EU security agency Enisa has released a new paper recommending that policy-makers promote “privacy friendly” services – a move that appears to set it at odds with British PM David Cameron. The UK leader pledged yesterday to ban the use of strong encryption in communications.
The European Network and Information Security Agency, to give it its full name, argued in its report that privacy is a “fundamental human right” according to the European Convention on Human Rights and the Universal Declaration of Human Rights.
Privacy-Enhancing Technologies (PETs) like encryption are an important technical means of fighting off challenges to privacy, Enisa said in its report, Privacy and Data Protection by Design – from policy to engineering.
However, thus far, efforts to turn PETs into “privacy-friendly systems and services” – for example via a ‘privacy by design’ development approach – have not met with much success, the report claimed.
Enisa’s list of recommendations includes the need for policy-makers to “support the development of new incentive mechanisms for privacy-friendly services” and to promote them. It also urged lawmakers “to promote privacy and data protection in their norms.”
Lengthy sections of the report on “secure private communications” and “communications anonymity and pseudonymity” make clear the agency’s views on encryption.
It explained:
“Any information from a user to a service or between users should preferably be encrypted using modern cryptographic techniques to render it unintelligible to eavesdroppers. All types of communications from the user should be protected: personal information or sensitive user input should be encrypted to preserve its privacy (and security); however, even accesses to otherwise public resources should be obscured through encryption to prevent an eavesdropper from inferring users’ patterns of browsing, profiling, service use or extracting identifiers that may be used for future tracking.”
While not a policy document, the security agency’s stance provides some interesting insight into Brussels’ thinking on the topic of privacy – more of which will be known when the EU General Data Protection Regulation is finally enforced in a couple of years.
It also puts David Cameron firmly at odds with his European masters.
The prime minister this week echoed the sentiments of US attorney general Eric Holder, FBI director James Comey and GCHQ boss Robert Hannigan, who have all spoken out against strong encryption in communications systems.
Their argument is that encryption effectively helps criminals and terrorists because the security services can’t monitor these communications.
However, security experts have branded Cameron’s plans idiotic and completely unenforceable, as they’d effectively require changes to services like iMessage and WhatsApp. They could also stifle innovation in the UK’s burgeoning IT sector, it has been argued.
James Lyne, global head of security research at Sophos, told Infosecurity that Cameron's remarks could "harm our position in the global economy as a trusted country."
"Cameron’s proposal suggests a strong shift towards security through the ability to ban or prohibit some of the stronger PETs,” he argued.
“This new view from the prime minister seems at odds with the direction most other countries are taking, notably the US and EU, and could be seen as a rather simplistic, knee-jerk reaction to the recent events in Paris. We therefore hope that further clarification of his comments will come in due course.”
Richard Moulds, vice president of strategy at Thales e-Security, argued that the genie is already out of the bottle when it comes to encryption.
"Governments could try to make encryption illegal or employ measures such as limiting the size of encryption keys or requiring people to register their keys, but realistically none of these approaches is practical," he added.
"At some point governments have to accept that encrypted communications can’t reliably be broken, and that lawful interception will become less useful over time. Other intelligence-gathering techniques will need to be developed.”
Wael Aggan, CEO of CloudMask, agreed, adding that Cameron’s proposals would be a “disaster for all of us.”
“Mr. Cameron is trying to convince the world that some fantasy version of security is possible —where ‘good guys’ can have a back door or extra key to your home but bad guys could never use it,” he argued.
“Anyone with even a basic understanding of security can tell you that's just not true.”