EU LIBE proposes end-to-end encryption in e-Communications; and, re: Privacy Shield, WP29 seeks, i.a., “precise evidence” from U.S. that bulk collection is “as tailored as feasible”, limited and proportionate

This post briefly highlights two developments regarding EU internet privacy/security.

1. EU LIBE proposes amendment of draft e-Communications regulation to promote end-to-end encryption, seeks prohibition of Member State legislation that would “[weaken] security and encryption”

The EU LIBE Committee released a draft report (.pdf), dated June 9th 2017, on the proposed e-Communications regulation, and specifically promotes end-to-end encryption in Amendment 116:

“The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data. (…)”

The remainder of that amendment seeks prohibition of nation-level legislation that would “[weaken] security and encryption of their networks and services”:

“Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.”

This, of course, is at odds with intelligence & security interests, which range from the ability to detect & thwart computer network attack/exploitation to the ability to detect and monitor plans to sabotage or steal military equipment or dual-use goods (Wassenaar). It is certainly different from the direction in which the European Commission has been heading for years; to that end, also take a look at The Effect of Encryption on Lawful Access to Communications and Data (.pdf, February 2017, Center for Strategic and International Studies (CSIS); by Lewis, Zheng & Carter).

The promotion of end-to-end encryption by EU LIBE is not unexpected: part 2 of the STOA study “Mass Surveillance”, dated January 2015, recommended the promotion of end-to-end encryption and provided several policy options to that end. Specifically, see the last paragraph of the following section in the management summary (all emphasis is original):

(…)

Policy options for the ‘Promote adoption’ scenario

Promote end-to-end encryption

Stimulate awareness of the necessity of using encryption by initiating a media campaign, as awareness of privacy risks is quite low.

Increase the knowledge level of end-users, both individuals and responsible departments in organisations, by setting up an independent platform where users can find information on tools, implementation, do’s and don’ts etc.

Support product security tests by independent institutions such as the Electronic Frontier Foundation that help users make better-informed choices. Support can be a financial contribution, but also promotion of the results. Alternatively the EU can set up its own regular product security test programme.

A parallel option is to stimulate user-friendliness of end-to-end encryption solutions, for instance by promoting existing user-friendly end-to-end encryption solutions for e-mail, messaging, chat etc. Dedicated funding or participation in open-source software end-to-end encryption solutions is also an option to specifically improve user-friendliness.

If the market does not provide security with end-to-end encryption by itself, regulation should be considered, obliging service providers and/or Internet service providers to provide end-to-end protection as standard for data in transit. An additional benefit of regulation would be a concrete political discussion on the balance between privacy and law enforcement and national security, at European and/or national level. The outcome of this debate should be implemented in national legislation.

(…)

I’m not sure what LIBE’s intent / expectation is w.r.t. Amendment 116; to me, it looks like something that is not intended to be adopted “as is” as part of the e-Communications regulation, but rather as something to stimulate debate, which could have a beneficial effect on the final regulation. But I may be wrong.

2. Re: Privacy Shield, WP29 seeks, i.a., “precise evidence” from U.S. that bulk collection is “as tailored as feasible”, limited and proportionate

On June 13th 2017, the Article 29 Working Party (“WP29”) released a press statement (.pdf), entitled “Preparation of the Privacy Shield annual Joint Review”, that references bulk collection, e.g. of communication or databases containing data about persons, in relation to the EU/US Privacy Shield:

“Regarding the law enforcement and national security part, the WP 29 has questions relating in particular to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia, precise evidence to show that bulk collection, when it exists, is “as tailored as feasible”, limited and proportionate. In addition, the WP29 stresses the need to obtain information concerning the nomination of the four missing members of the PCLOB as well as on the appointment of the Ombudsperson and the procedures governing the Ombudsperson mechanism, as they are key elements of the oversight architecture of the Privacy Shield.”

Tip of the Hat to Bavo Van den Heuvel (Twitter: @BavoCranium), who highlighted this in a post on LinkedIn.

Unrelated side note: the revision of the Dutch Intelligence & Security Act of 2002 (“Wiv2002”), tentatively referred to as “Wiv20xx”, expands the Wiv2002 such that the Dutch intelligence and security services (domestic: AIVD; military: MIVD) can perform untargeted / bulk search interception of cable communications, and explicitly allows acquisition of bulk data sets through hacking or voluntary cooperation (for instance through remote access); not unlike the bulk powers in the U.K. (more). The oversight framework is significantly revised as well, for instance through the addition of ex ante oversight. The Wiv20xx was adopted by the Dutch lower house in Q1/2017 and is now being evaluated by the Dutch senate; its status in the legislative process can be seen here.

EOF