The Council of the European Union is a group of representatives of the 27 EU governments. The institution continues to investigate the challenges caused by encryption technology. Someone there recently coined a new policy term, “security through encryption and security despite encryption” (in this document). What does it mean?
The Council of the EU has a long-term interest in encryption and cryptography. The point of interest of this particular working group revolves around lawful access to content.
The new document has a few great parts. For example, it expressly says there are no intentions of prohibiting encryption or enacting backdoors. This is because “The European Union fully supports the development, implementation, and use of strong encryption”, and encryption has important uses in “critical infrastructures, civil society, citizens and industry by ensuring the privacy, confidentiality and data integrity”. But they are nonetheless concerned about “competent authorities in the area of security and criminal justice” (i.e. that some devices/content cannot be unlocked/decrypted even with a warrant?). The concerns are about the reach of the judicial system and law enforcement. Specifically:
“There are instances where encryption renders analysis of the content of communications in the framework of access to electronic evidence extremely challenging or practically impossible despite the fact that the access to such data would be lawful. Independently of the technological environment of the day, it is therefore essential to preserve the powers of competent authorities in the area of security and criminal justice through lawful access”
They don’t know how to do that (to “create a balance”). For this reason, they wonder about engaging research and academia to do something or to learn how something may be done. In Europe, in practice, this may mean the European Commission creating a high-level expert group on something, possibly to advise on the road forward. How such a group is composed will immediately become important. For example, the group on AI was fairly reasonable, while the structure and composition of another one on disinformation was a bit less great.
Security despite encryption
The key issue in the unveiled documents is the identification of “encryption” as a problem, hence the newly coined tech policy term:
“Security despite encryption”.
The problem with this term is that we don’t know what it means. This technology policy vessel is defined but it is not filled with anything as of now. This is precisely the danger of such phrases. They are easily read and remembered. But who knows what kind of plan or policy is behind them?
The sound of it is quite similar to "responsible encryption" (invented in the U.S.), so let’s try unraveling the content using the powers of technology policy reverse engineering :-)
“Security through encryption and security despite encryption”
The term looks like a fairly conscious and intentional amalgam of tech and tech policy terms, blending the technical “security” (guaranteed “through encryption”) with the non-technical “security” (physical security/policing/judicial process, and so on), which should be upheld “despite encryption”. Is encryption an obstacle? What does one do with obstacles? Remove them, of course. But you cannot remove encryption because it is needed to make systems secure (also, the first part speaks of “security through encryption…”, so encryption is here to stay). This leaves us with the “despite”. What remains within the reach of change? The physical/offline/etc. “security” (“...despite encryption”) problems cannot be easily changed as they do not magically disappear. This leaves us with the only aspect that is hypothetically left open to change: encryption.
How one may expect to do this is another story entirely and not the topic of this analysis. Here I merely try to unravel the tangled technology/security policy term. We do not know what the designers of this term had in mind (if anything in particular).
Words have power. Words may impact policies. Words certainly can change policy and politics. How things are framed matters. Words should be carefully used. Can security be guaranteed despite encryption? In the case of computer/technology security, it cannot be guaranteed without encryption. Such a question makes no sense. But security certainly cannot be guaranteed without strong encryption.