ProtonBlog(new window)
An illustration of the EU anti-encryption proposal.

EU’s resolution on encryption foreshadows likely anti-encryption push

Share this page

On Dec. 14, 2020, the Council of the European Union, which is made up of government ministers from the 27 EU member countries, released a vague, five-page resolution that calls for new rules to govern the use of encryption in Europe.

The resolution, titled “The Council Resolution on Encryption(new window),” is non-binding and does not provide any specifics for new laws or regulations and, on the surface, seems fairly innocuous. But it represents a significant shift in tone and puts pressure on the European Commission to propose anti-encryption legislation in the near future.  

This resolution justifies the need for new rules on encryption by stating, “law enforcement is increasingly dependent on access to electronic evidence to effectively fight terrorism, organized crime, child sexual abuse (particularly its online aspects).” It calls on tech companies to find technical ways to bypass encryption so that police and security agencies can quickly access a suspect’s messages or device.

Something must be done to address the blight of pedophiles and terrorists coordinating online, but weakening encryption is not the solution. Pressuring widely used services, like WhatsApp or Proton Mail, to have a backdoor in their encryption would not prevent criminals from creating their own encryption services, as happened in 2019 when it was discovered that drug traffickers had started their own company(new window) adding aftermarket encryption to Android smartphones. Tackling these issues requires increased funding for law enforcement agencies and the adoption of more effective policing policies. 

Not only does weakening encryption fail to address these issues, it is counterproductive. The “technical solutions” this resolution calls for would instead put citizens’ private data at risk, reduce the overall security of the internet, and enable potential government mass surveillance.

What does the resolution say?

This resolution may be non-binding and diplomatically worded, but it is still an attack on encryption. This is not the first time the EU has considered anti-encryption legislation, but previous attempts in 2015(new window) and 2016(new window) floundered in the face of protests by tech companies, academics, and everyday people. This time, the Council of the EU appears to be taking a more subtle approach. There are no clear proposals for how encryption should be treated in this proposal. Instead, it calls for a new legal framework and technical solutions to allow competent authorities to access data in a lawful manner. 

While the resolution does not once mention the word “backdoor,” the “technical and operational solutions” it calls for to provide access to encrypted data are backdoors in all but name. According to the resolution, any technical solution would have to preserve encryption’s security and uphold fundamental human rights. Unfortunately, as appealing as it might sound in theory, there’s simply no way to have it both ways in practice. Once a vulnerability has been built into an encryption system, it is no longer secure. We have made this argument many times, but it continues to be true: There is no such thing as a backdoor that only lets the good guys in

This inconvenient fact also undermines the resolution’s promise that EU authorities will transparently cooperate with tech companies to develop these technical solutions. Security and privacy companies would never accept willingly weakening their technology; Proton certainly wouldn’t. Therefore, it seems more likely that cooperation will someday become coercion. 

If the EU does force tech companies to develop ways to break through their encryption, hackers will not rest until they have discovered and exploited these new vulnerabilities. This has already happened: a group known as the Shadow Brokers(new window) stole zero-day (previously undiscovered) hacks for Windows and the SWIFT international banking system from the NSA. More recently, the cybersecurity firm FireEye was breached(new window), and its tools have been used in hacks.

Therefore, if implemented, this resolution poses a substantial risk to privacy and security, endangers human rights around the world, sets a dangerous precedent, and fundamentally undermines many core European values. 

Does this resolution affect Proton?

This resolution is non-binding. On its own, it does not change the current EU framework but rather points the direction the EU may take in the future. Proton Mail is also protected by Swiss jurisdiction (Switzerland is not a member of the EU). Any request for us to develop a backdoor to Proton Mail under this hypothetical anti-encryption law would need to pass the scrutiny of Switzerland’s strict criminal procedure and data protection laws.

However, as an organization dedicated to protecting the fundamental human right of privacy, we condemn this resolution and the direction the EU seems to be taking. Encryption is a powerful tool to protect privacy, but for the right to privacy to be safe, it must be enshrined in strong privacy laws.

Encryption makes us all safer

The fact the EU seems likely to consider legislation that will backdoor end-to-end encryption is a distressing development for the global state of privacy. Until recently, the EU had been a leader in promoting services, tools, and legislation that protect the privacy of its citizens, but it now risks losing its reputation as a jurisdiction that takes privacy seriously. If the EU continues to go down the path laid out by this proposal, it will be the latest democratic institution to try to undermine its citizens’ privacy, joining Australia(new window), the UK(new window), and the US(new window).

After this past year, policymakers should be pushing for stronger encryption, not backdoors. The Covid-19 pandemic accelerated our society’s shift online, meaning billions of people worldwide now rely on the internet for work, entertainment, and communication. If the internet’s encryption is weakened, it will become easier for hackers to monitor private conversations or steal financial information, which could bring the internet — and the global economy — to a halt.

Encryption helps ordinary citizens preserve their right to privacy in the face of surveillance capitalism, governmental intrusion, and cybercrime. Given that privacy is a requirement for democratic self-government, strong encryption is also essential to a functioning democracy, especially in an age when so much business and communications are conducted online.

As the Council of the EU itself admits in this resolution, “Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry, and society.” We call on the EU to halt its move toward anti-encryption legislation and return to providing strong legal privacy protections. 

What you can do

If this resolution concerns you, you can sign up for a free email account(new window) with Proton Mail, which is outside the jurisdiction of any potential EU law. This account will also give you access to the free version of Proton VPN(new window), which you can use to encrypt your online browsing.

You can also help by sharing this article in order to raise awareness about this issue. If you are a European who is worried about your right to privacy, you should call or write to your MEP and tell them you are against the Council Resolution on Encryption. By voicing your support for strong encryption, you are fighting for an internet that is secure, private, and free.

UPDATE Jan. 27, 2021: We were not the only European-based end-to-end encrypted service that was alarmed by the EU’s sudden shift against privacy. Along with Threema, Tresorit, and Tutanota, we released a joint statement(new window) calling on the EU to rethink any attacks on end-to-end encryption.

Protect your privacy with Proton
Create a free account

Share this page

Richie Koch(new window)

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

Related articles

Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail
what is a digital footprint
What you do online isn’t private. Everything you do leaves behind some kind of mark. This trail is often referred to as a digital footprint, and it’s used to track you in many different ways. In this article, we go over what a digital footprint is, h
In February 2024, media reported that Indian authorities may decide to block Proton Mail. Proton Mail is still available in India despite any reports suggesting otherwise.  In response to hoax bomb threats that were sent through Proton Mail, some me