ProtonMail, Threema & Others Warn EU Lawmakers on Encryption

Four European applications – ProtonMail, Threema, Tresorit, and Tutanota – that safeguard user information through end-to-end encryption have collectively released a statement expressing concern over recent actions by EU institutions. They warn that these actions could lead lawmakers down a precarious path toward compromising encryption standards.
End-to-end encryption is a method of encryption where the service provider lacks the ability to decrypt user data, significantly enhancing privacy as no external entity possesses the means to access the information in a readable format.
This form of encryption also strengthens security by minimizing potential vulnerabilities surrounding user data.
However, the increasing adoption of end-to-end encrypted services has been a point of contention for law enforcement agencies for several years. This is due to the difficulty it presents in accessing decrypted data. When presented with a warrant for user data protected by end-to-end encryption, service providers can only supply the information in an unreadable state.
Last month, the EU Council adopted a resolution regarding encryption that contains conflicting statements – advocating for both “security through encryption and security despite encryption” – which the four application developers interpret as a veiled attempt to introduce backdoors into encrypted systems.
The European Commission has also indicated an interest in achieving “improved access” to encrypted information. In a comprehensive counter-terrorism agenda published in December, it stated it would “work with Member States to identify possible legal, operational, and technical solutions for lawful access” [emphasis theirs].
Concurrently, the Commission has affirmed its commitment to “promote an approach which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime and terrorism”. It has also acknowledged that there is no single, simple solution to the security challenges posed by end-to-end encryption.
Despite these qualifications, application developers utilizing end-to-end encryption remain apprehensive. They believe that proposals originating from the Council of the EU – which participates in the adoption of EU laws, although the Commission typically drafts legislation – represent a move towards mandating backdoors.
“While not explicitly stated in the resolution, it is broadly understood that the proposal aims to grant law enforcement agencies access to encrypted platforms through backdoors,” the four developers write, further cautioning that such a step would fundamentally undermine the security that EU institutions also claim to prioritize.
“The resolution demonstrates a fundamental misunderstanding: Encryption is absolute; data is either encrypted or it is not, and users either have privacy or they do not,” they continue. “The desire to equip law enforcement with more tools to combat crime is understandable. However, the proposals are akin to providing law enforcement with a key to every citizen’s home and could initiate a dangerous trend toward increased infringements on personal privacy.”
They highlight that any attempt to compromise end-to-end encryption in Europe would contrast with the growing global interest in robustly encrypted services, citing the recent increase in registrations for apps like Signal as a result of privacy concerns surrounding Facebook-owned WhatsApp.
Europe has also been a leader in enacting legislation to protect privacy and security, so a reversal of course by EU lawmakers to weaken end-to-end encryption would be a significant shift. (Furthermore, EU data protection authorities are currently recommending the use of end-to-end encryption to legally secure transfers of personal data to countries where it may be at risk.)
To say that the EU’s push in an anti-encryption direction lacks ideological consistency would be a considerable understatement. The current communications from Brussels on this topic appear inherently conflicted, potentially reflecting an acknowledgment of the difficulty in resolving this complex policy issue.
The application developers also observe this. “Individuals worldwide are regaining control of their privacy, and European companies are often instrumental in enabling them to do so. It seems illogical that policymakers in the EU would now advocate for laws that contradict public opinion and jeopardize a thriving European technology sector,” they state.
In a direct quote from the joint statement, Andy Yen, CEO and founder of ProtonMail, a Swiss end-to-end encrypted email service, cautions against complacency in the face of the latest perceived push for a legal framework to circumvent encryption.
“This is not the first instance of anti-encryption rhetoric from certain parts of Europe, and it likely will not be the last. However, that does not mean we should be complacent,” he said. “Simply put, the resolution is no different from previous proposals that sparked widespread opposition from privacy-focused companies, civil society groups, experts, and MEPs.
“The difference this time is that the Council has adopted a more subtle approach and avoided explicitly using terms like ‘ban’ or ‘backdoor’. But there is no mistaking the intent. It is crucial that action is taken now to prevent these proposals from progressing further and to safeguard the privacy rights of Europeans.”
Martin Blatter, CEO of end-to-end encrypted instant messaging app Threema, also contends that EU lawmakers risk hindering the growth of domestic startups if they pursue legislation requiring European vendors to bypass or deliberately weaken end-to-end encryption.
“[It] would not only devastate the European IT startup ecosystem, it would also fail to provide any additional security,” he warned. “By aligning itself with some of the most repressive surveillance states in the world, Europe would recklessly abandon its unique competitive advantage and become a privacy wasteland.”
Istvan Lam, co-founder and CEO of Tresorit, an end-to-end encrypted file sync & sharing service, also argues that any attempts to weaken encryption would severely damage trust in services, as well as being “irreconcilable with the EU’s current position on data privacy”.
“We find this resolution particularly concerning given the EU’s previously progressive views on data protection. The General Data Protection Regulation (GDPR), the EU’s globally recognized model for data protection legislation, explicitly supports strong encryption as a fundamental technology to ensure citizens’ privacy,” he said, adding: “The current and proposed approaches are fundamentally incompatible, as it is impossible to guarantee the integrity of encryption while simultaneously providing any form of targeted access to the encrypted data.”
Arne Möhle, co-founder of Tutanota, a German end-to-end encrypted email provider, asserts that any push to backdoor encryption would be detrimental to security, potentially even assisting criminals.
“Every EU citizen needs encryption to protect their data online and to defend themselves against malicious attackers,” he said. “With the latest attempt to backdoor encryption, politicians want an easier way to prevent crimes such as terrorist attacks while disregarding a wide range of other crimes that encryption protects us from: End-to-end encryption safeguards our data and communication against eavesdroppers such as hackers, (foreign) governments, and terrorists.”
“By demanding encryption backdoors, politicians are not asking us to choose between security and privacy. They are asking us to choose no security,” he added.
A conflict appears to be brewing in Europe regarding the interpretation of the Council’s contradictory directive on ensuring “security through encryption and security despite encryption”. However, it is evident that any move toward backdoors would likely face significant regional opposition and could be subject to legal challenges under the region’s existing legal framework.
The Commission acknowledges this complexity. Its counter-terrorism agenda is also broad in scope. There is no indication that it views end-to-end encryption as the sole obstacle to be overcome. EU institutions are pursuing multiple avenues, in part because a number of fundamental limitations restrict the scope for interventions that are not specifically targeted.
Therefore, the outcome of the Council’s resolution may be a concerted effort to enhance law enforcement skills in relevant areas (such as digital forensics and metadata analysis), and potentially the creation of structures to allow local or state-level forces across the bloc to access more advanced technical expertise from security services to support targeted investigations (e.g., device hacking), rather than a Europe-wide mandate requiring end-to-end encryption vendors to implement a universal key escrow ‘solution’ (or similar) that would indiscriminately jeopardize everyone’s security and privacy.
However, this situation warrants close monitoring.
