Author: Danaja FABČIČ POVŠE (KU Leuven)
Cryptography may look like the art of turning text into unintelligible gibberish, but in a digital society it is indispensable. In very simple terms, cryptography, through the technique called encryption, prevents unauthorised third parties from reading the original text or information. Without the key, all they can obtain is a seemingly random sequence of bytes.
Relevance of cryptography and encryption
More formally, cryptography is defined by the Encyclopaedia of Cryptography and Security as the discipline of writing a message in ciphertext…, usually by a translation from plaintext according to some (frequently changing) keytext. Its aim is to protect the secret text from adversaries and enemies. Encryption, in turn, is the process of transforming information so that it is unreadable without special knowledge (the decryption key). Consider some of the services that we conveniently carry out through a phone or a computer. For example, HelloFresh delivers groceries to our doorstep so that we don’t have to go to a crowded supermarket; bank branches are far away or have inconvenient opening hours, so we use online and mobile banking. Call your mother? Open up WhatsApp or Telegram. All those transactions mean that data, such as communications about business plans, credit card information, the shipping address and the shopper’s current location, pass through various servers. This kind of information would be quite useful to a cyber criminal who wanted to use the credit card to commit card fraud, or to a competitor seeking insight into a rival’s new sales strategy, in a case of so-called industrial espionage. Therefore, both protecting these data from unauthorised parties and making sure we have the means of verifying who actually sent them, and that they were not altered in transit, are essential. Here cryptography plays an important role: encryption provides confidentiality, while message authentication codes and digital signatures provide origin verification and integrity (encryption alone does neither). Policy-makers and global actors are more and more aware of this.
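To make the two properties above concrete (keeping data unreadable without the key, and detecting a wrong key or a tampered message), the following is an added example, not code from the original post. It builds an encrypt-then-MAC scheme from Python’s standard library only: the keystream is derived from HMAC-SHA256 in counter mode and an HMAC tag covers the nonce and ciphertext. That stream-cipher construction is for illustration and is not a standard; in production use a standard authenticated encryption scheme such as AES-GCM or ChaCha20-Poly1305 from a vetted library. The MAC verifies origin only between parties sharing the key; publicly verifiable origin needs a digital signature instead. The plaintext and master key are constructed for the example.

```python
"""Encrypt-then-MAC illustration using only the Python standard library.

Assumptions (not from the original post): a 16-byte random nonce, a 32-byte
HMAC-SHA256 tag, and separate encryption/MAC keys derived from one master key.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def derive_keys(master_key: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys so one key is never reused
    for two purposes (a classic source of weaknesses)."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(enc_key, nonce || counter) blocks, truncated.
    Illustrative only; a real system would use a standardised cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh nonce per message keeps the
    keystream from repeating; the tag binds nonce and ciphertext together."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, message: bytes) -> bytes:
    """Verify the tag FIRST (constant-time compare), then decrypt. A wrong key
    or any modification of nonce/ciphertext/tag is rejected before decryption."""
    enc_key, mac_key = derive_keys(master_key)
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short to contain nonce and tag")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Run the scheme on constructed sample data and report what happened."""
    master_key = secrets.token_bytes(32)                  # constructed key
    plaintext = b"card=4111111111111111;ship=Leuven"      # constructed sample
    message = encrypt(master_key, plaintext)

    # Tamper with one ciphertext byte: the tag no longer matches.
    tampered = bytearray(message)
    tampered[NONCE_LEN] ^= 0x01
    try:
        decrypt(master_key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # A different key must also be rejected, not yield garbage silently.
    try:
        decrypt(secrets.token_bytes(32), message)
        wrong_key_detected = False
    except ValueError:
        wrong_key_detected = True

    return {
        "round_trip_ok": decrypt(master_key, message) == plaintext,
        "ciphertext_differs": plaintext not in message,
        "tamper_detected": tamper_detected,
        "wrong_key_detected": wrong_key_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The order of operations in `decrypt` is the point worth remembering: the tag is checked before any decryption happens, so a modified message never reaches the application, which is exactly the origin-and-integrity guarantee that encryption alone does not give.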
Crypto in EU legislation
Where can encryption requirements be found in European Union-level legislation?
General Data Protection Regulation (GDPR)
In the GDPR, encryption plays a double role. Under its Article 32, encryption and pseudonymisation of personal data are listed as appropriate measures to ensure the security of processing. Of course, controllers and processors are required to adopt measures taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons. Effectively, this means that the higher the risk (for example, when processing credit card information or healthcare records), the stronger the cryptographic measures expected. On the other hand, as we explained in a previous blogpost, encrypted data could under certain circumstances fall outside the definition of ‘personal data’, and therefore outside the scope of the GDPR. However, considering that public encryption keys could sometimes be considered personal data (see the paper, and the blogpost on the subject), the GDPR’s potential applicability must be carefully considered case by case when dealing with encrypted data.
ePrivacy Directive and proposal for the new ePrivacy Regulation
The so-called ePrivacy Directive (more formally, the Directive on privacy and electronic communications) also provides for security measures to protect personal data and metadata processed in publicly available electronic communications services. However, while its Recital 20 explicitly mentions encryption, its Article 4 refers to security measures in general. Similar provisions can be found in the proposal for a new ePrivacy Regulation.
Telecommunications code
In the recently adopted European Electronic Communications Code, which divides the competence between the EU and the member states for regulating public telecoms, Article 40 requires member states (as opposed to private actors under the GDPR and ePrivacy legislation) to ensure that providers of public networks and services take appropriate technical and organisational security measures. Moreover, Recital 97 strongly endorses the use of encryption, including end-to-end encryption, in order to facilitate compliance with the principles of security and privacy by design and by default.
Military use of cryptography
The military also uses cryptographic products, the most famous example being the Enigma cipher machine of WWII. Cryptographic products are subject to export restrictions under the EU dual-use regulation and the Wassenaar Arrangement (see the Commission website). Since this is a topic whose intricacies would require much more screen space, it will not be covered in this blogpost.
Trouble in paradise?
Some governments still restrict the use of cryptography, or weaken it on purpose. Usually, this is done in the name of investigating serious crime or terrorism, or of protecting domestic cryptographic industries, for example in China. Another example is new legislation in Australia, the Assistance and Access Act, which allows the government to issue secret notices requiring providers to build in access capabilities. By order of the government, systemic vulnerabilities could be introduced into the product design, which would then enable government agencies to decrypt and access data on the device. The penalty for disclosing the notice’s existence is imprisonment.
In the US, the FBI fears ‘going dark’ (the term made famous by James Comey’s 2014 speech): effectively, it fears that if criminals use encryption to pass messages to each other, detection of serious crime or terrorist activities will become impossible. However, as cryptographic research has shown, weakening encryption for specific cases like these weakens cybersecurity as a whole, because a deliberately introduced access mechanism cannot be restricted to one authorised user. Effectively, weakening encryption exposes everyone to government surveillance and to cyberattacks (see e.g. Kerr, Schneier; Landau 2017), while the content of intercepted or decrypted communications does not contribute significantly to the investigation process (Landau 1998). The issue was discussed in the last presidential election, but seems to have quietened down under the new administration.
On our side of the Atlantic, the European Commission is exploring alternative means of access to encrypted evidence, even though it’s not quite clear what kind of measures are foreseen in practice (see the Commission’s Eleventh Progress Report on Security Union).
In any case, legal developments in the field of cryptography require strict oversight in the future in order to ensure that cybersecurity, privacy and law enforcement interests are carefully balanced.