Encryption is non-negotiable: open letter to EU to not undermine privacy.
Encryption protects us all. At Tuta, we would rather leave the EU than give in to demands to undermine encryption.
Today a coalition of 55 professional associations, media, human rights organizations, trade unions, and tech companies issued a joint letter urging EU Ministers to adopt a digital security agenda that promotes fundamental rights and supports a secure digital ecosystem. The letter expresses concerns about the High-Level Group’s (HLG) recommendations on expanding law enforcement access to personal data, fearing these could lead to mass surveillance and undermine privacy.
Matthias Pfau, CEO of Tuta, warns that if the EU continues down this path, it risks losing innovative, privacy-focused companies and the trust of its citizens:
“If the EU continues down this path of undermining encryption, it will become impossible for companies like Tuta Mail to operate within its borders. At Tuta we fight for everyone’s right to privacy with encryption; and we will continue to do so! If the EU tries to stop us, we would rather relocate than undermine our quantum-safe encryption. The EU risks losing innovative, privacy-focused businesses - and with them, the trust of its citizens”, says Matthias Pfau, CEO of Tuta Mail.
Weakening encryption poses a serious risk to digital security, as recent cyberattacks on U.S. telecom providers by Chinese state-backed attackers have shown. This recent security breach in the USA highlights the importance of robust encryption. The EU must rethink its approach - because weakening encryption isn’t just a policy choice, it’s a threat to everyone’s safety. Encryption is the foundation of secure and trustworthy digital communication. Compromising this foundation opens the door to malicious actors, threatening the safety of citizens, businesses, and governments.
While U.S. officials - following the attack by China on the digital infrastructure in the US - increasingly recommend the use of end-to-end encrypted communication tools, the EU is moving in the opposite direction by discussing policies that would weaken encryption and deny everybody digital privacy. Strong encryption is essential to protect against various online threats, and the EU must prioritize robust security and privacy over policies that create systemic vulnerabilities.
Backdoors to encryption are never an option - because malicious actors will abuse them.
Key points of the open letter
- Respect for Fundamental Rights: The letter opposes measures like “lawful access by design,” which could lead to weakening encryption and digital security systems, compromising personal data and communications. It stresses the need to uphold the right to privacy and avoid undermining encryption, which is crucial for safeguarding individuals’ safety and freedom.
- Privacy and Professional Secrecy: The letter highlights that measures enabling unrestricted law enforcement access could compromise the confidentiality of communications, including those protected by professional secrecy, such as between doctors and patients, journalists and sources, and lawyers and clients. These protections are vital for safeguarding other fundamental rights like freedom of speech and freedom of expression.
- Security of the Digital Ecosystem: The letter warns that the HLG’s proposal could undermine the EU’s robust digital security framework such as the GDPR, leading to a weakened digital ecosystem. It cautions against mandating service providers to collect unnecessary data or enable interception, as this would degrade security systems and create vulnerabilities. There is concern that the implementation of backdoors for law enforcement would expose systems to exploitation by malicious actors.
- Impact on EU Businesses: The letter points out that strict enforcement measures and sanctions could harm small, secure service providers, potentially driving them out of the market. This would negatively affect the EU’s cybersecurity ambitions and the ability to provide secure services.
Read the full letter to understand how policymakers need to balance law enforcement needs with the protection of fundamental rights, without compromising everybody’s privacy.
Open Letter
Joint letter calling for the EU digital security agenda to promote fundamental rights and support a safe digital ecosystem
Dear Ministers,
We, the undersigned professional associations, media and human rights organisations, trade unions and technology companies, are writing to you to underline the necessity of an EU digital security agenda that both ensures justice, accountability and the respect of fundamental rights, and supports the development of a safe digital ecosystem.
In this context, we would like to share our concerns as regards the recommendations and report put forward by the High-Level Group (HLG) on access to data for effective law enforcement. In light of the HLG’s overall aim to grant law enforcement authorities maximal access possible to personal data, we identify important risks of mass surveillance as well as substantial security and privacy threats, if these recommendations were taken as a basis for future EU policies and legislation. We therefore urge you to consider the following recommendations when defining EU priorities in this policy area.
Respect fundamental rights and ensure the security and confidentiality of digital spaces
We would like to warn against granting law enforcement unfettered capacities that may lead to mass surveillance and violate fundamental rights.
In particular we are extremely worried about the concept of “lawful access by design” supported by the HLG, which aims at mainstreaming law enforcement access to data in the development of all technologies. In practice it would require the systemic weakening of all digital security systems, including but not limited to encryption. As a result, it would undermine the security and confidentiality of electronic data and communications, put everyone’s safety at risk and severely encroach on people’s fundamental rights. This concept goes against the long-established recommendations of human rights organisations, data protection and cybersecurity experts, as well as the European Court of Human Rights’ (ECtHR) jurisprudence.
We therefore recommend discarding any measure that may bypass the protections afforded by encryption or weaken them, as it would create security and privacy threats to millions of people, public institutions and inevitably damage the broader digital information ecosystem.
Furthermore, we would like to recall that any future EU harmonised regime on data retention and access must respect the legal requirements of necessity and proportionality set out in EU law and the well-established case law of the Court of Justice of the EU (CJEU) and the ECtHR for the protection of fundamental rights against mass surveillance. In that regard, the proposed extension of the data retention obligation to virtually all information society services, encompassing the internet of things and internet-based services, is particularly concerning, as it would demand the untargeted, indiscriminate retention of personal data. This broad and general monitoring would generate in people’s minds the feeling that their private life is the subject of constant surveillance and cannot be considered compliant with the aforementioned requirements.
Uphold the right to privacy and inviolability of protected information
Whilst the right to privacy and confidentiality of communications is not absolute, any interference with fundamental rights must be compliant with the principles of legality, strict necessity and proportionality. General and indiscriminate retention of personal data that allow detailed profiles of the individual to be created and measures that undermine the security of all private communications do not meet these principles.
Those general and indiscriminate measures also affect persons whose communication is subject to professional secrecy, such as doctors and their patients, journalists and their sources, lawyers and social workers and their clients. The legal protection granted to those communications is a sine qua non guarantee for people’s effective exercise of other fundamental rights, including the right to a fair trial and of defence, freedom of expression and information including media and press freedoms, freedom of thought and religion, freedom of assembly and association, and the rights to social assistance and health care.
We are concerned that the envisaged sweeping powers for law enforcement to access data would interfere with the confidentiality of protected communications and related fundamental rights. These measures risk being abused to target journalists, human rights defenders, lawyers, activists and political dissidents. Crucially, the EU must guarantee the inviolability of data and other evidence falling under the principle of legal professional privilege or professional secrecy.
Support a safe, trustworthy and diversified digital ecosystem
Responsible device manufacturers and service providers have invested considerable resources in improving the security of their devices and the reliability of their services. These innovations not only meet the demands of increasingly privacy-conscious users, but also of regulatory authorities in charge of enforcing elevated standards in the cybersecurity and data protection fields. The EU holds a unique advantage thanks to a data protection framework that sets a high legal standard for protecting the fundamental rights and freedoms of people in a world where privacy is under constant attack.
Unfortunately, the HLG’s vision could undermine Europeans’ ability to choose trustworthy digital tools in the future. It recommends to set extensive, and sometimes contradictory, obligations on operators. This includes forcing them to collect and retain more user data than what is needed for providing their services, enabling real time interception and providing decrypted data to law enforcement, all the while avoiding to compromise the security of their systems. Despite the HLG’s intention to not undermine digital security, there is in reality no technical way to break the promise of end-to-end encryption without weakening the security of communications systems. A backdoor - or any other circumvention mechanism - intended for law enforcement can always be exploited by other actors, as numerous examples have shown.
Lastly, the HLG also outlines a worrying enforcement framework, including harsh sanctions to deter and punish non-compliance with EU obligations and law enforcement orders (administrative sanctions, commercial ban, imprisonment). We see here the risk of either driving reliable operators offering secure services out of the EU market or out of business if they are small or not-for-profit, or preventing them from developing secure solutions if established in the EU. Needless to say, this would be highly detrimental to the EU’s cybersecurity initiatives and ambitions.
We understand that investigative measures available to law enforcement must be adequate for the digital age and effective in addressing the unique challenges created by cross-border online services. However, efficiency should not be achieved at the expense of weakening fundamental rights, legal safeguards and the European economy. We are convinced that these objectives of general interest can be met with less intrusive measures than mass surveillance and systemic weakening of essential security guarantees.
We thank you in advance for your consideration and remain at your disposal should you have any questions.
Sincerely,
Access Now
ARTICLE 19, International
Association of European Journalists, Belgium (AEJ Belgium)
Bits of Freedom, Netherlands
Bolo Bhi, Pakistan
Centre for Democracy and Technology Europe (CDT Europe)
Chaos Computer Club (CCC), Germany
Civil Liberties Union for Europe (Liberties)
Committee to Protect Journalists (CPJ)
Community Media Forum Europe (CMFE)
Council of Bars and Law Societies of Europe (CCBE)
Cryptee, Estonia
D3 – Defesa dos Direitos Digitais, Portugal
Danes je nov dan, Slovenia
Datenpunks, Germany
Deutsche Vereinigung für Datenschutz e.V. (DVD), Germany
Deutscher Anwaltverein (German Bar Association)
Digital Rights Ireland
Digitale Gesellschaft, Germany
Digitale Gesellschaft, Switzerland
eco – Verband der Internetwirtschaft e.V.
Electronic Frontier Foundation (EFF), International
Electronic Privacy Information Center (EPIC), United States of America
Element
Epicenter.works – for digital rights, Austria
Eurocadres
EuroISPA – The European Association of Internet Services Providers
European Broadcasting Union (EBU)
European Digital Rights (EDRi)
European Federation of Journalists (EFJ)
European Magazine Media Association (EMMA)
European Newspaper Publishers’ Association (ENPA)
European Publishers Council (EPC)
Global Forum for Media Development (GFMD)
Global Network Initiative (GNI)
Heartland Initiative
IFEX
Initiative für Netzfreiheit, Austria
IT-Pol, Denmark
La Quadrature du Net, France
Ligue des droits humains, Belgium
Mailfence, Belgium
Malta Information Technology Law Association (MITLA)
News Media Europe (NME)
Nextcloud GmbH, Germany
Panoptykon Foundation, Poland
Politiscope, Croatia
Privacy International
Proton, Switzerland
SHARE Foundation, Serbia
South East Europe Media Organisation (SEEMO)
Statewatch, International
Tech Global Institute
Tuta Mail, Germany
Wikimedia Foundation