Encryption debate rolls on - European police chiefs do not accept ‘binary choice between cyber security and privacy’

The great end-to-end encryption debate continues to roll on in Europe, as police chiefs from the region released a joint declaration stating that they fundamentally do not believe in a binary choice between cyber security and privacy. The statement, which is supported by Europol and European Police Chiefs, comes as Meta has begun rolling out end-to-end encryption across all of its messaging platforms (previously it was limited to WhatsApp as default, but will now be extended to Instagram and Facebook Messenger chats too). 

End-to-end encryption allows two or more users to communicate without anyone else seeing the content of those messages, even the messaging service provider (e.g. Meta). Governments and police authorities argue that this level of protection reduces their ability to intercept illegal activities online, particularly when it comes to the exploitation of children; whilst privacy campaigners believe the introduction of a ‘back door’ for encrypted services would allow governments to undertake mass surveillance of citizens’ data. 

It’s a Catch-22 in many respects: do you accept total privacy across messaging services and acknowledge that this will inevitably lead to some illegal activity? Or do you introduce a back door that reduces everyone’s hard fought for privacy principles as a result? Whilst some will argue that ‘If you’re not doing anything wrong, what does it matter?’; many will be reluctant to introduce mechanisms that allow for the potential of mass surveillance by the state and policing authorities. 

The debate was seemingly quashed late last year after the British Government was seen to back down in a row with technology companies over ‘client-side scanning’ technology, which would have allowed for the analysis of a message’s content on the user’s device before the message was sent. Again, privacy campaigners argued that this opened the door to mass surveillance, but equally it was claimed that effective technology in this area didn’t yet exist for this purpose. The government conceded after WhatsApp and Signal threatened to pull out of the country all together and British officials said that the clause in question in the Online Safety Bill wouldn’t be enforced. 

However, with Meta now rolling out expanded encryption services, and with Britain’s amended Investigatory Powers Act in the final stages of being introduced in Parliament, which would require technology companies to notify the government of any changes that could impact the state’s surveillance activities (and allow the Home Office to enforce changes), the debate regarding end-to-end encryption has been reignited. 

‘Not a binary choice’

With this context in mind, European police chiefs are pushing for technology companies to reconsider their position and go as far to argue that they have a ‘social responsibility’ to develop a ‘safer environment where law enforcement and justice can do their work’, as criminals move more activities online. 

The joint declaration released in recent days states that two key capabilities are crucial to supporting online safety: 

First, the ability of technology companies to provide to law enforcement investigations – in response to a lawful authority with strong safeguards and oversight – the data of suspected criminals on their service. This is known as ‘lawful access’.

Second, the ability of technology companies proactively to identify illegal and harmful activity on their platforms. This is especially true in regards to detecting users who have a sexual interest in children, exchange images of abuse and seek to commit contact sexual offences. 

The companies currently have the ability to alert the proper authorities – with the result that many thousands of children have been safeguarded, and perpetrators arrested and brought to justice.

Currently, British police forces, for example, receive data on suspicious activity from Meta, which leads to hundreds of arrests a month and hundreds of children identified as safeguarding concerns. European police chiefs argue that these mechanisms help ‘save many lives’ and ‘protect the vulnerable’ on a daily basis. 

The declaration adds that policing authorities are “deeply concerned” that end-to-end encryption is being rolled out in a way that will undermine both these capabilities. It states that companies will not be able to respond effectively to a lawful authority, nor will they be able to identify or report illegal activity on their platforms. This means, the police claim, that they will not be able to keep the public safe. 

The declaration continues:

Our societies have not previously tolerated spaces that are beyond the reach of law enforcement, where criminals can communicate safely and child abuse can flourish. They should not now. We cannot let ourselves be blinded to crime. We know from the protections afforded by the darkweb how rapidly and extensively criminals exploit such anonymity.

We are committed to supporting the development of critical innovations, such as encryption, as a means of strengthening the cyber security and privacy of citizens. However, we do not accept that there need be a binary choice between cyber security or privacy on the one hand and public safety on the other.

Absolutism on either side is not helpful. Our view is that technical solutions do exist; they simply require flexibility from industry as well as from governments. We recognize that the solutions will be different for each capability, and also differ between platforms.

However, it’s worth noting that whilst the police chiefs call on the technology industry to ‘build in security by design’, they do not explicitly outline what technology solutions exist to enable end-to-end encryption and still allow for technology companies to monitor messages for illegal activity. Privacy campaigners argue such technologies do not exist, without compromising the privacy principles for all citizens. 

My take

The challenge, as I see it, is that even if governments, police authorities and technology companies all have the best intentions in the world currently, we can’t be sure that future authorities and state leaders will have the same intentions. Whilst everyone can agree that protecting people and children online is critical, it becomes more difficult when regulating to undermine everyone’s privacy principles. Do we want a scenario where those in power have mechanisms by which to access private communications data forevermore, if they see fit? I’d argue that that is a very serious compromise that many wouldn’t feel entirely comfortable with.