An internal document of the German Presidency of the Council to the delegations of the member states dated November 6th is making the rounds in EU circles as reported by Austrian television sender ORF. The aim is to force services such as WhatsApp, Signal and many others that implemented end-to-end encryption for their users to enable authorities to access encrypted chat messages with the help of a general key. It's clear that the terrorist attack in Vienna is being used by the EU Council of Ministers to push through a law against safe encryption for EU citizens.
In Brussels, terrorist attacks are regularly used to push though long-planned surveillance measures. For instance, the data retention regulation was passed in the EU after the terrorist bombings in Madrid (2004) and in London (2005). General data retention was later declared illegal in the EU by the European Court of Justice, "signaling that security concerns do not justify excessive privacy infringements", such as general data retention for all citizens.
Nevertheless, now the EU Council once again wants to push for a severe surveillance law. This time they want "exceptional access" to encrypted communication with the help of a general key provided by the services in question. The details of this method have been published by Politico in August.
The "Draft Council Resolution on Encryption - Security through encryption and security despite encryption" stresses the fact that "The European Union fully supports the development, implementation and use of strong encryption. Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society."
However, this reads as a lip service when continued:
"Protecting the privacy and security of communications through encryption and at the same time upholding the possibility for competent authorities in the area of security and criminal justice to lawfully access relevant data for legitimate, clearly defined purposes in fighting serious and/or organized crimes and terrorism, including in the digital world, are extremely important. Any actions taken have to balance these interests carefully."
While the EU Council titles this section with "Creating a better balance", they actually mean: Having a general key to break the encryption in case the authorities need to.
As privacy advocates, however, we understand the risks, but more on this later. The main reason the authorities state as to why they want such a general key is that it would have helped them to prevent terrorist attacks. So let's look at the latest terrorist attack in Vienna. If the Austrian authorities had had access to the encrypted chat of the terrorist, would they have been able to prevent the attack?
Earlier this year, German authorities had asked Austrian colleagues to monitor a meeting between two suspected Islamists and the future attacker in Vienna in July. In the following risk assessment of the future attacker, who was on parole after a previous terrorism-related conviction, mistakes were made.
Despite the fact that also the Slovakian authorities informed Austrian authorities that the terrorist had tried to purchase ammunition in Slovakia, this intelligence did not lead to a constant surveillance of the future attacker. The Austrian authorities could even have issued an arrest warrant because of this due to his criminal record.
It is becoming increasingly clear that apparently errors of investigation had made the attack possible in the first place and not the lack of digital monitoring powers.
The Austrian Interior Minister himself admitted: "Apparent and intolerable investigations mistakes were made." Yet, politicians again call for surveillance of all citizens - instead of educating their officers to better assess potential threats with the data they already have.
The ORF comments on this ironically: "These are the "competent authorities": GCHQ, DGSE, BND, etc., whose vacuum-cleaning methods on the optical fibres produce less and less processable data due to increasing transport encryption. In order to avert this impending data poverty, general keys have now been requested and it looks as if this will be approved by the Council. This means that the BVT (Austrian Federal Office for the Protection of the Constitution and Counter Terrorism), which is unable to even eliminate a terrorist who is served twice on a silver platter by two other services, will in future be able to investigate for weeks in chat sessions without success."
If it wasn't so sad, it would make us smile.
The bottom-line is: The authorities and intelligence services already have a lot of data on potential threats. Assessing the data in depth takes time and qualified people in order to narrow down the most dangerous potential threats. There is no proof that adding more data to the databases will in any way help to find potential attackers.
Unfortunately, the dangers of such general surveillance much outweigh the potential benefits. So bringing encryption into a "better" balance with the requirements of authorities as the EU Council puts it, is far from the truth.
The problem is - as always with encryption - who controls the key? Once there is a general decryption key for encrypted chat messages, the authorities will want to use it. Malicious attackers will want to obtain it. State agencies will want to get access to it to use it not just against criminals, but also for industrial espionage, to monitor the opposition in Autocratic countries, etc.
The main questions are:
Given that we already have governments in the EU that have autocratic tendencies such as Poland and Hungary, countries that make abortion illegal, that discriminate against LGBT communities and other minorities, we should be well aware of the harm that could be done by giving a general decryption key to the authorities of such European member states.
A general key to all WhatsApp and Signal messages would be a high-profile target for criminals and (criminal) state agencies. It would just be a matter of time until such a key would leak into malicious hands. Ironically enough, the EU itself has recently recommended their employees to use Signal for chatting securely with outsiders of the institution.
The Vienna terrorist attack is just one in a long row of attacks in Europe that show that it is not increased surveillance that is needed to fight terrorism. To the contrary, an analysis done by journalists came to the conclusion that all Islamic terrorists since 2014 have been known to the authorities before the attacks took place.
Similarly, the NSA phone surveillance program in the USA was not only declared illegal recently, it also proved to be expensive and ineffective. It did not stop one single terrorist attack.
When politicians ask to break encryption - even if it's for the 'good' guys only - they do not offer us to choose between more security or less. They force us to choose no security.
This proposal by the EU Council must never become law as
We call on EU politicians to read up on online security, to learn about the importance of encryption and the threats posed towards individuals by weakening encryption as well as the threats posed towards an open and democratic society.
As a free and open society we share the values of freedom of speech and privacy in Europe. Now, we must remain strong to protect these values.
If these freedoms are taken away from us, the terrorists have already won.