Jakubowska, who reviewed the document, said many countries appear to have said they will give police access to people’s encrypted messages and communications. Comments from Cyprus, for example, said it was “necessary” for law enforcement authorities to have the ability to access encrypted communications to investigate online sexual abuse crimes. and that the “effect of this regulation is significant because it will set a precedent for other sectors in the future.” Similarly, officials in Hungary said that “new methods of interception and access to data are needed” to help law enforcement.
“Cyprus, Hungary, and Spain clearly see this law as their opportunity to get into encryption to destroy encrypted communications, and that to me is huge,” Jakubowska said. “They see that this law is more than what the DG house says it is.”
Belgian officials said in the document that they believe in the motto “security through encryption and despite encryption.” When approached by WIRED, a spokesperson from Belgium’s Ministry of Foreign Affairs initially shared a statement from the country’s federal police that said its position had improved since it submitted comments for the document and that Belgium adopted a position, along with other “like-minded states,” that it wants to weaken encryption. However, half an hour later, the spokesman tried to retract the statement, saying that the country refused to comment.
Security experts have long said that any potential backdoor in encrypted communications or ways to decrypt services would weaken the overall security of encryption. If law enforcement officials have the means to decipher the messages, criminal hackers or those working for governments can exploit the same capability.
Despite the potential attack on encryption from some countries, many countries also appear to strongly support end-to-end encryption and the protections it provides. Italy describes the proposal for a new system that is not the same. “This will represent a general control of all encrypted mail sent through the web,” the country’s representatives said. Estonia has warned that if the EU mandates the scanning of end-to-end encrypted messages, companies will likely redesign their systems so they can decrypt the data or will be shut down in the EU. Triin Oppi, a spokesperson for the Ministry of Foreign Affairs of Estonia, said that the country’s position has not changed.
Finland urged the EU Commission to provide more information about technologies that can combat child sexual abuse without harming online security and warned that the proposal could conflict with the Finnish constitution.
Representatives from Germany—a country that strongly opposes the proposal—said that the draft law should clearly state that no technologies will be used that can disrupt, circumvent, or change encryption. “This means that the draft text will have to be revised before it can be accepted by Germany,” the country said. Member states must agree on the text for the draft bill before negotiations can continue.
“Responses from countries like Finland, Estonia, and Germany show a more comprehensive understanding of the stakes in CSA regulatory discussions,” said Stanford’s Pfefferkorn. “The regulation not only affects criminal investigations for a specific set of violations; it affects the government’s own data security, national security, and the privacy and data protection rights of its citizens, as also in innovation and economic development.”