Proposals of the High-Level Group on “access to data for effective law enforcement” threaten the fundamental rights of European citizens

Civil society organisations, including European Digital Rights (EDRi), Privacy International and Statewatch, have submitted written comments (hereinafter ‘the Comments’) on the work of the High-Level Group (HLG) on “access to data for effective law enforcement”.

The HLG was set up to allegedly find solutions to law enforcement’s ‘modern challenges’ in the digital era. The HLG identifies three reasons for data not being available: data is not stored/retained, data is encrypted, and data is not released by the service provider. It proposes more access for law enforcement. The civil society organisations, hereinafter ‘the NGOs’, have commented on the HLG documents.

The comments

The NGOs are critical of the HLG’s presumption that increased data access (transparency) is in itself an objective of general interest, and that the current situation systematically prevents law enforcement authorities from carrying out their tasks [1]. They explain that people have to protect themselves against data-hungry companies [2]:

With the pervasive use of online services and smartphones, and the predominant business model of surveillance capitalism which leads to massive data collection for commercial purposes (e.g. behavioural advertising and training large AI models), law enforcement is literally enjoying a golden age of surveillance with access to more data about European citizens than ever before. Before mobile phones became ubiquitous, people didn’t carry electronic devices which allow law enforcement to track the physical movement, social networks, preferences and habits of everyone. This, by itself, should call into question the necessity of proposals for general and indiscriminate data retention or restrictions on encryption. Such measures constitute particularly serious interferences with the fundamental right to privacy and data protection, as well as other fundamental rights, and they generally fail to meet the legal requirements for necessity and proportionality in Article 52(1) of the Charter of Fundamental Rights.

The basics of privacy are explained by the NGOs:

We agree, however, that the contrast between privacy and security is wrong given that both people’s privacy and security are attacked when digital infrastructures are undermined. Enjoying our right to privacy online allows us to do our jobs, organise, exercise our free expression and hold power to account while remaining safe from arbitrary intrusion, persecution or repression.

The NGOs understand the wish of law enforcement to take advantage of the treasure trove of information about individuals which did not exist fifteen years ago. They stress the importance of not granting unfettered surveillance powers to law enforcement authorities; all intrusive investigative measures must be subjected to public scrutiny for an assessment of their necessity and proportionality. They comment that there is currently no adequate protection in the EU against law enforcement accessing mobile devices.

Encryption backdoors
According to the NGOs, the HLG proposes solutions that in practice mean that encryption backdoors should enable access to the device by law enforcement. They point out that it is technically impossible for manufacturers to design an encryption backdoor for a specific actor without creating a substantial risk that the same backdoor will be abused by others.

Data retention
Law enforcement is interested in the data held by providers of electronic communications services, even though the European Charter prohibits general and indiscriminate retention obligations for the purpose of combating serious crime, with some limited exceptions. Ten years after the annulment of the relevant directive in April 2014, the national data retention laws are still in place in the majority of Member States [3].
The HLG documents reveal an interest in extending data retention laws to OTT (over-the-top) providers like WhatsApp and Signal. The NGOs are of the opinion that law enforcement already has a lot of information sources and does not need the information from OTT providers.

Real time access to data in transit
The third subject is real-time access to data in transit. Due to the lack of encryption, traditional telephone communications can be intercepted by parties other than law enforcement authorities. In today’s cybersecurity threat landscape, traditional telephone services must be regarded as insecure and highly vulnerable to unlawful surveillance.
Considering this, it is only logical that interpersonal communications are rapidly moving from traditional telephone services to OTT apps. E2EE is probably the most effective way to protect our electronic data and offers the best security for individuals, the NGOs write. It protects against commercial surveillance by the service provider, unlawful surveillance by governments and cyberattacks against the provider’s server infrastructure [4].

Here the same problems apply as with encryption and access to the device. A backdoor will be abused by malicious actors, and [5]:

There is general agreement among scientific researchers and cybersecurity practitioners that it is simply not technically possible to build a backdoor which will only be used by “the good guys”. (…)

In other words, an encryption backdoor to allow targeted surveillance by law enforcement comes at the heavy price of undermining the cybersecurity of all individuals and making them vulnerable to unlawful surveillance and other abuse. (…)

Relegating the responsibility to private companies may appear as an attractive solution for policymakers who do not know how to solve the problem (because no solution exists). However, it is not an acceptable solution because service providers are left with the choices of either undermining the security of their systems for all users or refusing to comply with the legislation requiring backdoors.

The HLG documents show that the HLG has not come to this realisation. It also ignores the discussions around chat control / ‘Client-Side Scanning’ (CSS).

Safeguards
The civil society organisations advocate a system with safeguards for every citizen, where their digital security is not undermined.

Undemocratic process

In EDRi’s article on their site the process is criticized:

This contribution follows from EDRi’s participation in a public consultation organised by the European Commission, which in no way constituted a genuine and meaningful engagement with civil society. We already pointed out that the HLG process does not meet the European Union (EU) standards of transparency, fairness and accountability, given its work behind closed doors and the persistent secrecy kept around its members and participants. In that regard, we still have not received any official reply from the HLG co-chairs to the letter we sent on 15 January 2024 calling for greater transparency and participation of all stakeholders. 

EDRi’s written contribution does not amount to a tacit agreement with the objectives of the HLG. What it does instead is to point to the narrow political agenda of the HLG which focuses on law enforcement interests solely. In particular, how law enforcement can get more access to data, without proper regard for the fundamental rights implications of the suggested solutions.

This one-sided approach might lead to poorly designed and non-future-proof legislation, such as the Data Retention Directive annulled by the Court of Justice in 2014 and the Commission’s current CSA Regulation proposal. That’s why EDRi called for the dismantling of the HLG.

 

 

Notes:

[1] From the Comments, page 4: “In the discussions on data retention for the past two decades, governments have claimed that absence of general and indiscriminate data retention (mass surveillance) has a negative effect on law enforcement’s ability to combat crime. However, evidence to support this claim has never been presented. There is no measurable effect from data retention on crime rates or crime clearance rates in EU Member States”.
[2] Page 4 of the Comments.
[3] More information on pages 9 and 10 of the Comments.
[4] Page 13 of the Comments.
[5] Page 14 of the Comments.

 



Addition 27-4-2024
Europol: European Police Chiefs call for industry and governments to take action against end-to-end encryption roll-out. Citizens may not protect themselves from criminals, adtech companies and other unsavoury folk.

Addition 20 June 2024
Netzpolitik on 10 June: Going Dark: EU-Staaten wollen Zugriff auf verschlüsselte Daten und mehr Überwachung.


About Ellen Timmer

Weblog: https://ellentimmer.com/ ||| Microblog: https://mastodon.nl/@ellent ||| Motto: good intentions do not justify bad rules