Europe's privacy body has reiterated its pro-privacy, anti-backdoor stance.
The European Data Protection Supervisor (EDPS) Giovanni Buttarelli has long expressed the view that “privacy versus security” is a false dichotomy. In 2015, he told a conference in Brussels that “the objective of cyber-security may be misused to justify measures which weaken protection of [data protection] rights”.
He's now issued a much longer dissertation on the topic, the Preliminary EDPS Opinion on the review of the ePrivacy Directive, here (PDF).
The ePrivacy framework needs to be extended, the opinion states, it needs to be clarified, and it needs better enforcement.
The document also says the emergence of new services since the directive was first issued means it needs a thorough update. For example, Buttarelli's document states that there's a danger that new services erode privacy protections even though they're “functionally equivalent” to existing services.
For example, he writes, VoIP services should afford users the same privacy protection as traditional phone services, as should mobile messaging apps.
Likewise, he highlights the risk that the Internet of Things erodes privacy because the directive doesn't pay enough attention to machine-to-machine communications.
On encryption, Buttarelli is unequivocal:
The new rules should also clearly allow users to use end-to-end encryption (without 'backdoors') to protect their electronic communications. Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited.
The prohibition on backdoors would be universal, the EDPS writes: encryption providers, communication service providers, and “all other organisations (at all levels of the supply chain)” should be prohibited from “allowing or facilitating” backdoors.
SOHOpeless vendors on notice
On the matter of protecting citizens' communications security, the EDPS's utterances might give pause to the tech industry, since they suggest better regulation of the security of everything from networks to endpoints to operating systems.
Carriers might fail at network security, but there's at least a consensus in the telco sector that networks should be secure.
Modem vendors, on the other hand, repeatedly exhibit a lax attitude to security, so they might be chilled at the thought that the EDPS is considering extending “security requirements to reinforce coverage of software used in combination with the provision of a communication service, such as the operating systems embedded in terminal equipment”.
Ditto IoT vendors, who aren't merely lax about privacy, they're hostile to it, since gathering user data is fundamental to the business model: wearable computing, home automation, and vehicles should also be covered, Buttarelli writes.
Other high points of the document include:
- Cookies – While a first-party analytics cookie is one thing, the EDPS is against the practice of forcing users to consent to third-party trackers to access content: “the EDPS recommends that legislators consider a complete or at least a partial ban on the so-called ‘cookie walls’.”
- Consent – Citizens deserve better and simpler consent mechanisms, particularly given the opportunities new technologies like smartphones and IoT devices offer for tracking.