation of every aspect of our lives, encryption is not a luxury but a sine qua non condition for our ability to navigate safely online.

Rather than investing more resources and time in systems that are demonstrably causing harm, we firmly believe that all stakeholders need to work together to find long-term solutions (both technical and non-technical) to complex societal issues, which are based on scientific evidence, and are respectful of all fundamental rights.

As the European Commission has set its intention to “safeguard cybersecurity and fundamental rights” while carrying out this exploratory work, we would like to support the Commission in meeting this objective and therefore kindly request the following:

  • A meeting between you and representatives of signatories of this letter to further discuss our position and contributions;
  • Seats at the Technology Roadmap table for academics, independent technologists, tech and human rights lawyers and civil society actors specialising in these issues to ensure that we can meaningfully participate.

We further believe that we would be well-positioned to provide expert technical briefings to you, your cabinet and services, and would be delighted to make ourselves available for this purpose.

Civil society organisations specialising in technology and/or digital rights:

  • Access Now (EU/International)

  • ACT | The App Association

  • ANSOL - Associação Nacional para o Software Livre (Portugal)

  • Asociația pentru Tehnologie și Internet (ApTI) (Romania)

  • Bangladesh NGOs Network for Radio and Communication (BNNRC)

  • Big Brother Watch (United Kingdom)

  • Bits of Freedom (Netherlands)

  • Chaos Computer Club (Germany)

  • Committee to Protect Journalists (CPJ) (Belgium)

  • Cyprus Computer Society (CCS)

  • D64 – Center for Digital Progress (Germany)

  • Danes je nov dan, Inštitut za druga vprašanja (DJND) (Slovenia)

  • Dataföreningen i Sverige (Sweden)

  • Dataföreningen Väst (Swedish Computer Association west)

  • Defend Democracy (Netherlands/Belgium)

  • Deutscher Anwaltverein (DAV) (Germany)

  • Digital Rights Ireland

  • Digitale Gesellschaft e.V. (Germany)

  • Državljan D / Citizen D (Slovenia)

  • Electronic Frontier Foundation (EFF)

  • Electronic Privacy Information Center (EPIC) (US)

  • European Digital Rights (EDRi)

  • Homo Digitalis (Greece)

  • Initiative für Netzfreiheit. (Netzfreiheit / IfNf) (Austria)

  • Internet Society (US/International)

  • ISOC India Hyderabad Chapter

  • ISOC India Hyderabad Chapter (ISOC Hyderabad)

  • IT-Pol (Denmark)

  • JCA-NET (Japan)

  • Panoptykon Foundation (Poland)

  • Politiscope (Croatia)

  • Privacy First (Netherlands)

  • Privacy International

  • SHARE Foundation (Serbia)

  • Slovenian Society INFORMATIKA (SSI)

  • Statewatch (United Kingdom)

  • The Association for Information Technology and Communications of Romania (ATIC)

  • The Centre for Democracy & Technology Europe (CDT Europe)

  • Xnet, Institute for Democratic Digitalisation (Spain)

Individual signatories specialising in technology and/or digital rights:

  • Assist. Prof. Giovanni Apruzzese, University of Liechtenstein

  • Assist. Prof. Lili Nemec Zlatolas, University of Maribor

  • Associate Prof. Dr. Carsten Baum, Technical University of Denmark

  • Aureli Gómez i Vidal, critical internet services engineer

  • Emeritus Professor Douwe Korff, London Metropolitan University

  • Dr Dan Bogdanov, Estonian Academy of Sciences

  • Dr. David Galadi-Enriquez, University of Cordova

  • Dr. Eyal Ronen, Tel Aviv University

  • Dr. Jordi Cortit, Clarivate

  • Dr. Juanjo Llórente Albert, Universidad Popular Valencia

  • Dr. María Iglesias Caballero, National Institute of Health Carlos III

  • Dr. Stephen Farrell, Trinity College Dublin

  • Eng. Jorge Pinto, Independent Technologist

  • Filippos Frantzolas Msc, Hellenic Professionals Informatics Society (HePIS)

  • Mr. Henrique California Mendes, application security engineer

  • Matthias Pfau, co-founder of Tuta.com and cryptography expert

  • Prof. Anja Lehmann, Hasso-Plattner-Institute, University of Potsdam

  • Prof. Aurélien Francillon, EURECOM

  • Prof. Bart Preneel, University of Leuven

  • Prof. Carmela Troncoso, MPI-SP & EPFL

  • Prof. Diego F. Aranha, Aarhus University

  • Prof. Dr. Daniel Loebenberger, Sprecher Fachbereich Sicherheit der Gesellschaft für Informatik e.V.

  • Prof. dr. Jaap-Henk Hoepman, Radboud University / Karlstad University

  • Prof. Dr. René Mayrhofer, Johannes Kepler University Linz

  • Prof. Dr. Simone Fischer-Hübner, Karlstad University & Chalmers University of Technology

  • Prof. Dr. Tanja Lange, Eindhoven University of Technology

  • Prof. Ian Goldberg, University of Waterloo

  • Prof. Keith Martin, Royal Holloway, University of London

  • Prof. Kenneth G. Paterson, ETH Zurich

  • Prof. Kimmo Halunen, University of Oulu

  • Prof. Levente Buttyán, Budapest University of Technology and Economics (Head of the Laboratory of Cryptography and System Security))

  • Prof. Manuel Barbosa, Universidade do Porto (FCUP)

  • Prof. Marko Hölbl, University of Maribor

  • Prof. Martin Albrecht, King’s College London

  • Prof. Panos Papadimitratos, KTH Royal Institute of Technology

  • Prof. Simona Levi, Director of Postdegree in Tecnopolitics and Rights in the Digital Era at Universitat de Barcelona

  • Prof. Srdjan Čapkun, ETH Zurich

  • Prof. Stefano Calzavara, Università Ca’ Foscari Venezia

  • Prof. Vaclav Matyas, Masaryk University

  • Prof. Vasile Balatac, National University of Political Studies and Public Administration – SNSPA

  • Simone Aonzo, PhD, EURECOM

  • Univ.-Prof. Dr. Matteo Maffei, TU Wien

  • Yigit Aydinalp, University of Sheffield

Illustration of a phone with Tuta logo on its screen, next to the phone is an enlarged shield with a check mark in it symbolizing the high level of security due to Tuta's encryption.