What’s all this about Europe wanting crypto backdoors?

A recent press report indicated that European legislators, concerned about terrorism, may be moving towards a prohibition of end-to-end encryption. However, the situation is more complex than initially presented. Continue reading for a detailed analysis of the current developments…
Is a Ban on E2E Encryption Imminent in Europe?
No.
Yesterday, an Austrian news publication released a report that appeared to suggest an impending ban on end-to-end encryption, linking this possibility to a recent terrorist incident within the country. In reality, discussions among Member States regarding encryption—and whether or how to regulate it—have been ongoing for several years.
The report is based on a draft resolution from the Council of the European Union (CoEU), dated November 6. According to the draft document, a final version, potentially incorporating further revisions, is scheduled to be presented to the Council on November 19 for approval.
The CoEU, a decision-making body composed of representatives from Member States’ governments, is responsible for establishing the political direction of the bloc. However, the European Commission is the entity tasked with drafting legislation. Therefore, this is not, in any way, considered ‘draft EU legislation.’
A Commission source familiar with cyber security strategy characterized the resolution as a “political statement”—and likely one without substantial impact.
What are the Specifics of the CoEU Draft Resolution?
The document begins by affirming the EU’s complete support for “the development, implementation, and utilization of robust encryption”—a position inconsistent with an intention to ban E2EE.
It then addresses “challenges” to public safety arising from criminals’ access to the same technologies used to protect essential civic infrastructure—indicating that criminals can leverage E2EE to render “lawful” access to their communications “extremely difficult” or “practically unattainable”.
This is a recurring debate within security circles—frequently prompted by the ‘Five Eyes’ nations’ advocacy for expanded surveillance capabilities—and one that consistently resurfaces in relation to the technology sector due to advancements in communications technology. However, the CoEU does not assert that access to encrypted data is truly impossible.
Instead, the resolution proceeds to call for discussions on how to ensure the authorities responsible for security and criminal justice can maintain their capabilities while fully respecting due legal process and EU rights and freedoms (specifically, the right to privacy of communication and the right to data protection).
The document proposes establishing a “more effective” balance between these competing interests. It states, “The principle of security through encryption and security despite encryption must be fully upheld.”
The specific request is for “governments, industry, research institutions, and academia… to collaborate strategically to achieve this balance”.
https://files.orf.at/vietnam2/files/fm4/202045/783284_fh_st12143-re01en20_783284.pdf
Does the Draft Resolution Advocate for Backdooring Encryption?
No.
In fact, the Council of Ministers explicitly states [emphasis ours]: “Competent authorities must be able to access data in a lawful and targeted manner, fully respecting fundamental rights and the data protection framework, while maintaining cybersecurity. Any technical solutions for accessing encrypted data must adhere to the principles of legality, transparency, necessity, and proportionality.”
Therefore, the primary objective—beyond the broader political aim of demonstrating a ‘pro-security’ stance—is to identify ways to enhance targeted data access while upholding key EU principles linked to fundamental rights (such as communication privacy).
This does not equate to a ban on E2EE or the creation of a backdoor.
What Does the Resolution Say Regarding the Legal Framework?
The Council of Ministers requests that the Commission conduct a review of existing relevant regulations to ensure consistency and to support law enforcement in operating as efficiently as possible.
The document mentions “potential technical solutions”—but again, emphasizes that any such tools for law enforcement must support the exercise of their investigatory powers within domestic legal frameworks that comply with EU law—and further stresses “upholding fundamental rights and preserving the benefits of encryption”. The document previously discussed the importance of information security as a benefit of encryption, and is essentially calling for the preservation of security without explicitly stating it.
This section of the draft document contains numerous strikethroughs, suggesting it is likely to undergo revisions. However, one rewording emphasizes the need for transparency in any collaborative efforts with communications service providers to develop “solutions”. (A backdoor that is publicly known would, of course, not be a backdoor.)
Another suggestion within the draft calls for enhancing the skills of relevant authorities to improve their technical and operational expertise—in other words, providing more cyber training for law enforcement.
Finally, the document highlights the importance of improved coordination and expertise sharing across the EU to strengthen authorities’ investigative capabilities.
It also discusses developing “innovative approaches in light of new technologies”—but concludes by clearly stating: “there should be no single prescribed technical solution to provide access to encrypted data”. This means no universal key or backdoor.
Is There Cause for Concern?
The Commission may face some pressure on this issue as it develops its new cyber strategy, potentially leading to political pressure for specific policy proposals—although significant developments are unlikely before next year. The CoEU is not currently proposing any policy ideas; it is merely seeking assistance in formulating them.
TechCrunch consulted Dr. Lukasz Olejnik, an independent cybersecurity researcher and consultant based in Europe, for his perspective on the draft resolution. He agreed that there is no broad attack on E2EE in the draft, nor any immediate prospect of legislation stemming from it. He suggested that the CoEU appears uncertain about how to proceed—hence its request for input from experts in academia and industry.
“First, there is no discussion of backdoors. The message clearly emphasizes the importance of encryption for cybersecurity and privacy,” he stated. “As for the subject of this document, it is a long-term process currently in the exploratory phase. Problems and ideas are being identified. Nothing will happen immediately.
“It is not even approaching a ban on E2EE. It seems they are unsure of what to do. Therefore, among the ideas is perhaps establishing a ‘high-level expert group’—the document mentions engaging ‘academia.’ This process is sometimes initiated by the Commission to identify ‘recommendations,’ which may or may not be used in the policy process. It would then depend on who would be admitted to such a group, and this varies considerably.
“For example, the AI group was considered quite reasonable, while the other dedicated one on disinformation was geared towards EU media figures rather than researchers or concrete expertise. We do not know where all this will lead.”
Olejnik expressed doubt that the Council could independently drive legislation in this case, given the complexity involved. “It is too early to speak of any legislation,” he said. “The legislative process in the EU can be complex to understand, but the EU Council would be unable to implement something so complex on its own.”
However, he did highlight the CoEU’s introduction of the phrase ‘security despite encryption’ as a noteworthy development—suggesting that the policy implications of this new framing remain unclear. Therefore, as always, the security debate surrounding encryption requires close monitoring.
“What I find particularly important is the coining of the term ‘security despite encryption.’ It is both unfortunate and ingenious. But the problem with this technology policy term is that it may consciously conflate policy understanding of (physical?) security with technology security, as guaranteed today by encryption. This puts the two in direct opposition,” he said, adding: “Where the fallout would lead is anyone’s guess. I believe this process is far from over.”
Could There Be a Push to Implement a ‘Lawful Intercept Mechanism’ Across the EU?
Such a step would face significant challenges given the numerous EU legal principles and rights that any mechanism would need to respect.
The CoEU’s draft resolution reiterates this point multiple times—emphasizing the need for security activities to respect fundamental rights like privacy of communication and principles of legality, transparency, necessity, and proportionality, for example.
Recent rulings from Europe’s highest court have also found domestic surveillance laws in several EU Member States to be deficient in this regard—creating a clear legal avenue to challenge any security overreach in the courts.
This means that even if a lawful intercept mechanism could be enacted through an EU legislative process, driven by sufficient political will, it would undoubtedly face fierce legal challenges and the potential for being overturned by the courts.
https://twitter.com/maxschrems/status/1325576358957879299
Asked for his opinion on the idea presented in the draft resolution—of seeking a “better” balance between security and privacy—and whether it might be a move towards something like the ‘ghost protocol’ advocated by GCHQ in recent years as an “exceptional access mechanism” (but which critics argue would both undermine user trust and introduce a widespread security risk equivalent to a backdoor)—Olejnik told us: “Undermining encryption is a precarious area because modern technology is moving in a direction of increased security, not less. In modern security ecosystems, it would be difficult to envision a lawful intercept functionality as it existed in the telecommunication infrastructure. For private businesses, it is also a matter of trust. Can individual users freely continue their online social interactions? It’s a question measured in billions of dollars.”
What is the Commission’s Response?
The Commission declined to comment on the CoEU draft resolution—but a spokesperson provided general comments on encryption, describing the technology as “an important tool to enhance cybersecurity and for the protection of fundamental rights, such as privacy, including the confidentiality of communications, and personal data”.
The executive body also acknowledged the concerns raised by the Council, stating: “At the same time, it can also be used by perpetrators seeking a secure channel to conceal their actions from law enforcement and the judiciary, making it difficult to investigate, detect, and prosecute criminal offenses.”
“Member States have, on numerous occasions, in various forums within the Council, discussed the challenges linked to the use of encryption for criminal purposes. They have called for solutions that allow law enforcement and other competent authorities to gain lawful access to digital evidence, without prohibiting or weakening encryption directly or indirectly, and in full respect of privacy and fair trial guarantees consistent with applicable law,” it also said.
The executive body added that following its Security Union Strategy, presented in July—which outlines a plan to “further strengthen cooperation and information exchange, with all the necessary safeguards” as a strategy for combating crime in the digital age—it will “explore and support balanced technical, operational, and legal solutions, and promote an approach which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to serious crime and terrorism”.
This report was updated with comments from the Commission after we received them.
