EU throws a spanner in London’s encryption backdoor works

If the European Parliament had set out to deliberately embarrass the British government over its view that consumer encryption needs backdoors it couldn’t have done a better job.

The discomfiture has emerged from two amendments to Article 7 of the EU’s Charter of Fundamental Rights proposed last week by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE).

The first of these, amendment 36, is largely an upgrading of the obligation of service providers to protect customers using security technologies, including encryption.

But amendment 116, a brand new provision, is where things get interesting. Service providers must ensure:

…that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data.

Followed by an important statement that won’t have gone down well in London:

When encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.

Let’s compare this sentiment with the so-called “Technical Compatibility Notices (TCNs)” mentioned in a draft UK government document leaked to the Open Rights Group in May.

TCNs define what service providers with more than 10,000 users might have do to be in compliance with future powers that might be added to the already contentious “Snooper’s Charter” Investigatory Powers Act (IPA), which came into effect in November 2016.

While the draft doesn’t mention end-to-end encryption of the WhatsApp variety by name, it is hard to see how any communications company could meet its demands without offering a way around the sort of encryption it offers.

Crudely, with terrorism a major worry, the UK government doesn’t have the time to batter down the front door and wants companies to offer it some back door short cuts on a tell-us-now basis.

Naked Security has already explained why fiddling with encryption risks unintended consequences, but the issue here is what the possibility of the  EU’s Charter of Fundamental Rights adopting precisely the opposite would mean for consumer encryption.

On the face of it, WhatsApp might find itself compelled to offer some kind of bypass in the UK whilst guaranteeing its total security in the EU’s 27 states.  Clearly, this won’t be credible – assuming it’s even technically possible.

Which side will blink first? Depending on the path taken towards Brexit, the assumption is that the UK will repeal the Charter of Fundamental Rights. The problem remains that the UK approach is still trying to impose rules on an industry where companies run on global rather than national standards.

The British government – even with the help of an equally sceptical US government – can’t easily impose this kind of top-down control on technology without years of legal and engineering toil.

If the wording suggested by MEPs makes it into EU law, it will find itself at odds not just with technology providers but the EU too. Bravado aside, it is likely to lose this one in painfully slow motion.