After many debates on the issue of backdoors and end-to-end encryption in the U.S. and the European Union, Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), made it clear that all European Union citizens should be able to use end-to-end encryption with no backdoors.
Revising The ePrivacy Directive
Buttarelli is responsible for advising EU institutions on data protection legislation and how they can implement it properly. Giovanni reviewed the existing ePrivacy directive (passed in 2002) in a recent document and outlined how he believes the EU can revise and improve the ePrivacy Directive.
He began by calling for a new legal ePrivacy framework that’s smarter, stronger, and better enforced, so that the EU can guarantee that citizens’ communications are private, considering it’s a right enshrined in the Charter of Fundamental Rights of the European Union.
Buttarelli also believes that the General Data Protection Regulation (GDPR), which will soon unify the general privacy laws in the EU, should be complimented by a more specific and detailed ePrivacy framework. The new framework should bring stronger privacy safeguards online and clearer mechanisms for cooperation between law enforcement across EU member states.
Prohibiting Backdoors, Encouraging E2E Encryption
One example of how a new ePrivacy framework could extend the GDPR is by making it clear that EU citizens can use end-to-end encryption to protect their communications, and that it should prohibit backdoors in online services and electronic products.
“The new rules should also clearly allow users to use end-to-end encryption (without 'backdoors') to protect their electronic communications. Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited," said Giovanni Buttarelli, the European Data Protection Supervisor in a recently published document.
Buttarelli not only wants backdoors, compelled decryption, and abusive spying prohibited, but he also recommended to the European Commission (the EU executive body that also proposes laws to the European Parliament) to encourage the adoption of end-to-end encrypted communications wherever possible. He also wants the European Commission to support the development of new encryption standards.
Buttarelli added that the confidentiality of users’ communications should be protected on all publicly accessible networks, including mobile carriers’ networks and Wi-Fi networks operated by hospitals, universities, and by other public administrations.
The framework should even protect machine-to-machine communications, such as communications between IoT devices, because those communications often include user data. Also, protections such as HTTPS encryption and other authentication protocols can ensure that it’s harder for bad actors to infect the devices with malware.
Tracking Only With Consent
The European Union has always put great emphasis on consent for giving out personal data, although it hasn’t always properly implemented legislation surrounding it (case in point: the EU cookie law). However, the European Data Protection Supervisor believes that consent should play an even bigger role in future privacy frameworks.
For instance, Buttarelli believes there shouldn’t be any “cookie walls.” That means sites shouldn’t offer a “take it or leave it” approach to tracking their visitors with cookies. Most websites have adopted the approach in the past because the EU hasn’t done a good job at enforcing its “cookie law.”
That led many people to believe that the law was pointless because they couldn’t access the sites without accepting the cookies. Therefore, at best, the cookie acceptance prompt became a nuisance for websites served on EU territory, despite the good intentions behind it.
However, the EDPS believes that future privacy laws should allow only first-party analytics without consent, while all third-party tracking tools will require specific and genuine consent from the user before the site enables it.
If there’s also going to be better enforcement, then we may see fewer sites that only allow users to visit them after they’ve accepted all the tracking tools they’re throwing at them. Buttarelli also recommended that browsers or operating systems should allow users to revoke the given consent as well.
Right now, the ePrivacy Directive only covers unsolicited communications for “commercial purposes,” but not all spam can fit into that category. For instance, current legislation would not cover spam that is actually a phishing attack, a financial fraud attempt, or other criminal attempts. The European Data Protection Supervisor recommended an update to ePrivacy Direct to include all types of unsolicited communications.