The draft proposal from the Committee on Civil Liberties, Justice, and Home Affairs seeks to modernize data protection rules introduced in previous years, with privacy protection in the 2002 Regulation on Privacy and Electronic Communications not providing sufficient protections across the board. Under the proposal, the regulation will be amended to even out these protections across the board.
The 2002 regulations also doesn’t cover newer services and systems, including apps using end-to-end encryption and the machine-to-machine communication systems used for the “Internet of Things,” something the proposal seeks to rectify.
Stressing the confidentiality of personal electronic communications, and the long-standing fundamental right for privacy for individuals, the amendments note that the member states of the European Union are largely prevented from interfering with any encryption-related protections. Any interference “must be limited to what is strictly necessary and proportionate in a democratic society.”
The proposed amendments also specifically rule out the possibility of government-mandated insertion of backdoors or weakening of such systems entirely.
“When encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited,” reads one amendment. “Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.”
Some governments and their agencies have called for backdoors and weaker encryption for messaging services, including WhatsApp and iMessage, under the belief these systems protect criminal organizations and terrorists. In March, U.K. Home Secretary Amber Rudd called the use of end-to-end encryption by tech companies a “completely unacceptable situation,” claiming intelligence services should have access to encrypted services to intercept secretive terrorist communications.
Despite the use of encryption in their products, tech companies have offered their assistance during major events. Earlier this month, Apple CEO Tim Cook confirmed Apple was working with the U.K. government to aid law enforcement investigations into recent terrorist attacks, though didn’t go into detail about what was provided.
Due to Apple’s extensive use of encryption in its products, the company would not have been able to provide conversations between terrorists or other explicit data, but Cook advised “It doesn’t mean no information” is being provided. “Metadata exists and that’s very important for building a profile.”
Metadata is effectively all the information surrounding data, and is largely viewable regardless of whether the core data itself is encrypted or not. This information can include details about the sender and recipient, timestamps, and other logs, which can be put together to establish the identities of people involved, and possibly the intent of the encrypted message itself.
The report also suggests increased protection of metadata, with the proposed changes expected to keep existing rules in the General Data Protection Regulation (GDPR) the same or improve them. The GDPR itself was adopted by the EU in 2016, as a replacement for existing data protection directives dating back to 1995, and will be in force from May 2018.
“Communications data (both content and metadata) are extremely sensitive as they reveal sensitive aspects of the private life of individuals (sexual orientation, philosophical or political beliefs, freedom of expression and information, financial situation, health condition), therefore they deserve a high level of protection,” the report states.
The most well known use of metadata is through PRISM, the US National Security Agency’s data mining project that extracted data from documents, media, and other potential sources of logs to track individuals and contacts in real time.
The amendments that relate to the GDPR also cover location tracking of equipment via Bluetooth or Wi-Fi, such as through iBeacons, as well as the privacy settings of devices regarding Do Not Track mechanisms, including web browser tracking and the functionality of cookies.
Due to being a draft proposal, the suggestions provided by the committee will still need to be approved by the European Parliament itself, then put under review by the EU Council, before being used to amend directives. As such, there is a possibility for the proposals to be changed or removed before being accepted.
If the proposals pass through in their current state, it could give tech companies a clear mandate to use end-to-end encryption across the board, even in areas outside of Europe. Companies that encrypt communications would have more of an incentive to keep their apps secure and not weaken encryption in certain markets.
For the UK, such changes would make laws such as the Investigatory Powers Act difficult to enforce, such as the provision that requires communication providers to assist with targeted interception of data, including the requirement for UK firms to strip away any encryption they apply to data by request.
A previous version of the Investigatory Powers Act had elements in place that would force firms to weaken encryption or install backdoors into their products for law enforcement officials to use. This was successfully challenged by privacy advocates and tech companies, including Apple, with these elements removed from the bill before passing the House of Commons.
Once the UK leaves the EU, an event expected to take place in March 2019, the country won’t be subject to the EU’s rules, and could therefore put in place legislation forcing such backdoors to exist. Even so, it is unlikely for a tech company to make a hampered version of an app specifically for the UK market that would also be able to communicate with users in other markets, due to the need to keep EU traffic encrypted.