James Ball

The EU’s muddled approach to encryption

The EU would like you to know that it doesn’t want to ban encryption. In fact, it correctly recognises that encryption is absolutely essential for our privacy and financial safety on the internet. That’s why a draft resolution – due to be tabled in front of EU leaders at a pivotal summit later this month – spends paragraphs extolling the virtues of online encryption, before setting out the EU’s complaint: they would really like to be able to read encrypted messages. And they want technology companies to do something about it.

On the surface, the EU’s argument might seem quite reasonable: most of us would generally believe that with warrants or similar safeguards, authorities should be able to read the messages of serious criminals or terrorists. This is an argument successive UK governments have also been fond of making.

The problem is that once you scratch below the surface, legislators are essentially proudly proclaiming themselves to be pro-cake and pro-eating it.

Online security is quite different from offline security, in that our communications are ultimately protected by encryption, which boils down to complex mathematics. Encryption uses calculations which are easy to perform one-way round but almost impossible to reverse – the mathematical equivalent of scrambling an egg – which means tech companies can make our messages all but impossible to decipher as they traverse the internet’s network of cables and servers.

In fact, thanks to encryption, the creators of most modern messaging apps can’t read their users’ messages – even if they wanted to. This is crucial for our security and privacy: messages aren’t secure if someone who works for a tech company (or a criminal or spy posing as them) can access them. And it means that when governments or police forces ask tech companies to hand over data, they can’t – they never had it in the first place.

But this is giving governments – which in the internet era have become accustomed to being able to drown themselves in terabyte after terabyte of bulk data – something of a headache. In response, they have begun urging, or threatening to compel, tech companies to create some means of circumventing their sophisticated encryption for selected users, so that they can hand over their data.

This is, essentially, the online equivalent of getting someone to leave the back door open so you don’t have to use the locked, barred and reinforced front door. And just like an open back door in real life, in practice that means you’re leaving the door open to everyone.

If tech giants create vulnerabilities so it is easier to access user data, the same methods will also be used by criminals and foreign governments. In the online world, it is simply not possible to selectively weaken security just for the ‘good guys’.

The EU’s latest resolution tackles this thorny problem by insisting that they are big supporters of encryption and that they understand the risks of backdoors, and so would not ask tech giants to insert them into their messaging apps.

Instead, they ask tech companies, researchers, academics and others to look for some other way of allowing them to access messages – essentially deciding that a back door by any other name will somehow magically work differently.

We should be relieved that the latest EU proposal is so laughably vague, but it is symbolic of the dead end that governments across the world have reached when it comes to regulating the internet – a task we all agree, to different extents, is necessary, but one for which most governments seem woefully ill-equipped.

If the EU is interested in tracking and monitoring criminals, there are already other technical methods available – for example, through phone manufacturers themselves (though backdoors here could, again, cause unintended consequences). It could also spend more on human intelligence, which is traditionally far more effective, and has been starved of resources in the internet era.

Instead, the EU joins an array of other governments and bodies straddling the line between menace and comical ineffectiveness. By railing against encryption, they undermine public trust in a technology that is vital to our online privacy and security.

And by having nothing more than a plea to the heavens for some magical fix to their problem, the EU are instead making themselves look comically unprepared for the task of regulating the internet era of capitalism. We are two decades into the digital age, and our politicians are still decidedly analogue.

Written by James Ball

James Ball is the Global Editor of the Bureau of Investigative Journalism, which last month launched a two-year project looking into Russian infiltration of the UK elite and into London’s role in enabling overseas corruption.