Security

Europe to push new laws to access encrypted apps data

App-makers get a choice: Open up voluntarily or we'll pass laws forcing you to


Update The European Commission will in June push for access to data stored in the cloud by encrypted apps, according to EU Justice Commissioner Věra Jourová.

Speaking publicly, and claiming that she has been pushed by politicians across Europe, Jourová said that she will outline "three or four options" that range from voluntary agreements by business to strict legislation.

The EC's goal is to provide the police with a "swift and reliable" way to discover what users of encrypted apps have been communicating with others.

"At the moment, prosecutors, judges, also police and law enforcement authorities, are dependent on whether or not providers will voluntarily provide the access and the evidence. This is not the way we can facilitate and ensure the security of Europeans, being dependent on some voluntary action," Jourová said, according to EU policy site Euractiv.

Typically governments will use the threat of legislation to push companies into agreeing to offer what they want voluntarily. But Jourová clearly expects some significant pushback from the tech industry – particularly US corporations such as Facebook and Apple – and so argued that the voluntary, non-legislative approaches would only be provisional in order to get to "a quick solution," with laws coming later.

The intended message is that the EC is not bluffing and although it will take a few years to pass such legislation, it is prepared to do so, and may do so regardless of what app-makers offer.

The announcement comes close on the heels of a number of aggressive pushes by European governments against social media companies.

Earlier this month, the German government proposed a €50m fine if companies like Facebook and Twitter do not remove "obvious" criminal content within 24 hours. A few days later, the EC said it was going to insist that social media companies change their terms and conditions to remove various efforts to insulate them legally from content issues – such as the requirement for anyone to sue them in a California court rather than in their home country.

And one day after the March 22 murderous attack in the heart of London, the UK government was publicly critical of the failure of companies like Google and Facebook to remove extremist content on the internet, arguing that they "can and must do more."

That was followed shortly after by UK Home Secretary Amber Rudd specifically highlighting Facebook-owned chat app WhatsApp and arguing that the authorities must be given access to messages sent by the Westminster attacker over the service.

The debate over encryption has been going on for well over a year and until recently was dominated by fights in the United States, most notably between the FBI and Apple over access to an iPhone used by a shooter in San Bernardino, California.

At the heart of the matter though, nothing has changed: tech companies and security experts say that if crypto backdoors are created, it will be impossible to ensure that only the "good guys" can use this special access, and thus will undermine end-to-end encrypted systems and encrypted storage. Meanwhile politicians and law enforcement insist they don't care how it's done, they want to be able to access people's private communications and stored data, particularly if they have a warrant regarding suspected criminal behavior. ®

Correction: updated to add

The original version of this article stated that the EC was looking to pass legislation providing it with backdoor access to encryption.

A spokesperson from the EC got in touch to say that Jourová's words had been misinterpreted and there is no plan to introduce legislation covering encryption. The proposed laws will instead cover faster access to material held in the cloud in different jurisdictions. Material that, presumably, they expect to be unencrypted.

That clarification came on the same day that UK home secretary Amber Rudd also appeared to back away from her demand that law enforcement be given access to encrypted communications on apps such as WhatsApp.

Send us news
153 Comments

Nevada sues to deny kids access to Meta's Messenger encryption

State government says it's thinking of the children

Security is hard because it has to be right all the time? Yeah, like everything else

It takes only one bottleneck or single point of failure to ruin your week

Turns out cops are super interested in subpoenaing suspects' push notifications

Those little popups may reveal location, device details, IP address, and more

European Court of Human Rights declares backdoored encryption is illegal

Surprising third-act twist as Russian case means more freedom for all

Apple promises to protect iMessage chats from quantum computers

Easy to defend against stuff that may never actually work – oh there we go again, being all cynical like

Meta says risk of account theft after phone number recycling isn't its problem to solve

Leaves it to carriers, promoting a complaint to Irish data cops from Big Tech's bête noire

DoorDash coughs up a few bucks after California accuses it of spreading around customer info

Food delivery giant promises to drop off $375,000, no tip

Australian spy chief fears sabotage of critical infrastructure

And accuses a former Australian politician of having 'sold out their country'

Russia's Cozy Bear dives into cloud environments with a new bag of tricks

Kremlin's spies tried out the TTPs on Microsoft, and now they're off to the races

Europe's data protection laws cut data storage by making information-wrangling pricier

GDPR also slashed processing costs by over a quarter

Cybercrims: When we hit IT, they sometimes pay, but when we hit OT... jackpot

Or so says opsec firm, which confirms 70% of all industrial org ransomware in 2023 targeted manufacturers

Google open sources file-identifying Magika AI for malware hunters and others

Cool, but it's 2024 – needs more hype, hand wringing, and flashy staged demos to be proper ML