When Security Interests Collide: Weakening End-to-End Encryption? – A Brief Note on Recital 98 NIS 2 Directive

In November 2020, the Council of the European Union published the Council Resolution on Encryption, in which the necessity for security through encryption and for security despite encryption is emphasized. The Resolution is based on the assumption that access to encrypted content is becoming increasingly important for competent authorities in the area of security and criminal justice, inter alia in the fight against terrorism and organised crime. The idea of improving access to encrypted data is also set out in the Counter-Terrorism Agenda for the EU and in other EU legislative initiatives such as the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse (COM(2022)209 final) and the NIS 2 Directive. The EU Commission’s Proposal on child sexual abuse material (CSAM) will require messaging platforms to access private data and messages to detect CSAM. While recognising that end-to-end encryption technology is an important tool to guarantee the security and confidentiality of communication, it is unclear how the mandatory detection of CSAM should be carried out in practice without weakening or degrading encryption. In that regard, a joint opinion by the European Digital Privacy Supervisor and the European Data Protection Board calls the efforts to undermine encryption ‘disproportionate’. However, the NIS 2 Directive reiterates that the ‘use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences in accordance with Union law’ without weakening end-to-end encryption (Recital 98).

In a previous publication we discussed in detail that – while the envisaged promotion and, in some instances, even the obligation of service providers to provide end-to-end encryption is a step towards improved data security – the implementation of a technical solution allowing security and law enforcement authorities to gain access to encrypted data represents a step backwards for data security. Our paper ‘When Security Interests Collide – Technical and Legal Implications of Mandatory Access by Public Authorities to Encrypted Data (Wenn Sicherheitsinteressen kollidieren – Technische und rechtliche Implikationen einer verpflichtenden Zugriffsmöglichkeit auf verschlüsselte Daten durch Behörden)’ provides an introduction to the history and technological functioning of encryption before outlining why such an access solution, which is not a back door, is probably not technically feasible and ultimately weakens overall IT security.
