Skip to content
Naked Security Naked Security

EU throws a spanner in London’s encryption backdoor works

A wave of terrorist attacks has led to the UK government calling ever more noisily for ways to access the content of terrorists' messages - but new rules from Brussels make that demand much more difficult

If the European Parliament had set out to deliberately embarrass the British government over its view that consumer encryption needs backdoors it couldn’t have done a better job.

The discomfiture has emerged from two amendments to Article 7 of the EU’s Charter of Fundamental Rights proposed last week by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE).

The first of these, amendment 36, is largely an upgrading of the obligation of service providers to protect customers using security technologies, including encryption.

But amendment 116, a brand new provision, is where things get interesting. Service providers must ensure:

…that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data.

Followed by an important statement that won’t have gone down well in London:

When encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.

Let’s compare this sentiment with the so-called “Technical Compatibility Notices (TCNs)” mentioned in a draft UK government document leaked to the Open Rights Group in May.

TCNs define what service providers with more than 10,000 users might have do to be in compliance with future powers that might be added to the already contentious “Snooper’s Charter” Investigatory Powers Act (IPA), which came into effect in November 2016.

While the draft doesn’t mention end-to-end encryption of the WhatsApp variety by name, it is hard to see how any communications company could meet its demands without offering a way around the sort of encryption it offers.

Crudely, with terrorism a major worry, the UK government doesn’t have the time to batter down the front door and wants companies to offer it some back door short cuts on a tell-us-now basis.

Naked Security has already explained why fiddling with encryption risks unintended consequences, but the issue here is what the possibility of the  EU’s Charter of Fundamental Rights adopting precisely the opposite would mean for consumer encryption.

On the face of it, WhatsApp might find itself compelled to offer some kind of bypass in the UK whilst guaranteeing its total security in the EU’s 27 states.  Clearly, this won’t be credible – assuming it’s even technically possible.

Which side will blink first? Depending on the path taken towards Brexit, the assumption is that the UK will repeal the Charter of Fundamental Rights. The problem remains that the UK approach is still trying to impose rules on an industry where companies run on global rather than national standards.

The British government – even with the help of an equally sceptical US government – can’t easily impose this kind of top-down control on technology without years of legal and engineering toil.

If the wording suggested by MEPs makes it into EU law, it will find itself at odds not just with technology providers but the EU too. Bravado aside, it is likely to lose this one in painfully slow motion.


The EU plans to illegalize the monitoring and interception of all supposedly-encrypted communications? So no EU country will ever again be able to (and no EU country’s intelligence services ever will) conduct so-called lawful interception of, say, cellphone calls or SMSes? Or will “old” technologies that have been required to permit interception and monitoring so far…will those be left as they are? If not, who will foot the bill for changing the interceptable standards that were required before this new law?


As intelligence agencies do what is not supposed to be done on behalf of states lets hope the technical standards are up to it or it won’t make any practical difference.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!