Endwall 08/28/2016 (Sun) 18:51:03 No. 448
Security Affairs
France, Germany calls for European Decryption Law: What’s next?
http://securityaffairs.co/wordpress/50707/laws-and-regulations/france-germany-decryption-law.html
August 28, 2016 By Pierluigi Paganini
Amid the Apple vs. FBI debacle and a successful attempt at a breach of NSA headquarters by a hacker group, a new torch has been lit internationally, with France and Germany calling for a European Decryption Law.

Months later, the FBI-Apple encryption standoff in the U.S. and the NSA headquarters breach by hackers have started a global debate on encryption between governments and pro-security supporters. On Tuesday, Germany’s Interior Minister Thomas de Maizière and France’s Interior Minister Bernard Cazeneuve held a joint press conference in Paris, “Franco-German initiative on internal security in Europe”, where they called on the European Commission to consider a possible new legislative act to force operators offering products or telecommunications services to decrypt messages or to remove illegal content for government investigators. A directive, if issued by the European Commission, is a kind of EU decryption law that must pass through the interpretation stage of the European Union’s member states to become national law at European level. Meanwhile, at the international level, they also called for the signing and ratification of the Budapest Convention on Cybercrime.

These propositions by the two ministers were issued based on the terrorist attacks that happened in their countries, in which the attackers were said to be using highly encrypted communications apps. That being said, there is already a directive in practice for national security, as pointed out by Commission spokesperson Natasha Bertaud. In an email statement to Fortune she said, “The current data protection directive (which also applies to the so-called over-the-top service providers) allows member states to restrict the scope of certain data protection rights where necessary and proportionate to, for instance, safeguard national security, and the prevention, investigation, detection and prosecution of criminal offences.” She further added that “The new general data protection regulation (which will apply as from 25 May 2018) maintains these restrictions.”

In an opinion-based statement on encryption, the German minister talked about “good practices” and “innovative ideas” to tackle encryption. Meanwhile, his French fellow minister stepped up the press conference by specifically naming the Telegram app and criticizing it. WhatsApp and Telegram took their stance by stating that they cannot decrypt the data because of the encryption mechanism, under which only users have access to their conversations. Even though a data protection directive is in practice, the explicit agenda on access to encryption may be to have control over such apps internationally and EU-wide.

Isabelle Falque-Pierrotin, President of the National Commission on Informatics and Liberties, France’s data protection authority, gave her opinion on the matter of encryption in an editorial in France’s Le Monde. “It is through encryption that we can make a bank transfer safely. It is through encryption that we can store our health data in a shared medical file (DMP) online. It is also thanks to this tool that investigations on “Panama Papers” were possible. For companies, encryption is now the best protection against economic espionage,” she wrote.

Earlier this year in the U.S., during the debate over the FBI-Apple encryption suit, we saw telecommunication providers backing Apple, and anti-encryption hardliners such as Senator Lindsey Graham switching sides in favor of Apple after realizing the technical reality of the case. “I was all with you until I actually started getting briefed by the people in the intel community,” Graham told Attorney General Loretta Lynch during Senate Judiciary Committee hearings. “I will say that I’m a person that’s been moved by the arguments about the precedent we set and the damage we might be doing to our own national security.”

Strong anti-backdoor and pro-encryption opinion came from European Commission Vice-President Andrus Ansip, who supported Apple’s decision to refuse to unblock the iPhone of the terrorist. “Identification systems are based on encryption. I am strongly against having any kind of backdoor to these systems. In Estonia, for example, we have an e-voting system. If people trust an e-banking system, they can also trust an e-voting system. This trust is based on a strong single digital identity guaranteed by the government, which is based on encryption. The question is who will trust this e-voting system if there are some back doors and someone has the keys to manipulate the results. The same goes for the e-banking system.” The European Parliament resolution of September 2015 on “human rights and technology” turns out to be in favor of strong encryption.

As the debate is heating up, the next step could be the revision of the European Union’s “e-privacy” directive. To refresh the memory: in May 2016, the EU executive body set out a new e-privacy proposal that would significantly change telecommunication regulation to create a “level playing field” between traditional and online telecommunications services like Skype and WhatsApp. According to documents quoted by the Financial Times, the European Commission will proceed further with the e-privacy revision and bring Microsoft’s Skype and Facebook’s WhatsApp into the same regulatory fold as traditional telecommunication operators, and may explicitly ask for decryption orders. That would affect Google, Netflix, Amazon and Apple as well in the EU.

There is also some opinion that the French and German governments are heading into elections next year and are using this tactic to strong-arm them. The press release has started a global tug of war, but there is no easy answer to what comes next.