The European Data Protection Supervisor (EDPS) Giovanni Buttarelli has been making headlines to reaffirm his pro-privacy anti-backdoor standpoint. To clarify, Buttarelli is of the opinion that “privacy versus security” is a contradiction in terms.
Buttarelli insists that there should never be a case where cyber-security protection measures are used (or indeed, misused) to justify measures that weaken the data protection rights of individuals.
A new paper, entitled Preliminary EDPS Opinion on the review of the ePrivacy Directive, has been published this July to express extended views on areas including ePrivacy. Buttarelli and team have said that a new legal framework for ePrivacy is required, one which is smarter, clearer and stronger.
Essentially, the assertion is that we need more clarity but also better enforcement.
“The scope of the new legal framework must be extended. This is to take account of technological and societal changes and to ensure that individuals be afforded the same level of protection for all functionally equivalent services, irrespective [of how] they are provided,” reads the summary.
No backdoors for Buttarelli
The EDPS has called for new rules that clearly allow users to use end-to-end encryption, without 'backdoors', to protect their electronic communications. Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited, they say. New rules should also unambiguously continue to cover machine-to-machine communications in the context of the Internet of Things.
Jacob Ginsberg, senior director at Echoworx (an end-to-end encryption company) told SCMagazineUK.com, “Compared to some of the other rhetoric coming out of politicians in the UK, US, Brazil and too many other countries, Buttarelli's comments are music to security providers' ears.”
Ginsberg said that with technology providers such as Apple and Google digging their heels in and resisting the implementation of backdoors into their technology, it's encouraging to see the European Data Protection Supervisor follow suit.
“However, it's unfortunate that Buttarelli's comments are not more widely supported, as a government official acknowledging that security and specifically encryption, are a necessary component of today's digital economy,” he added.
Me no want cookie
Also of note here, EDPS insists that there should be an end to 'cookie walls', ie, the stipulation that users accept cookies as an inherent and implied behavioural aspect of using any individual website. Beyond a clear set of exceptions, such as first-party analytics, no communications should be subject to tracking and monitoring without freely given consent, whether by cookies, device-fingerprinting or other technological means, said Buttarelli and team.
Darran Rolls, CTO at identity and access management (IAM) provider SailPoint, said the trade-off between consumer privacy and combating the evolving threat to public safety is a huge challenge for organisations.
Rolls insists that this is particularly significant in light of the increasing demand from security services to view encrypted consumer messages as part of their endeavour to ensure national security.
“Rather than changing existing procedures and protocols in order to open up a revolving backdoor, organisations and governments worldwide need to focus on strengthening the protection they offer to the consumer, through greater encryption,” said SailPoint's Rolls.
The full paper on this topic is downloadable/viewable at the above shown link and here.