One year ago, the Council of the European Union published the Council Resolution on Encryption, which emphasizes the necessity for security through encryption and for security despite encryption. The resolution is based on the assumption that access to encrypted content is becoming increasingly important for competent authorities in the area of security and criminal justice, inter alia in the fight against terrorism and organised crime. The idea of improving access to encrypted data is also set out in the Counter-Terrorism Agenda for the EU and in other EU legislative initiatives such as the draft for a NIS 2.0 Directive and the EECC. While the envisaged promotion of end-to-end encryption, and in some instances even the obligation of service providers to provide it, means a step towards improved data security, the implementation of a technical solution for security and law enforcement authorities to gain access to encrypted data represents a step backwards for data security.
Our paper provides an introduction to the history and technological functioning of encryption before outlining why such an access solution, which is not a back door, is probably not technically feasible and ultimately weakens overall IT security.
The results of our research were presented at the 22nd DSRI Herbstakademie 2021, Im Fokus der Rechtsentwicklung – Die Digitalisierung der Welt, held virtually in September 2021.
A short version of our paper has been published in the conference proceedings, and a long version as University of Luxembourg Law Research Paper No. 2021-010.