ProtectEU Internal Security Strategy Seemingly Sets the Stage for Attack on EU Encryption
In a new strategy document titled ProtectEU, the European Commission says that it needs to provide more effective tools for law enforcement, including "lawful access to data."

The strategy first appeared in EU Commission President Ursula von der Leyen’s political guidelines for the 2024-2029 five-year period, where she announced a new “European Internal Security Strategy.” However, only recently did the Commission put out a fleshed-out document detailing what the strategy will entail.
The document covers many security proposals, including transforming InterPol into an agency more akin to the American FBI, and allocating more manpower to Frontex, the Union’s border and coast guard agency. Most concerning, though, the strategy seems to set the stage for yet another assault on end-to-end encryption.
“The Commission will prioritise an assessment of the impact of data retention rules at EU level and the preparation of a Technology Roadmap on encryption, to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data in a lawful manner, safeguarding cybersecurity and fundamental rights.”
— EU Commission President Ursula von der Leyen
Although the document adds the qualification that the goal is to access encrypted data while safeguarding existing privacy rights, this is a fairytale. Cryptography experts have long warned that creating any kind of system to bypass end-to-end encryption throws the door wide open to abuse.
Not only can this result in violations of civil liberties at the hands of law enforcement, it also creates an incredibly dangerous attack vector that can potentially be used by cybercriminals and other bad actors.
What makes this even more concerning is that traditionally, the European Union has been a defender of digital privacy rights — at least when compared to the admittedly low bar of other large countries like the U.S., China, Russia and the U.K.
Although EU data regulations like the GDPR are far from perfect, the EU has always seemed much more willing to put safeguards in place to protect people from surveillance and unwarranted data collection.
This most recent attack on encryption comes just weeks after the French legislative assembly struck down a controversial provision in its new drug trafficking law that would have required every secure messaging and email service to provide a backdoor into its encrypted data for law enforcement. It’s a bit of good news that might end up meaning little if French law gets outflanked by larger EU policy.
At the same time, the U.K. Home Office has been in a months-long battle with Apple over access to its client-side encryption service Advanced Data Protection (ADP), going so far as to remove encryption advice from government websites.
After the U.K. Home Office issued an order for Apple to provide a backdoor to the encryption, the tech giant pulled the ADP feature for British users, expressing its disappointment with the U.K. government and an intention to challenge the order in court.
It remains to be seen what an implementation of this new strategy might look like, but according to the document we can expect more details sometime next year when the Commission releases its “Technology Roadmap” on encryption.