Late last year, the French government was on the receiving end of a backlash when its law enforcement agencies proposed that Tor and public Wi-Fi should be banned. The government quickly retracted those proposals, saying it’s not going to do that, but now it’s coming back with a proposal that’s just as bad: banning strong encryption.
This time, the proposal is actually an amendment to the “Digital Republic” bill that was introduced in France’s lower house of Parliament by 18 politicians from the right-wing Republican party (former UMP). The whole bill will be debated this week along with over 400 amendments to it.
The amendment banning strong encryption requires “equipment manufacturers” to build in decryption capability, so that when law enforcement asks a manufacturer to decrypt a device, it is able to do so. This could be a response to recent moves by Apple and Google, which have made it so that only users can decrypt their devices, with their own passphrases or fingerprints.
The amendment was written with the idea that it would stop future attacks such as the recent one in Paris. However, soon after the attacks, it turned out that the Paris attackers used unencrypted SMS and phone calls, and some of them were even known to the authorities as extremists. Therefore, perhaps the reason the attacks couldn’t be stopped can be found elsewhere.
While France has been weakening civil liberties with new surveillance and censorship laws since even before the Charlie Hebdo attack, the Dutch government recently made public its support for encryption and at the same time committed half a million euros in donations to open source encryption libraries such as OpenSSL, PolarSSL and LibreSSL.
The European Commission’s Vice-President, Andrus Ansip, recently spoke against backdoors and the weakening of encryption, arguing that the EU needs strong data protection legislation and tools to protect users’ data.
A requirement to force companies to decrypt devices would mean those devices aren’t as well protected as they could be. When the data of millions of users is protected by a single entity, that entity becomes an important target for attackers, which makes the data more vulnerable to attacks. This is also why it’s better to have fingerprint data stored and encrypted locally on each individual device than in a centralized database, regardless of whether that database is held by a private company or a government.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.