Laws on encryption backdoors around the world

Encryption is a method of securing information. Thanks to encryption, text becomes ciphertext, which can only be read with a special decryption key. Modern algorithms use 256-bit keys and are virtually uncrackable — not even supercomputers can break them.

Encryption has become instrumental in everyday digital communication. Apps and services handle a lot of sensitive user data like passwords, banking credentials, private communications. These services widely employ encryption to protect user data from falling into the wrong hands.

A number of democratic governments claim that encryption interferes with effective law enforcement. They argue that criminals can use encryption to make digital evidence unreachable to authorities and protect themselves from criminal persecution. They suggest creating secure backdoors, which would allow the authorities to bypass encryption when there’s a lawful reason to do so.

While the need for effective law enforcement is understandable, there is no such thing as a secure backdoor. Encryption backdoors would force service providers to corrupt their encryption algorithms — to deliberately implement vulnerabilities that law enforcement agencies could use.

Unfortunately, once a vulnerability is put in place, it can be used by other persons. That means a cybercriminal could discover the backdoor and use it to spy on unsuspecting targets and steal sensitive information. The practical effect of encryption backdoors would mean the end of unbreakable encryption.

The Assistance and Access (A&A) law

The law was adopted on December 9, 2018. The law aimed to provide police with more latitude to investigate criminals who use encrypted communications software.

Assessment of the Assistance and Access Act

• It’s an attack on digital security
• The law endangers the security of everyone who uses online services
• The law also significantly weakens privacy

The Australian Computer Society, a trade association for IT professionals, laid out the drawbacks of the law: “It is likely not possible to build in functions to get around encryption without building in systemic weakness or vulnerability into a given product or service. The current approach of the legislation exposes internet and private telecommunications users – business and personal alike – to the potential for very real risks to their privacy and reliability of these services.”¹

The Electronic Frontier Foundation (EFF) also criticized the law. EFF explained that Australia now claims the right to “secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers – to re-engineer software and hardware under their control, so that it can be used to spy on their users. Engineers can be penalized for refusing to comply with fines and prison; in Australia, even counseling a technologist to oppose these orders is a crime.”²

Digi, the Australian tech industry group, commented on the bill that would become the A&A law: “The Bill includes a specific safeguard that a Technical Assistance or Technical Capability Notice (collectively “Notices”) cannot require a service provider to build a systemic weakness or a systemic vulnerability into a form of electronic protection. However, a service provider can still be required to (i) provide assistance or build capabilities that impact the security of the service provider’s system, product or services in a non-systemic way, or (ii) to implement or build a systemic weakness or vulnerability into something other than “a form of electronic protection”. These requirements have potential to erode consumer trust and introduce weaknesses that malicious actors could exploit.”³

Surveillance Legislation Amendment (Identify and Disrupt) Bill

The bill was passed by the Senate of Australia on August 25, 2021. The bill grants law enforcement agencies the power to disrupt data by modifying, adding, copying, or deleting data in order to frustrate the commission of serious offences online.

Digital Rights Watch, an Australian charity organization that aims to educate and uphold the digital rights of Australian citizens, criticized the bill. They said, “The Australian government has new laws on the books to hack your computer, your online accounts, and just about any piece of technology and networks you come into contact with. It can happen without a warrant and without you ever knowing.”⁴

The bill provides new powers to law enforcement agencies: Data Disruption Warrants, Account Takeover Warrants, and Network Activity Warrants.

Digital Rights Watch explains how these powers will work: “A DATA DISRUPTION WARRANT enables the agencies to “add, copy, delete or alter” data on devices. And while it’s called a warrant, there is an emergency authorisation process for cases when it is “not practicable” to get a warrant.

<...>

AN ACCOUNT TAKEOVER WARRANT enables the law enforcement agencies to take control of an account, and even lock the account holder out of it. This can be done covertly and without consent, so the individual wouldn’t necessarily know what is going on until or if they are ever charged. It includes removing two-factor authentication and using one account to gain access to others (directly contradicting cyber security best practices for staying safe and secure online). The warrant is applicable for a maximum of 90 days (though extensions are possible) — so that is the length of time a law enforcement officer can impersonate you or use your accounts to monitor your activity and gather information.

<...>

NETWORK ACTIVITY WARRANTS allow access to networks where there is suspicion of serious online offences, although what qualifies as “serious” has a variety of definitions in the legislation.”

¹ ACS submission on the Assistance and Access Bill 2018 by the Australian Computer Society, accessible at https://www.acs.org.au/content/dam/acs/acs-public-policy/ACS%20submission%20on%20Assistance%20and%20Access%20Bill.pdf; viewed on May 14, 2021.

² “In the new fight for online privacy and security, Australia falls: What happens next?” by Danny O’Brien, accessible at https://www.eff.org/deeplinks/2018/12/new-fight-online-privacy-and-security-australia-falls-what-happens-next; viewed on May 14, 2021.

³ Comment to the Department of Home Affairs on the Telecommunications and Other Amendment (Assistance and Access Bill) 2018 provided by Digi, accessible at https://www.homeaffairs.gov.au/how-to-engage-us-subsite/files/assistance-access-bill-2018/digi.pdf; viewed on May 14, 2021.

⁴ “Australia’s new mass surveillance mandate”, a statement by Digital Rights Watch, accessible at: https://digitalrightswatch.org.au/2021/09/02/australias-new-mass-surveillance-mandate/; viewed on September 14, 2021.

Organic Law on the Intelligence and Security Services

The law (accessible here in French) was passed in 1998. It allows intelligence and security authorities to intercept and record communications with a prior authorization from an independent commission. Furthermore, if an electronic communications network is necessary for the interception, the head of the intelligence or security authorities can send a request for technical assistance to a network operator or provider. A failure to comply with such a request is considered a criminal offense and is punishable by a fine of up to 20,000 EUR.

Law on Electronic Communications

The law (accessible here in French) was passed in 2005. It allows the king to pass administrational and technical measures aimed at communications operators to identify end users and their location, listen to their communications, and record them. Under the royal Order of 12 October 2010, these measures include being able to transmit the content of a call when the operator has used encryption. To comply, operators and service providers need to be able to decrypt any encryption they use.

Code of Criminal Instruction

The code (accessible here in French) allows magistrates and other officials to order a special subject of a search warrant or services or applications that encrypt data to provide information on how to access encrypted content.

Draft law on the collection and storage of identification, traffic and location data in the electronic communications sector and their access by the authorities

The draft law requires operators of encrypted systems to enable authorities to access future content from specific users on request. Basically, it requires the installation of backdoors in systems that use encryption.

An open letter⁵ to the Belgian government signed by various organizations and cybersecurity experts explained that the legislation: “would require operators of encrypted systems to enable law enforcement to be able to access on request content produced by specific users after a specified date in the future. That is, they would have to be able to “turn off” encryption for specific users. There is no way to simply ‘turn off’ encryption; providers would need to create a new delivery system and send targeted users into that separate delivery system. Not only would this require significant technical changes, but it would thereby break the promises of confidentiality and privacy of end-to-end encrypted communications services.”⁵

⁵ Open letter sent to the Belgian government, signed by cybersecurity experts. Accessible at: https://www.globalencryption.org/2021/09/open-letter-48-organizations-and-cybersecurity-experts-call-on-the-belgian-government-to-halt-legislation-to-undermine-end-to-end-encryption/; viewed on January 31, 2022.

The Constitution of the Federative Republic of Brazil

The Constitution was passed in 1988, and it’s the supreme law in Brazil. Article 5 of the Constitution guarantees “secrecy of correspondence and of telegraphic, data and telephonic communications is inviolable, except, in the latter case, by court order, in the situations and manner established by law for purposes of criminal investigation or the fact-finding phase of a criminal prosecution.”⁶

General Data Protection Law

The law was passed in 2018. It’s a comprehensive data privacy law that aims to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”⁷

Lexology, a comprehensive source of international legal updates and analysis, wrote: “However no explicit right to encryption exists in Brazil, although its constitution guarantees the secrecy of correspondence and telegraphic, data, and telephonic communications.

Brazilian laws require telecommunication service providers to ensure this secrecy, noting that the right can be suspended only if competent authorities request the information by court order.”⁸

The Carnegie Endowment for International Peace, a think tank, wrote: “The encryption debate in Brazil focuses on balancing the needs of law enforcement and the promotion of secure encryption systems. One of the main issues is the use of end-to-end encryption by communications applications (apps). Some companies have adopted technological architecture that inhibits the government’s ability to obtain access to communications data that could be of use to officials investigating and prosecuting criminal activities. Brazilian judges have repeatedly ordered service providers to block the communications app WhatsApp in response to the company’s (which is owned by Facebook) noncompliance with judicial decisions requiring it to provide information related to ongoing investigations.”⁹

⁶ The Constitution of the Federative Republic of Brazil, accessible at https://www.constituteproject.org/constitution/Brazil_2017?lang=en; viewed on May 24, 2021.

⁷ “The LGPD: Brazil’s data privacy law gains more teeth”, accessible at https://www.reedsmith.com/en/perspectives/2020/09/the-lgpd-brazils-data-privacy-law-gains-more-teeth; viewed on May 21, 2021.

⁸ https://www.lexology.com/library/detail.aspx?g=41bce78b-f790-4901-ba88-7b9f6ffdd488

⁹ “The encryption debate in Brazil”, accessible at https://carnegieendowment.org/2019/05/30/encryption-debate-in-brazil-pub-79219; viewed on May 24, 2021.

The Canadian Charter of Rights and Freedoms

The Charter was signed into law in 1982. The Charter protects the right to “freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication” and provides that “everyone has the right to be secure against unreasonable search or seizure.” The government of Canada has recognized that these rights would also apply to possible restrictions on encryption.

The Criminal Code

The Criminal Code was passed in 1985. There is no legal act that can be used to require operators to facilitate the decryption of encrypted content. There are, however, special cases. The code allows that assistance orders or production orders against third parties may be used to facilitate attempts by law enforcement to access encrypted data.

The Quebec Court of Appeal in the criminal case R v. Boudreau-Fontaine (2010 QCCA 1108) found that an order compelling an individual to provide their password violated their constitutional rights, including the right to silence and protection against self-incrimination. The government has recognized that it has no legal grounds to compel individuals to provide a password in the course of a criminal investigation.

Council Resolution on Encryption

The draft was introduced on November 24, 2020 and adopted on December 14, 2020. In this resolution, “the Council underlines its support for the development, implementation and use of strong encryption as a necessary means of protecting fundamental rights and the digital security of citizens, governments, industry and society. At the same time, the Council notes the need to ensure that competent law enforcement and judicial authorities are able to exercise their legal powers, both online and offline, to protect our societies and citizens.”¹⁰

Assessment of the Draft Council Resolution

Ray Walsh, a digital privacy expert from ProPrivacy, wrote in response to the Draft Council Resolution: “Providing backdoors into people’s messages creates ongoing access for government agencies to everyone’s private messages, without reducing the ability for criminals to send encrypted messages via other covert means on the dark web. Removing strong encryption from consumer-facing platforms is detrimental to large numbers of people, including journalists, human rights activists, and even the politicians themselves who are rushing through this legislation.”¹¹

Access Now and EDRI published their opinion about the Draft Council Resolution: “The draft Council resolution points out that digital vulnerabilities create the potential for exploitation for criminal purposes. Indeed, any effort to mandate security flaws in technical systems will empower criminals and malicious state actors.” Access Now and EDRI urged the EU and its members to “abandon plans to weaken information security measures such as end-to-end encryption” and “refrain from mandating companies to build pre-encryption screening or other security flaws into their systems.”¹²

¹⁰ “Encryption: Council adopts resolution on security through encryption and security despite encryption” press release by the Council of the European Union, accessible at https://www.consilium.europa.eu/en/press/press-releases/2020/12/14/encryption-council-adopts-resolution-on-security-through-encryption-and-security-despite-encryption/, viewed on July 14, 2021.

¹¹ “EU moves closer to encryption ban after Austria, France attacks” by Alex Scroxton, accessible at https://www.computerweekly.com/news/252491755/EU-moves-closer-to-encryption-ban-after-Austria-France-attacks; viewed on May 14, 2021.

¹² EDRi draft response to Council on encryption”, accessible at https://edri.org/wp-content/uploads/2020/11/20201109-EDRi-Draft-Response-to-Council-on-encryption-SEND.pdf; viewed on May 14, 2021.

Policies that threaten encryption.

The Five Eyes is a state surveillance alliance that monitors and shares the activity of internet users among its members to protect national security. The Five Eyes countries are the US, UK, Canada, New Zealand, and Australia.

Members of the Five Eyes, along with representatives for Japan and India, have published their opinion on end-to-end encryption: “Particular implementations of encryption technology, however, pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children. We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content. We call on technology companies to work with governments to take the following steps, focused on reasonable, technically feasible solutions:

• Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;
• Enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and
• Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.”¹³

¹² International Statement: End-To-End Encryption and Public Safety”, accessible at https://www.justice.gov/opa/pr/international-statement-end-end-encryption-and-public-safety; viewed on May 24, 2021.

Law No. 2004-575 of June 21, 2004 on confidence in the digital economy

The original text can be found here.

Before starting to supply cryptography services or export cryptography products and services, a person must inform the Prime Minister. The failure to do so can be punished by up to two years’ imprisonment and a fine of up to €30,000.

Internal Security Code

The original text can be found here.

Under certain circumstances, the code obliges the providers cryptology services to deliver to government agents the means of enabling the decryption of the data encrypted by their services within 72 hours or decrypt the data themselves.

Discussions about encryption

In 2017, President Emmanuel Macron stated: “We want to step up international cooperation, notably with the United States, to improve access to digital evidence in the investigations led by our police and judicial services regardless of where the data is stored.”¹⁴

Julien Lausson, a Numerama journalist, questioned Emmanuel Macron’s reasoning: “It is absolutely impossible to access encrypted content without decrypting it at some stage. <...> In the case of end-to-end encryption, messages are secured on the user’s device (a smartphone, tablet, PC, etc.). The keys used to protect discussions and allow legitimate correspondents to read them are stored on users’ devices. WhatsApp, iMessage, Signal, or Telegram operate in this way.

Therefore, a country’s legal or administrative authorities cannot request access to the keys from these services as they do not possess them and are not in a position to recover them. It would require a major overhaul of their architecture and operation to achieve this — in other words, abandoning end-to-end encryption and opting for weaker cryptographic solutions.”¹⁵

In 2021, Gérald Darmanin, the French Minister of the Interior, said it was necessary to allow the government “to enter and create security loopholes” within “encrypted messaging systems”. He argued that: “Terrorists have changed their way of communicating. They are using the internet, encrypted messaging and social networks, and we remain totally blind.”¹⁶

Olivier Blazy, a cryptography researcher, said: “Genuinely evil people with the appropriate technological know-how would not be concerned by such a law. There is nothing to prevent the use of additional encryption on end-to-end (E2E) software.”¹⁷

¹⁴ PM press conference with President of France Emmanuel Macron: 13 June 2017, accessible at https://www.gov.uk/government/speeches/pm-press-conference-with-president-of-france-emmanuel-macron-13-june-2017; viewed on June 16, 2021.

¹⁵ “Monsieur Macron, vous n’avez toujours pas compris ce qu’est le chiffrement” by Julien Lausson, accessible at https://www.numerama.com/politique/267141-monsieur-macron-vous-navez-toujours-pas-compris-ce-quest-le-chiffrement.html; viewed on June 18, 2021.

¹⁶ “Affaiblir le chiffrement n’est jamais une bonne idée, contrairement à ce qu’affirme Gérald Darmanin” by Corentin Bechade, accessible at https://www.numerama.com/tech/707469-affaiblir-le-chiffrement-nest-jamais-une-bonne-idee-contrairement-a-ce-quaffirme-gerald-darmanin.html; viewed on July 2, 2021.

¹ ⁷ “Affaiblir le chiffrement n’est jamais une bonne idée, contrairement à ce qu’affirme Gérald Darmanin” by Corentin Bechade, accessible at https://www.numerama.com/tech/707469-affaiblir-le-chiffrement-nest-jamais-une-bonne-idee-contrairement-a-ce-quaffirme-gerald-darmanin.html; viewed on July 2, 2021.

Discussions about encryption

In 2019, the German government started exploring the idea of enforcing encryption backdoors in communication platforms¹⁸. In response, numerous tech companies, organizations, and academics signed an open letter, which criticized these plans, arguing that: “We believe that the proposed reform would abruptly lower the security level of millions of German Internet users, create new entry points for foreign intelligence services and cybercriminals, and massively damage Germany’s international reputation as a leading location for a secure and privacy-driven digital economy.”¹⁹

In 2020, a regional court in Cologne ordered Tutanota, an end-to-end encrypted email provider, to monitor an account belonging to a user. According to Tutanota, it plans to appeal the ruling, but must abide by the court’s decision, meaning it must develop the monitoring functionality.²⁰

Matthias Pfau, the co-founder of Tutanota, said: “This decision shows again why end-to-end encryption is so important. According to the ruling of the Cologne Regional Court, we were obliged to release unencrypted incoming and outgoing emails from one mailbox. Emails that are encrypted end-to-end in Tutanota cannot be decrypted by us.”²¹

Sven Herpig and Julia Schuetze, cybersecurity experts, have summarized the public discourse and policy regarding encryption backdoors: “Public debates in the aftermath of violent events about extending the powers of law enforcement and intelligence agencies in cyberspace are limited to government hacking, not backdoors. From operational, institutional, policy, and legal views, Germany continues to adhere to the encryption policy it adopted in 1999: fostering strong encryption but enabling its intelligence and law enforcement agencies to conduct government hacking, at least on the national level. With its proposed EU council resolution and EU cyber diplomacy non-paper, Germany currently seems to be moving the backdoor and lawful access debate to the EU level—possibly because it knows its chances to pass these policies on the national level are very slim. Whether the EU will be an easier vector to broach these policies remains to be seen.”²²

¹⁸ “Seehofer will Messengerdienste zum Entschlüsseln zwingen” by Marcel Rosenbach and Wolf Wiedmann-Schmidt, accessible at https://www.spiegel.de/netzwelt/netzpolitik/horst-seehofer-will-messengerdienste-zum-entschluesseln-zwingen-a-1269121.html; viewed on July 5, 2021.

¹⁹ “Mozilla pens open letter to German policymakers over planned encryption law” by Catherine Chapman, accessible at https://portswigger.net/daily-swig/mozilla-pens-open-letter-to-german-policymakers-over-planned-encryption-law; viewed on July 5, 2021.

²⁰ “German court forces encrypted email provider Tutanota to provide messages in blackmail case” by Shannon Vavra, accessible at https://www.cyberscoop.com/germany-court-ruling-tutanota-email-monitoring/; viewed on July 5, 2021.

²¹ “German court forces encrypted email provider Tutanota to provide messages in blackmail case” by Shannon Vavra, accessible at https://www.cyberscoop.com/germany-court-ruling-tutanota-email-monitoring/; viewed on July 5, 2021.

²² “The Encryption Debate in Germany: 2021 Update” by Sven Herpig and Julia Shuetze, accessible at https://carnegieendowment.org/files/202104-Germany_Country_Brief.pdf; viewed on July 15, 2021.

Criminal Procedure Code

English translation of Criminal Procedure Code can be found here.

Lexology, a comprehensive source of international legal updates and analysis, wrote: “The Criminal Procedure Code provides that telecommunications carriers may be asked to cooperate in implementing the interception of electronic communications, which includes decryption. Although carriers are obligated to cooperate, they are not penalized for failing to do so or required to develop decryption systems or software.”²³

²³ “The International Encryption Debate: Privacy Versus Big Brother” by Robert J. Anello and Richard F. Albert; accessible at https://www.lexology.com/library/detail.aspx?g=41bce78b-f790-4901-ba88-7b9f6ffdd488; viewed on May 20, 2010.

The Constitution of the Kingdom of the Netherlands

The Constitution states that everyone shall have the right to respect for their privacy. The privacy of correspondence shall not be violated except in the cases established in law.

Intelligence and Security Services Act

The act (accessible here in Dutch) was passed in 2017. It allows the authorities to intercept, receive, record, and listen in on any form of communications or data transmission, including decrypting the intercepted data. The authorities may use this power with the prior permission of a relevant minister.

The Constitution of the Kingdom of the Netherlands

South Korea has no legal acts that pursue encryption backdoors. The country has strong data privacy safeguards, in particular stated in the Personal Information Protection Act (the PIPA) and the decree that implements the act.

The Spanish Constitution of 1978 states that the secrecy of communications is guaranteed, including postal, telegraphic, and telephone communications, and they can only be infringed upon by judicial resolution.

Spain has no legal acts or policies that pursue encryption backdoors.

Criminal Procedure Law

Article 588 of the Criminal Procedure Law (available here in Spanish) states that the providers and operators of telecommunications services and other persons of interest are obliged to provide the judge and other relevant authorities necessary assistance to facilitate compliance with the telecommunications intervention orders. That means that the authorities can request the decryption of data in particular cases and during criminal court proceedings when the judge has found substantial proof to enforce this duty to assist.

Swedish law does not require companies to decrypt communications. Furthermore, any searches or seizures require a prior proportionality test, which weighs the reasons for the measure against the right to privacy.

The Secret Data Reading Act

The act (available here in Swedish) came into force on April 1, 2020. The act allows authorities to install spyware on the devices of suspects of a crime. CPO Magazine, a website that covers data privacy and cybersecurity issues, commented on it: “the new expanded powers have attracted the attention of privacy advocates and human rights activists. They are concerned that Swedish law enforcement agencies will overstep their boundaries and eventually usher in a modern surveillance state in which anyone – even someone not suspected of a crime – might be the subject of digital surveillance … In the case of spyware, Swedish police will need physical access to the device in order to plant the spyware on. In the case of encryption backdoors, law enforcement would need a ‘backdoor’ into the entire communications platform. Thus, it might be possible to argue that spyware planted on devices to intercept encrypted communications is much less intrusive than gaining a backdoor into the entire communications platform.”²⁴

The Digital Freedom and Rights Association, an organization that promotes human rights online, was critical of this law: “If someone finds a new vulnerability, this person has a choice. … This gives the police the possibility to buy unknown vulnerabilities to hack into computers and smartphones. It is actually more profitable to not report them and sell them instead.”²⁵

²⁴ “Swedish police given green light for spyware” by Nicole Lindsey, accessible at https://www.cpomagazine.com/cyber-security/swedish-police-given-green-light-for-spyware; viewed on February 4, 2022.

²⁵ “Five things to know about Sweden’s new digital surveillance law” https://www.thelocal.se/20200304/what-you-need-to-know-about-swedens-new-digital-surveillance-law accessible at https://www.thelocal.se/20200304/what-you-need-to-know-about-swedens-new-digital-surveillance-law/; viewed on February 4, 2022.

The Investigatory Powers Act (IPB)

Also known as the Snooper’s Charter, the act came into force in 2016. It laid out and expanded the electronic surveillance powers of the UK government.

Assessment of the Investigatory Powers Act:

• The act allows the government to order a company to tamper with the security features in their products. The authorities can also prohibit the company from telling the public about the tampering.
• There’s no public knowledge of the UK government ever using the act in such a way.²⁶

Alec Muffett, a technical advisor and board member for the Open Rights Group, said that the government “will lose the battle because they will never (for instance) coerce the global open-source community to comply. <...> It would be an ugly battle, and (win or lose) it would be self-defeating. People would flee a less secure, less competitive Facebook and move to other platforms — ones with less cordial government relationships, or with no corporate presence at all.”²⁷

Tony Anscombe, a senior security evangelist at Avast, said: “Banning encryption in order to get to the communications of a select few opens the door to the communications of many, and renders us all less secure and our lives less private. If you build a backdoor, it’s there for everybody to access. And if you store that data you collect, even in encrypted form, how secure is it?”²⁸

Online Safety Bill

The draft of the Online Safety Bill was published on May 12, 2021. The bill aims to make the UK the safest place in the world to be online while also defending free expression.

Assessment of the Online Safety Bill

• “The UK government is trying to legislate the impossible – a safe Internet without strong encryption – in the face of clear and consistent technical analysis saying that it cannot be done.”²⁹
• The act could pave the way for banning end-to-end encryption.

Internet Society, a nonprofit organization, said, “Encryption technology keeps you safe: it secures your transactions, preserves your confidentiality, and in a world of connected objects, it protects your physical safety. Weakening, bypassing or removing encryption puts everyone, including children, at greater risk: it exposes their communications to third parties, and it deprives children of secure lifelines to help and advice.

Anyone advocating for encryption to be bypassed, removed, or omitted must show that doing so would not create points of access that put children and adults at risk of fraud, exploitation, and physical harm. This is simply not possible: there are no “safe back doors” to encrypted communication, and those calling for them cannot stop them from being discovered and misused.”³⁰

Heather Burns from the Open Rights Group, a digital campaigning organization that works to protect rights to privacy and free speech online, claimed that some petitioners “want the Online Harms regulator (likely Ofcom) to be able to ban online services from being able to use encryption unless they can meet the standards of a highly subjective “duty of care.”

We cannot stress enough how dangerous it is to even entertain the thought that the Online Harms Bill should create some sort of “licensing” system for the use of encryption – one where a regulator should have the power and the authority to suspend a company’s ability to protect its systems, and its users, through the use of encryption.”³¹

²⁶ “Give up the ghost: a backdoor by another name” by Nate Cardozo, accessible at https://www.eff.org/deeplinks/2019/01/give-ghost-backdoor-another-name; viewed on May 18, 2021.

²⁷ “UK government can force encryption removal, but fears losing, experts say” by Akex Hern, accessible at: https://www.theguardian.com/technology/2017/mar/29/uk-government-encryption-whatsapp-investigatory-powers-act; viewed on May 18, 2021.

²⁸ “UK government can force encryption removal, but fears losing, experts say” by Akex Hern, accessible at: https://www.theguardian.com/technology/2017/mar/29/uk-government-encryption-whatsapp-investigatory-powers-act; viewed on May 18, 2021.

²⁹ “Internet Society: UK Online Public Safety Bill is trying to legislate the impossible – a safe Internet without strong encryption”, accessible at https://www.internetsociety.org/news/statements/2021/internet-society-uk-online-public-safety-bill-is-trying-to-legislate-the-impossible-a-safe-internet-without-strong-encryption; viewed on May 18, 2021.

³⁰ “Internet Society: UK Online Public Safety Bill is trying to legislate the impossible – a safe Internet without strong encryption”, accessible at https://www.internetsociety.org/news/statements/2021/internet-society-uk-online-public-safety-bill-is-trying-to-legislate-the-impossible-a-safe-internet-without-strong-encryption; viewed on May 18, 2021.

³¹ “Online harms: encryption under attack” by Heather Burns, accessible at https://www.openrightsgroup.org/blog/online-harms-encryption-under-attack/; viewed on May 18, 2021.

The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT)

The bill was introduced on March 5, 2020. Actions overview. The bill aims to set best practices to detect and report child sexual exploitation materials.

Assessment of the EARN IT bill

• The act won’t achieve its goals of protecting children
• It attempts to restrict end-to-end encryption without restricting it directly
• It threatens the safety of millions who rely on strong encryption every day

ACLU's Senior Legislative Counsel Kate Ruane said: “The EARN It Act threatens the safety of activists, domestic violence victims, and millions of others who rely on strong encryption every day. Because of the safety and security encryption provides, Congress has repeatedly rejected legislation that would create an encryption backdoor.”³²

The Center for Democracy and Technology published a statement, stressing that “the bill, which purports to fight the spread of child sexual abuse material online, undermines not only encryption and the security of internet communications, but also future law enforcement investigations against predators of children.”³³

Matthew Green, a cryptographer and professor at Johns Hopkins University, called the bill a direct attack on end-to-end encryption. He wrote: “This bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn't come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they'll go bankrupt if they try to disobey this committee's recommendations.”³⁴

Lauren Sarkesian, a senior policy counsel at New America's Open Technology Institute, said: “While we support the bill's purported end goal of combating child exploitation online, the bill would not be effective in achieving that purpose, and instead appears to be an attempt to ban end-to-end encryption without actually banning it outright.”³⁵

Lawful Access to Encrypted Data (LAED) Act

The bill was introduced on June 23, 2020. Actions overview. The bill aims to provide police and security agencies with the ability to quickly access information contained on a suspect’s encrypted device.

Assessment of the LAED bill

• An explicit attack on encryption
• It would weaken the lawful use of encryption in communication services
• It might force companies to deploy weaker encryption

Richie Koch from ProtonMail said: “LAED targets all data that is encrypted, both in transit and at rest. So not only would a tech company be forced to help the FBI break into a smartphone seized from a suspect, but it would also have to build a way to let officials monitor end-to-end encrypted communications, including whoever the suspect is talking to. <...> This law would require any American company with more than 1 million users in the US to be able to decrypt its users’ data and present it to law enforcement. <...> The LAED Act would require a backdoor to HTTPS, the system that secures almost all websites with TLS encryption, so that law enforcement could access encrypted metadata.”³⁶

According to Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory, the bill is “an actual, overt, make-no-mistake, crystal-clear ban on providers from offering end-to-end encryption in online services, from offering encrypted devices that cannot be unlocked for law enforcement, and indeed from offering any encryption that does not build in a means of decrypting data for law enforcement. The new bill applies to operating systems and apps and messaging and chat and social media platforms and email and cloud storage and videoconferencing and smartphones and laptops and desktops and your Xbox <...> this bill would require a mandatory built-in mass backdoor for practically every device or service you use that has a computer in it or touches the Internet at any point. If it passes, this bill marks the end of strong encryption for stored data on devices; those would now be illegal to sell in America.”³⁷

³² “Is the EARN-IT Act a backdoor attempt to get encryption backdoors?” by Cynthia Brumfield, accessible at https://www.csoonline.com/article/3531393/is-the-earn-it-act-a-backdoor-attempt-to-get-encryption-backdoors.html; viewed on May 14, 2021.

³³ “EARN IT Act Threatens Encryption, Free Expression, and Prosecutions of Child Exploitation”, accessible at https://cdt.org/press/earn-it-act-threatens-encryption-free-expression-and-prosecutions-of-child-exploitation/; viewed on May 14, 2021.

³⁴ “EARN IT is a direct attack on end-to-end encryption” by Matthew Green, accessible at https://blog.cryptographyengineering.com/2020/03/06/earn-it-is-an-attack-on-encryption/; viewed on May 14, 2021.

³⁵ “Is the EARN-IT Act a backdoor attempt to get encryption backdoors?” by Cynthia Brumfield, accessible at https://www.csoonline.com/article/3531393/is-the-earn-it-act-a-backdoor-attempt-to-get-encryption-backdoors.html; viewed on May 14, 2021.

³⁶ “The Lawful Access to Encrypted Data Act wants to ban strong encryption” by Richie Koch, accessible at https://protonmail.com/blog/usa-laed-act-anti-encryption/; viewed on May 14, 2021.

³⁷ “There is now an even worse anti-encryption bill than EARN IT. That doesn’t make the EARN IT bill ok.” by Riana Pfefferkorn, accessible at http://cyberlaw.stanford.edu/blog/2020/06/there%E2%80%99s-now-even-worse-anti-encryption-bill-earn-it-doesn%E2%80%99t-make-earn-it-bill-ok; viewed on May 14, 2021.