Jakubowska, who reviewed the document, says that several countries appear to say they would give police access to people’s encrypted messages and communications. Comments from Cyprus, for example, say it is “necessary” that law enforcement authorities have the ability to access encrypted communications to investigate online sexual abuse crimes and that the “impact of this regulation is significant because it will set a precedent for other sectors in the future.” Similarly, officials in Hungary say “new methods of data interception and access are needed” to help law enforcement.
“Cyprus, Hungary, and Spain very clearly see this law as their opportunity to get inside encryption to undermine encrypted communications, and that to me is huge,” Jakubowska says. “They are seeing this law is going far beyond what DG home is claiming that it’s there for.”
Officials in Belgium said in the document that they believe in the motto “security through encryption and despite encryption.” When approached by WIRED, a spokesperson from Belgium’s Ministry of Foreign Affairs initially shared a statement from the country’s federal police saying its position has evolved since it submitted comments for the document and that Belgium is adopting a position, alongside other “like-minded states,” that it wants encryption weakened. However, half an hour later, the spokesperson attempted to retract the statement, saying the country declined to comment.
Security experts have long said that any potential backdoors into encrypted communications or ways to decrypt services would undermine the overall security of the encryption. If law enforcement officials have a way to decipher messages, criminal hackers or those working on behalf of governments could exploit the same capabilities.
Despite the potential attack on encryption from some countries, many nations also appeared to strongly support end-to-end encryption and the protections it provides. Italy described the proposal for a new system as disproportionate. “It would represent a generalized control on all the encrypted correspondence sent through the web,” the country’s representatives said. Estonia cautioned that if the EU mandates the scanning of end-to-end encrypted messages, companies are likely to either redesign their systems so they can decrypt data or shut down in the EU. Triin Oppi, a spokesperson for Estonia’s Ministry of Foreign Affairs, says the country’s position had not changed.
Finland urged the EU Commission to provide more information about the technologies that can fight child sexual abuse without jeopardizing online security and warned that the proposal could conflict with the Finnish constitution.
Representatives from Germany—a country that has staunchly opposed the proposal—said the draft law needs to explicitly state that no technologies will be used that disrupt, circumvent, or modify encryption. “This means that the draft text must be revised before Germany can accept it,” the country said. Member states need to agree on the text for the draft bill before the negotiations can move forward.
“The responses from countries such as Finland, Estonia, and Germany demonstrate a more comprehensive understanding of the stakes in the CSA regulation discussions,” Stanford’s Pfefferkorn says. “The regulation will not only affect criminal investigations for a specific set of offenses; it affects governments’ own data security, national security, and the privacy and data protection rights of their citizens, as well as innovation and economic development.”