As I have been writing in my articles since I started at TechGenix, I have tried to hammer home the dangers of government threats to encryption. Countless times in the post-9/11 era we have seen privacy overreach from nation-states against international citizens and governments, as well as reprehensible invasive actions against their own citizens. Especially here in the United States, security professionals have had to deal with federal agencies like the FBI assaulting encryption standards. Such examples include the FBI attempting to force Apple into giving a “master key” to the iPhone of San Bernardino shooter Syed Farook, as well as the NSA attacking Cisco servers with a zero-day that allowed mass spying and data collection.
There have been government representatives of various types that have occasionally spoken out against these practices, but nothing quite like what the European Parliament has just done. As reported in The Hacker News, The Civil Liberties, Justice and Home Affairs Committee of the European Parliament has released a proposal to strengthen global encryption, at least in the EU, by banning government backdoors and enforcing a standard of end-to-end encryption. All of this is to protect the privacy rights of EU citizens, and, perhaps, set a precedent for other world governments to follow suit.
As the proposal reads:
“Pursuant to Article 8(1) of the Charter and Article 16(1) of the Treaty on the Functioning of the European Union,everyone has the right to the protection of personal data concerning him or her. Regulation (EU) 2016/679 lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. Electronic communications data may include personal data as defined in Regulation (EU)”
From this legal basis, the Committee strongly states that:
“When encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited… Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.”
This is an amazing step forward, but it is not without its issues. As Mohit Kumar states in the previously cited Hacker News article, most major tech companies that have clout in the encryption game are under U.S. law. U.S. officials have made no major effort, either from Democrats or Republicans, to truly fight against the assault that encryption has faced from the government in the public and private sector. Silicon Valley has often been complicit in helping the Feds weaken encryption standards, and as InfoSec experts we have tried and failed so far to fight this effectively.
Perhaps this is the start of something better.