On Global Encryption Day (21 October), Edward Snowden, the whistleblower behind the NSA surveillance revelations, defined encryption as a matter of life and death. A day earlier, a coalition of EU lawmakers voiced concerns that an upcoming legislative proposal could open the door to mass surveillance.
Global Encryption Day is an initiative by civil society and technology companies to advocate for strong encryption. Encrypted messaging services enable secure communication that would not be readable if intercepted.
For this reason, encrypted communications have been accused by law enforcement authorities and governments around the globe of enabling criminal activities and terrorist networks. Public authorities have therefore requested special access, a backdoor that security experts fear might be exploited for purposes other than legitimate law enforcement.
“If you weaken encryption, people will die. This year alone, after the fall of the government of Afghanistan, we saw how crucial encryption is in keeping ordinary people safe,” Snowden said during the Global Coalition Day event.
In 2013, Snowden disclosed a number of highly classified documents from the US National Security Agency, revealing a global surveillance programme that involved telecom companies and EU governments. These revelations prompted a global discussion around privacy, which in Europe resulted in shaping GDPR as a solid legal framework.
“It would have been impossible for me to whistleblow without encryption. My first messages to journalists were made with encryption and without secure end-to-end encryption it is impossible to see how brave investigative journalism could happen at all,” the former NSA employee added.
The Global Encryption Coalition made a public call to ‘Make the Switch’, offering encryption as a way to prevent power abuses and defend marginalised groups, victims of political persecution and professional categories that deal with sensitive information such as journalists and lawyers.
“Protecting strong encryption is essential for protecting the human rights of millions of people around the world. Everyone has the right to privacy and security – that can only be maintained with secure end-to-end encryption,” said Jimmy Wales, founder of Wikipedia.
Child sexual abuse material
The power struggle around encrypted services has taken centre stage in the policy initiatives to fight child sexual abuse online. In April, the EU adopted a temporary measure that enables service providers to scan private messages in search of child pornography, known as ePrivacy derogation.
The Commission is due to present a long-term measure on 1 December, which privacy advocates fear would put in place automatic monitoring mechanisms to detect child sexual exploitation and abuse material in online services.
On Wednesday (20 October), a cross-party coalition of 20 MEPs sent an open letter to leading Commission officials voicing their concerns over what would open the door, in their view, to mass surveillance.
“Indiscriminately and generally monitoring everybody’s online activities ‘just in case’ causes devastating collateral damage,” the letter reads.
For the lawmakers, the measures would go against the fundamental right to confidential communications, and would not stand judicial review as they are “neither necessary nor proportionate, as clarified by the CJEU [Court of Justice of the European Union] in the ‘Schrems I’ judgment in 2015.”
Schrems I was a landmark judicial ruling that in 2015 brought down the EU agreement for data transfers to the United States, precisely following Snowden’s revelations on the capacity of US security agencies to harvest private information.
The MEPs point to similar practices in authoritarian states, singling out China as the example not to follow. The outsourcing of law enforcement activities to private operators is also seen as problematic, as it removes the independence safeguards and institutional oversight from criminal investigations.
The letter also refers to a legal assessment of the German Bundestag on the CJEU ruling concerning automated analyses of communications data. The legal opinion notes that “the CJEU only deems automated analysis justifiable under EU law when it is used for limited periods of time, in specific situations when there is a particularly considerable and imminent threat.”
The EU lawmakers stressed that the public outcry that hit Apple following its announcement that it intended to scan personal photos for child sexual abuse materials would be replicated if the EU executive attempted to normalise monitoring of encrypted services.
[Edited by Zoran Radosavljevic]