Encryption? Encryption? Did somebody mention encryption? EU Commission to staff: “Switch to the Signal messaging app!”

The European Commission has “suggested” to its staff they use the Signal messaging app. The move is part of the EU’s efforts to beef up cybersecurity, after several high-profile incidents shocked diplomats and officials.

 

21 February 2020 (Brussels, Belgium) – The European Commission has told its staff to start using Signal, the end-to-end-encrypted messaging app, in a push to increase the security of its communications. I have a number of inside sources at the Commission I use for some of my “spicier” posts and we have always used Signal to communicate. Plus I have a large number of regular Commission folks in my mobile contacts directory with whom I communicate on rather mundane matters. But over the last two weeks I have received a flood of notices on Signal that “X is now on Signal!” from that pick of “mundane” contacts and I could not figure it out until one of them told me instructions appeared on the Commission’s internal messaging boards about one week ago: “Signal has been selected as the recommended application for all public instant messaging. Please use it.”

NOTE: the Signal app is favored by privacy activists because of its end-to-end encryption and open-source technology. Because it’s open-source, you can check what’s happening under the hood.

Signal’s development was funded by a combination of donations and grants. And, no, not the U.S. government as many believe. The U.S. has invested some money in the Open Technology Fund, which provided a grant to Signal, but that Fund is one of many organizations that draws U.S. government investment. The U.S. government doesn’t have any say as to which projects the Open Technology Fund decides to fund. This is comparable to how the early version of the internet was developed for the US Military before it was given to university researchers. So, yes, indirect government funding in origin, but that doesn’t mean in any way that there is influence or control by the U.S. government.

Privacy experts consider that Signal’s security is superior to that in other apps. Signal proudly flashes on its website “We can’t read your messages or see your calls, and no one else can either.” Well, hold on. Signal still relies on a centralized server so the server operator can access metadata. But ok, point taken.

While WhatsApp’s technology is based on Signal’s protocol (known as Open Whisper Systems), it isn’t open-source. And if you follow cyber media, it is rife with vulnerabilities. Another popular messaging app, Telegram, meanwhile, faces similar concerns over the lack of transparency on how its encryption works.

As to Signal’s specific architecture and encryption protocols, my Chief Technology Officer and I wrote a brief for my work-in-progress “The Death of Data Privacy” but Wikipedia does a nice summary which you can read by clicking here.

After a series of high-profile incidents that shocked diplomats and officials in Brussels and across the Continent, the European Union has been beefing up its cybersecurity standards, part of the “digital agenda” it launched this week which I will write about over the weekend. For instance, in December 2018, cybersecurity research firm Area 1 Security found that thousands of diplomatic cables were downloaded from the EU’s COREU (or Courtesy) system, which is used by national governments and EU institutions to exchange day-to-day information on foreign policy. Then in June 2019 the news broke that the EU’s delegation in Moscow had suffered what appeared to be a cybersecurity breach in 2017, with two computers allegedly hacked to steal diplomatic information. The Commission investigated the issue and informed its top diplomats.

So, after a fairly detailed examination of messaging apps, the use of Signal was recommended for communications between staff and people outside the institution. Much of this was discussed this past Wednesday at a briefing I attended on the soon-to-be-released draft of a new European cybersecurity strategy.

To be sure, Commission officials are already required to use encrypted emails to exchange sensitive, non-classified information. Classified documents fall under tighter security rules. The use of Signal was mainly recommended for communications between all staff and people outside the institution. An insider told me “the move to use Signal is meant to show the Commission really is working on improving its security policies”.

But … some issues

Promoting the app, however, is antagonizing the European law enforcement community. And officials in Brussels, Washington and other capitals have been putting strong pressure on Facebook and Apple to allow government agencies access to encrypted messages, saying that if these agencies refuse, legal requirements could be introduced that force firms to do just that. So now you have the EU Commission opting for encryption.

And American, British and Australian officials (I now see why the EU Commission opted out) published an open letter to Facebook CEO Mark Zuckerberg asking that he call off plans to encrypt the company’s messaging service. Tell-tale sign? Dutch Minister for Justice and Security Ferd Grapperhaus said at the end of last year “the EU needs to look into legislation allowing governments to access encrypted data. It’s complicated”.

But cybersecurity officials are rallying around the Commission, dismissing calls to weaken encryption, arguing that it would put the confidentiality of communications at risk across the board.

The encryption debate in the European Union

This topic deserves a more lengthy brief, but just a few points:

The question of what role the EU should play in managing encryption-related issues within its borders is a contested one, and recent debates are tied up in zero-sum equations reminiscent of the first Crypto War in the 1990s. Were the EU to mandate that law enforcement be granted access to encrypted data and devices to help prevent terrorism and solve crimes, what would be the potential implications for the fundamental rights of its citizens and the integrity of its cross-border networks and markets? Conversely, how can the EU promote strong encryption in the name of privacy and security without enabling a safe haven for crooks and terrorists, thereby further impeding the role of intelligence and law enforcement authorities in preventing terror and solving crime?

As in other governments around the world, the EU is confronted with multiple perspectives on each encryption issue – but no viable policy solution is in sight. As such, the current European Commission is not likely to legislate on encryption in the short term but a fairly detailed draft of a new European cybersecurity strategy is due out by year end. And the last Commission did execute some provisional, non-legislative measures, such as increasing investment in Europol, funding police trainings across member states, and consulting with different stakeholders. These moves did help all stakeholders gain a deeper understanding of the technical and legal aspects of the issues and explore options for possible future legislation on these issues.

One of the problems that sparked and ostensibly fueled recent EU policy debates on encryption is terrorism. Several terror attacks hit Europe in 2014, with more following in 2015 and 2016 and they continued through 2019. As fears of terrorism intensified, EU member states called for stronger collective measures to prevent and counter it. According to the 2019 Europol Internet Organized Crime Threat Assessment, member states’ law enforcement authorities pointed to encryption as a key threat and serious impediment to the detection, investigation, and prosecution of such criminal activity. With this mantra, several member states demanded a European policy solution, igniting a contested EU policy debate around encryption.

Although terrorism has been the main driver of recent debates around encryption at the EU level, there are other serious tensions shaping the discourse. Encryption has risen to become an essential component of Europe’s open societies and markets. The European Commission’s 2017 cybersecurity strategy recognized encryption as a vital tool for the protection of personal data and fundamental rights, such as privacy and the freedom of expression. Encryption has been hailed by the EU Fundamental Rights Agency as a means to reinforce security and privacy, cornerstones of EU policy, as it allows those who need it—from journalists to human rights defenders, banks to ordinary internet users—to shield their internet communications and safeguard personal data against unauthorized access or leaks.

And as we know, encryption has risen as a strong component of the EU’s new legal framework to ensure digital privacy for EU citizens through e-privacy (as demonstrated by the proposed draft of the E-Privacy Directive) and data protection (as seen in the General Data Protection Regulation).

But despite this, encryption has been caught in the crosshairs of that proposed regulation on e-privacy. While the regulation was intended to ensure the confidentiality of calls, chats, and emails – encrypted or not – it also includes a public interest exception for wiretap provisions, as intended for telecommunications services, which opens questions on how wiretapping surveillance would actually work in digital and, further, encrypted spaces and services.

So allow me to end with a milquetoast last paragraph. As long as Europe is responding to terrorism and other major crimes, the question of whether to regulate encryption and law enforcement’s access to data will remain under scrutiny from all sides. Further, as the technology continues to evolve, the debate will have to take into account new technological realities. It is very hard to keep up with this stuff. To legislate on encryption will take us down a slippery slope. Every call to build and support technical measures for addressing and breaking encryption has increased counter calls for greater transparency and regulations – and the hoary toad of government surveillance and increased hacking capabilities. With everybody yelling for adequate safeguards to protect European fundamental rights.

So, being the cynic, I am left with this feeling of “A Europe of encryption. But transparent, too. Harnessing security, but mindful of freedom, too. With citizens at the heart of it. If we can keep safe from them.” Or something like that.

I will have more in the coming months.
