By Jim Preen, Director of Crisis Management at YUDU Sentinel
A document leaked to Austria’s ORF TV network indicates the EU may be taking a sledgehammer to end-to-end encryption used by WhatsApp and other comms systems.
Encryption locks personal data, but governments and law enforcement agencies have long been concerned that terrorists and criminals are using these systems to literally get away with murder.
Terror attack in France and Austria
Following recent terrorist atrocities in France and Austria the EU are set to demand backdoor access. The draft EU resolution says while: ‘The European Union fully supports the development, implementation and use of strong encryption’ they are increasingly concerned that law enforcement can’t get ‘access to electronic evidence to effectively fight terrorism, organised crime, child sexual abuse (particularly its online aspects), as well as a variety of cyber-enabled crimes.’
This has sparked controversy among pro-security and pro-privacy groups.
YUDU Sentinel’s CEO Richard Stephenson sees this as a possible landmark event: “We might be at a tipping point when governments wrest back control from the social media giants. The public, desperate to stay safe, might just buy in. For a long time, businesses have become increasingly uncomfortable about secret and unknown communications passing between their staff without any corporate oversight. It would be natural to see the controllers wanting their power back, but this is a huge step for the EU if they have the nerve to take it.”
Others see this type of legislation as a direct attack on data privacy, which will aid criminals rather than deter them. Ray Walsh from ProPrivacy said: “Removing strong end-to-end encryption creates vulnerabilities that can be exploited not just by EU government agencies, but also by anybody – including hackers, cyber-criminals and state-sanctioned operatives from foreign governments – with the technical ability to discover that purposefully created backdoor.”
There is a particular concern that the backdoor ‘key’ could fall into the hands of governments with dubious human rights records such as Russia, Saudi Arabia or China. It might also just push criminal communications towards the dark web, where they are almost impossible to intercept.
No corporate oversight
Firms have long had concerns about staff using WhatsApp, not because of criminal intent, but because managers are denied access. Colleagues can set up chat groups but if a member leaves to go to the competition there is no way HR can remove them from the group if they take their mobile number with them. Former staff can still be listening in on commercially sensitive conversations, while working for the opposition. Chats can also be deleted, making WhatsApp of little use to firms needing to access messages in the wake of an emergency.
Richard Stevenson again: “Is the EU about to knock though the wall and open a backdoor to the privacy fortress of end-to-end encryption? I have long argued that these types of apps are great for family and friends, I use WhatsApp myself, but they have no place in a business environment. It’s not a question of snooping, firms must have legitimate access to what staff are doing and saying, what decisions and actions are being taken, particularly when it comes to post crisis review.”
The United States also seems to be on board with limiting encryption in an effort to fight crime. In October the Five Eyes intelligence group that comprises the US, UK, Canada, Australia and New Zealand released a statement that reflects much of the EU thinking: ‘Particular implementations of encryption technology pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children. We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content.’
Unique selling point
The EU resolution, which could become law before the end of the year, talks about the European Union establishing ‘an active discussion with the technology industry’ but the two are clearly at odds. The tech firms want to preserve encryption, while the EU want to chip away at it in their bid to ‘access electronic evidence, conduct successful investigations and bring criminals to justice.’
This must be a worrying time for WhatsApp and their competitors. End-to-end encryption is one of their unique selling points. On their website WhatsApp boast: ‘Some of your most personal moments are shared on WhatsApp, which is why we built end-to-end encryption into the latest versions of our app. When end-to-end encrypted, your messages and calls are secured so only you and the person you’re communicating with can read or listen to them, and nobody in between, not even WhatsApp.
Tech firms have huge power and influence, but going up against the might of the EU presents them with a significant challenge. While the EU makes much of their willingness to work with the industry, any kind of backdoor access will be seen by the social media firms as a threat to their business model. They are unlikely to roll over and agree to the EU’s demands and will fight this legislation. As these massive institutions face off, it would be unwise to predict who will emerge the winner.