EU Council urged: Get internet giants to hand-over encryption keys

News by Doug Drinkwater

The European Council is being encouraged to consult with internet companies to find a way around encryption in order to stop terrorists. But, at the same time, the EU Parliament continues to review how NSA's spying impacts upon the privacy of citizens.

In a leaked meeting document which came to light late on Friday, the EU Counter-Terrorism Coordinator, Gilles de Kerchove, detailed Europe's “unprecedented, diverse and serious terrorist threat”, highlighting last month's Charlie Hebdo attacks in Paris as one recent example.

Addressing the Council's Standing Committee on Internal Security (COSI) ahead of the meeting between Justice and Home Affairs ministers in Riga, Latvia on 29 January, the EU CTC detailed everything from the prevention of radicalisation on the internet and the engagement of internet companies, to the removal of illicit content and the need for information sharing between member states. 

It also proposed a new anti-terrorism unit, the European Counter-terrorism Centre, which would potentially be based at Europol, along with the European Cybercrime Centre (EC3).

But it was on encryption where the EU CTC was most controversial, suggesting – as British Prime Minister David Cameron did earlier this year – that law enforcement must find ways around encryption.

“Since the Snowden revelations, internet and telecommunications companies have started to use often de-centralised encryption which increasingly makes lawful interception by the relevant national authorities technically difficult or even impossible,” the meeting document reads on page 10.

“The Commission should be invited to explore rules obliging internet and telecommunications companies operating in the EU to provide (keys) under certain conditions as set out in the relevant national laws and in full compliance with fundamental rights access of the relevant national authorities, to communications (ie share encryption keys).” This news came only days after it was claimed that GCHQ had obtained private encryption keys after hacking Gemalto's internal networks.

It is perhaps unsurprising then that the EU CTC also calls for a deeper relationship between the EU and internet companies as well as the EU and the US in general. The US – and Silicon Valley – is at the forefront of technology innovation, after all.

“The Commission should deepen the engagement with the internet companies. The Forum, with representatives from the EU institutions, Member States and industry counterparts to discuss terrorism in full compliance with human rights, should be set up quickly. The Forum could also explore joint training and workshops for representatives of the law enforcement authorities, internet industry and civil society.

“A dialogue with the internet companies is necessary at both EU and at international level. In this context, further cooperation with the US could be explored. Working with the main players in the internet industry is the best way to limit the circulation of terrorist material online.”

The report goes onto note that law enforcement - such as Europol – should have a greater role in flagging illegal content, something which has traditionally been left to commercial enterprises such as Twitter and Facebook. CTC suggests Europol's own 'Check the Web' project should be ‘beefed up' for monitoring social media communications.

“Member States should implement all measures that may be helpful with respect to the sharing of information on the different forms of the threat, notably foreign terrorist fighters, on knowledge of their movements, and the support they receive, wherever they are, with a view to improving the effectiveness of the fight against these phenomena.

“To that end, Member States should use fully the resources of Europol, Eurojust and Interpol, as well as consider other measures."

Meanwhile, at the same time, the EU Parliament has issued a working document as a follow-up to the LIBE Enquiry on Electronic Mass Surveillance of EU Citizens. This document attempts to detail how the widespread spying impacted citizens.

“The tension between law enforcement agencies wanting to circumvent traffic encryption and concerns over mass and indiscriminate surveillance is exemplified by this massive difference of opinion between two institutions of the European Union,” Jon Baines, chairman of NAPDO (National Association of Data Protection and Freedom of Information Officers), told

“The Council of Ministers want ISPs to be forced to share encryption keys, at the same time as the LIBE Committee of the European Parliament notes a catalogue of privacy-invasive events at odds with the principles of the "European Digital Habeas Corpus".

“No one says the institutions of the European Union always have to agree, but people can hardly be blamed for being a bit confused about where priorities lie."

Rafael Laguna, CEO of German open-source company Open-Xchange, added in an email to SC that encryption is essential in protecting privacy.

“That organisations like the NSA, GCHQ and the EU are so concerned about encryption demonstrates how effective it is as a means of protecting the right to privacy,” he told us. “The reality is that even if the EU was successful in forcing all service providers to hand over encryption keys, there would still be nothing to prevent users from employing their own methods for message content encryption, such as PGP, that service providers would be unable to decrypt in any case.”

He added: “There has been almost no acts of terrorism carried out in the last decade by people not already known to authorities. It would suggest that intelligence services would be better served by making the most of the wealth of information already available to them than looking to create an ever growing mountain of data by having access to all our communication.”

A spokesman for the European Council confirmed that the meeting took place on 20 January, but was just a proposal and wasn't heard in full during the ministers meeting. The spokesman said that the EU was looking at other matters a result, such as illegal content on social media platforms.

Future legislation on encryption, said the spokesman, “may be decided in the future at an EU-level” but “is not something that will be enacted tomorrow.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews