European lawmakers have set their sights on a new target in the battle against terrorism: encryption.
Bernard Cazeneuve, France’s interior minister, will meet his German counterpart Thomas de Maizière in Paris on Tuesday to discuss new measures that would limit the use of encrypted communications across the EU. “It’s a central issue in the fight against terrorism,” Mr Cazeneuve told reporters last week.
Measures such as phone taps have long been used by counter-terrorism officials to track terror suspects and monitor their communications. But the growth of online platforms and apps with end-to-end encryption as a standard feature means messages exchanged on the likes of Facebook’s WhatsApp and Apple’s iMessages are now almost impossible for Europe’s intelligence services to read.
As details of the interlocking Isis terror cells responsible for the Paris and Brussels attacks have emerged, it has become evident that such encrypted messages are vital to how jihadis prosecute their violence in Europe. EU spymasters are now lobbying for a law change, as the debate in Europe shifts more towards that in the US.
Officials in Washington have bemoaned the spread of encryption since the Edward Snowden leaks in 2013 triggered a backlash against intelligence agencies’ vast and previously secret internet snooping operations. James Comey, FBI director, warned in May that “the use of encryption is at the centre of terrorist trade craft”.
Patrick Calvar, French homeland security chief, says that while gigabytes of data were collected after November’s mass shooting in Paris “it is often encrypted, and impossible to decipher.” The Isis cell responsible for the attack used WhatsApp and Telegram, another messaging app, both of which offer end-to-end encryption.
Faced with the problems posed by encryption, European counter-terrorism officials have sometimes gone to unusual lengths to get round it.
In a recent terror raid in the UK, undercover police posed as human resources officials at the target’s employer so they could ask to see his work phone. A trove of information was retrieved, including communications with Isis operatives in Syria.
Though progress has been made, one senior European intelligence official says chasing leads from the recent spate of terror attacks has hit walls “again and again” due to encrypted messages.
“The scale of the threat is huge and we’re effectively having to fight with one hand tied behind our backs all the time,” he says. “Even when we know someone is a member of the network, it takes so much longer to join the dots because we simply cannot see everything they’re saying.”
An outright ban on encryption technology could be difficult to enshrine in European law, and would probably be fiercely resisted by Europe’s vociferous digital privacy lobby.
But an ongoing review of EU online privacy rules have caused unrest among Silicon Valley groups who fear it could accomplish the same thing and lead in effect to a ban on the encryption used in popular services.
At the moment, so-called over-the-top services are not covered by the EU’s e-privacy directive, which dictates how customer data are handled and how they respond to requests from security services.
However, Facebook has warned it “would no longer be able to guarantee the security and confidentially of the communication through encryption” if it was roped into the proposed rules. This would have the “undesired consequence of undermining the very privacy it is seeking to protect,” the US group added.
The review is still subject to internal wrangling. The same European Commission officials who in public note the importance of strong encryption also highlight the need for the security services to be able to access encrypted data.
“Encryption is widely recognised as an essential tool for security and trust in open networks,” a commission spokesperson says. “However, the use of encryption should not prevent competent authorities from safeguarding important public interests in accordance with the procedures, conditions and safeguards set forth by law.”
Agreeing a common European position has been hobbled by differences in attitudes to privacy across the continent.
While citizens in France and Britain have traditionally had a relatively benign view of their internal security services, the reverse has been true in Germany and its eastern neighbours, where memories of Communism are fresh.
Jan Philipp Albrecht, a German MEP and privacy campaigner, believes a ban on encryption is wrong, and says security services simply have to become more savvy — and more precise — when trying to access data themselves rather than relying on big internet groups to hand it over en masse.
“It’s not like the GDR [former East Germany] where you can open every letter and read what’s in it,” he says.
However, the spate of terror attacks in the country may have had the effect of shifting Berlin’s position.
While German police have powers to tap phones, they are much more restricted in their ability to monitor internet communications. But, speaking after the attacks, Mr de Maizière said this distinction was obsolete.
“There’s no difference if a criminal makes a phone call or uses the voice telephony function of a messenger service, writes messages or communicates over social media,” he said.
Get alerts on Terrorism when a new story is published