
Summary

At the European Union (EU) level, there is no requirement that keys to encrypted materials be disclosed to law enforcement authorities, or that companies decrypt communications in response to a government request. A 2001 nonbinding resolution merely calls upon the Member States in cooperation with telecommunications companies to take into consideration the operational needs of law enforcement authorities when data are encrypted. Electronic surveillance is regulated at the EU Member State level.

The EU agencies dealing with security, terrorism, cybercrime, and organized crime have not reached consensus on access to encryption by law enforcement authorities. The EU’s cybersecurity agency, the European Union Agency for Network and Information (ENISA), is against creating backdoors in encryption products, whereas the EU Counter-Terrorism Coordinator believes the Commission should contemplate introducing legislation on this matter. In a similar vein, the EU’s law enforcement agency, Europol, favors enacting legislation on disclosure as the only practical solution for handling encryption when the keys are held by individual users.

I. Introduction

The European Union (EU) and its Member States share competence in enacting legislation to combat serious crime, including terrorism and organized crime, and to reinforce cooperation between police and judicial authorities to protect people in the EU, while at the same time ensuring compliance with EU rules on personal data protection and privacy.[1] Electronic surveillance conducted by national law enforcement authorities to detect and investigate crimes, and the parallel cooperation of telecommunications and Internet service providers to allow access, are regulated at the Member State level.[2] The Paris and Brussels terrorist attacks reignited the debate across Europe over whether to expand monitoring by law enforcement authorities in light of concerns about potential violations of the privacy and personal data of individuals. A number of Member States have shown a keen interest in granting their law enforcement authorities greater access to personal data.[3]


II. Legal Framework

At the EU level, two measures deal with access to personal data by law enforcement authorities: a 2001 nonbinding Resolution [4] establishing guidelines concerning cooperation between law enforcement authorities and the telecommunications industry, and the Authorization Directive (2002/20/EC), which, inter alia, makes lawful interception by law enforcement authorities a condition for granting electronic networks and services the authority to operate.[5]

The 2001 Resolution on Law Enforcement Operational Needs with Respect to Public Telecommunication Networks and Services,[6] like its predecessor Resolution adopted in 1995 on the Lawful Interception of Telecommunications,[7] contains in the Annex a detailed list of the operational needs of law enforcement authorities.[8] The Resolution calls upon the EU Member States to cooperate with communications service providers and to take into account law enforcement operational needs in the development and implementation of any measures concerning legally authorized forms of interception of telecommunications.[9] It is at the discretion of the Member States to adopt legislation requiring telecommunications industries to decrypt materials.

The Resolution, which contains language specific to encrypted materials, calls on the Member States to provide that,

[i]f network operators/service providers initiate encoding, compression or encryption of telecommunications traffic, law enforcement agencies require the network operators/service providers to provide intercepted communications en clair [in a readable format].[10]

Directive 2002/20/EC contains a number of conditions that may be attached to the general authorization for providing electronic communications networks or services,[11] among them the “[e]nabling of legal interception by competent national authorities in conformity with Directive 97/66/EC and Directive 95/46/EC . . . on the protection of individuals with regard to the processing of personal data and on the free movement of such data.”[12]


III. Encryption

Currently, the EU does not require that keys to encrypted material be disclosed to law enforcement authorities or require companies to decrypt encrypted communications on request of a government, nor have its critical agencies on cybersecurity, organized crime, and terrorism reached a clear and uniform position on this issue.

A. Europol

The 2015 Internet Organised Crime Threat Assessment (IOCTA) prepared by Europol, the EU’s law enforcement agency, estimates that more than three-quarters of cybercrime investigations in the EU confront the use of some form of encryption to protect data and avoid interception. Both TrueCrypt and BitLocker are commonly and increasingly encountered, despite the cessation of TrueCrypt’s development in May 2014. Almost half of all Member States also noted an increased use of encrypted email, typically through PGP (Pretty Good Privacy) software.[13]

The IOCTA explored various options in its debate on encryption, such as using “key escrow” systems, using weakened encryption, or introducing legislation on the mandatory disclosure of encryption keys. It concluded that legislation was the only practical solution for handling encryption, especially in instances where the keys are held by individual users.[14]

In addition, the IOCTA made the following two specific recommendations:

  • Law enforcement would benefit from a central database of VPN [Virtual Private Network] and proxy services used by cybercriminals to determine if any are suitable for either information exchange with law enforcement or intervention if criminal in nature.

  • Legislators and policy makers, including industry representatives and academia, must implement a workable solution to the issue of encryption which allows legitimate users to protect their privacy and property without severely compromising government and law enforcement’s ability to investigate criminal or national security threats.[15]

Regarding the enactment of “obligation to disclose” laws, which would oblige individuals to disclose their encryption keys or be subject to a criminal penalty, the IOCTA noted that “this tends to be effective only when data remains on the suspect/criminal’s computer. If the keys are transient, especially if they are system generated, it can be practically impossible to recover these.”[16]

Finally, the Director of Europol, Rob Wainwright, declared that encrypted communications are the biggest obstacle to monitoring terrorists’ actions, adding that “there is a significant capability gap that has to change if we’re serious about ensuring the internet isn’t abused and effectively enhancing the terrorist threat.”[17]

B. EU Cybersecurity Agency

On March 26, 2016, the EU’s cybersecurity agency, the European Union Agency for Network and Information (ENISA), declared that it is against forcing Internet and telecommunications companies to create backdoors for authorities to unlock encrypted messages. ENISA’s director, Udo Helmbrecht, pointed out that the EU has sufficient legislation on information sharing among the national intelligence agencies of the Member States, and emphasized that available information is not used sufficiently and effectively.[18]

C. EU Counter-Terrorism Coordinator

The EU Counter-Terrorism Coordinator, Gilles de Kerchoven, in a 2015 document addressed to EU Justice and Home Affairs Ministers, expressed the view that the European Commission “should be invited to explore rules obliging internet and telecommunications companies operating in the EU to provide . . . access of the relevant national authorities to communications (i.e. share encryption keys).”[19]

D. EU Internet Forum

In 2015, the Commission announced in its Communication on Security Agenda the creation of an IT forum where Europe’s major IT companies would be invited to discuss a number of concerns, including “deploying the best tools to counter terrorist propaganda on the internet and in social networks” and “the concerns of law enforcement authorities on new encryption technologies.”[20] The EU Internet Forum was established on December 3, 2015, through the joint efforts of Dimitris Avramopoulos, the EU Commissioner for Migration, Home Affairs and Citizenship, and Věra Jourová, the Commissioner for Justice, Consumer and Gender Equality.[21]


IV. Conclusion

Currently, there is no EU legislation that requires tech companies to disclose the keys to encrypted materials to law enforcement authorities, or to decrypt communications upon the request of a government.


Prepared by Theresa Papademetriou
Senior Foreign Law Specialist
May 2016


[1] Consolidated Version of the Treaty on European Union art. 3, para. 2, 2012 Official Journal of the European Union [O.J.] (C 326) 13, updated version available at http://data.consilium.europa.eu/doc/document/ST-6655-2008-REV-8/en/pdf, archived at https://perma.cc/7Z7R-5RQ4.

[2] Consolidated Version of the Treaty on the Functioning of the European Union art. 4, para. 2(J), 2012 O.J. (C 326) 47, updated version available at http://data.consilium.europa.eu/doc/document/ST-6655-2008-REV-8/en/pdf, archived at https://perma.cc/7Z7R-5RQ4.

[3] Patrick Howell O’Neill, Dutch Government Backs Strong Encryption, Condemns Backdoors, The Daily Dot (Jan. 4, 2016), http://www.dailydot.com/politics/dutch-encryption-cabinet-backdoor, archived at https://perma.cc/CTR7-C7GK; Thorsten Benner & Mirko Hohmann, How Europe Can Get Encryption Right, Politico (Apr. 13, 2016), http://www.politico.eu/article/how-europe-can-get-encryption-right-data-protection-privacy-counter-terrorism-technology, archived at https://perma.cc/9N7W-786H; see also Paul Hockenos, Europe Considers Surveillance Expansion After Deadly Attacks, The Intercept (Jan. 20, 2015), https://theintercept.com/2015/01/20/europe-considers-surveillance-expansion, archived at https://perma.cc/6VHP-WLGP.

[4] Resolutions adopted by EU institutions are non-binding and are published in the “C” series of the Official Journal (O.J.) of the EU rather than in the “L” series of the O.J. where all legislation is published. Legislation, EUR-Lex, http://eur-lex.europa.eu/collection/eu-law/legislation/recent.html (last visited Apr. 21, 2016), archived at https://perma.cc/P2FA-NXZW.

[5] Directive 2002/20/EC of the European Parliament and of the Council of 7 March 2002 on the Authorization of Electronic Communications and Services (Authorization Directive), 2002 O.J. (L 108) 21, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:108:0021:0032:EN:PDF, archived at https://perma.cc/V49P-2RDA.

[6] Council of the European Union, Council Resolution on Law Enforcement Operational Needs with Respect to Public Telecommunication Networks and Services, June 20, 2001, available at http://www.statewatch.org/news/2001/sep/9194.pdf, archived at https://perma.cc/66XC-ZP3R. This Council Resolution was not published in the Official Journal.

[7] Council Resolution of 17 January 1995 on the Lawful Interception of Telecommunications, 1996 O.J. (C 329) 1, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31996G1104:EN:HTML, archived at https://perma.cc/QRY9-VXAU.

[8] Council Resolution, supra note 6.

[9] Id., Annex.

[10] Id., Annex, para. 3.3.

[11] Directive 2002/20/EC, supra note 5, art. 6, para. 1.

[12] Id., Annex(A), para. 11.

[13] Europol, The Internet Organised Crime Threat Assessment (IOCTA) 2015, at 50, available at http://statewatch.org/news/2015/oct/eu-europol-iocta-2015.pdf, archived at https://perma.cc/CPA4-58W3.

[14] Id. at 69.

[15] Id. at 51.

[16] Id. at 69.

[17] Europol Chief Warns on Computer Encryption, BBC (Mar. 29, 2015), http://www.bbc.com/news/technology-32087919, archived at https://perma.cc/Q9FQ-JL55.

[18] Catherine Stupp, EU Cybersecurity Agency Slams Calls for Encryption Backdoors, EurActiv (Mar. 30, 2016), http://www.euractiv.com/section/digital/news/eu-cybersecurity-agency-slams-calls-for-encryption-backdoors, archived at https://perma.cc/K9U3-NRFW.

[19] Council of the European Union, General Secretariat, EU CTC Input for the Preparation of the Informal Meeting of Justice and Home Affairs Ministers in Riga on 29 January 2015, DS1035/15 (Jan. 17, 2015), available at http://www.statewatch.org/news/2015/jan/eu-council-ct-ds-1035-15.pdf, archived at https://perma.cc/XA4T-CF2B.

[20] European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: The European Agenda on Security, at 13–14, COM (2015) 185 final (Apr. 28, 2015), http://ec.europa.eu/dgs/home-affairs/e-library/documents/basic-documents/docs/eu_agenda_on_security_en.pdf, archived at https://perma.cc/9NXB-SHLK.

[21] European Commission Press Release IP/15/6243, EU Internet Forum: Bringing Together Governments, Europol and Technology Companies to Counter Terrorist Content and Hate Speech Online (Dec. 3, 2015), http://europa.eu/rapid/press-release_IP-15-6243_el.htm, archived at https://perma.cc/H225-L5CQ.


Last Updated: 10/01/2016