This post is also available in: heעברית (Hebrew)

The Council of the European Union wants secure encryption and lawful data access. The organization has adopted a resolution calling for what they dub “security through encryption and security despite encryption”. In this resolution, the Council underlines its support for the development, implementation and use of strong encryption as a necessary means of protecting fundamental rights and the digital security of citizens, governments, industry and society. At the same time, the Council notes the need to ensure that competent law enforcement and judicial authorities are able to exercise their legal powers, both online and offline, to protect our societies and citizens.

In other words, it supports robust encryption whilst arguing that targeted, lawful access to encrypted data is essential in order that electronic evidence can be gathered (to “effectively” fight criminal activity such as terrorism, organised crime, child sexual abuse and other cybercrime and cyber-enabled crimes).

The resolution says that the “right balance” must be struck between these two facets, while also ensuring that core EU legal principles are taken into consideration — in order that “the principle of security through encryption and security despite encryption [can be] upheld in its entirety”, the resolution says, as cited by techcrunch.com.

The Council also characterizes it as “extremely important” that the privacy and security of comms through encryption is protected — whilst simultaneously “upholding the possibility for competent authorities in the area of security and criminal justice to lawfully access relevant data for legitimate, clearly defined purposes”.

“Technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality including protection of personal data by design and by default,” the Council goes on, defining what ‘lawful’ access means in this context (and in so doing making it abundantly clear that mandatory backdoors can’t apply; since they would be disproportionate, unnecessary, according to techcrunch.com).

“Possible solutions should be developed in a transparent manner in cooperation with national and international communication service providers and other relevant stakeholders,” the Council writes, apparently rejecting secret agreements between policymakers and tech providers to serve up the hoped-for ‘targeted and lawful’ access — unless they somehow want cooperation to be transparent to policymaker and industry stakeholders (and potentially also relevant academic researchers) but just not to the public/comms service users themselves.