European Commission sends signals in favor of encryption

The European bubble in Brussels is currently rumbling about a story concerning instant messaging. The European Commission is reported to have sent guidelines to its employees regarding the use of instant messaging (WhatsApp, Messenger, Skype, Telegram, etc.) for work purposes. In summary, the European Commission recommended that its employees use open source applications – such as “Signal”, for instance – for communications that do not require a stricter level of security (in the latter case Eurocrats are instead obliged to use dedicated corporate communication systems, including an adapted version of Skype for Business). So the important news here is not so much the favor expressed towards Signal as a default communication tool for all Eurocrats, but rather the disfavor directed towards the most popular alternatives, WhatsApp and Messenger, both owned by Facebook.

The attack on Facebook has caused quite a stir. The Commission’s guidelines praise Signal’s characteristics in terms of security, confidentiality and privacy, due to its effective open source encryption system. Signal uses an encryption system that protects communications end to end, ensuring inviolability by third parties (hackers, criminals or onlookers of any kind) as well as by the operator itself. In other words, neither Signal nor third parties can access the content exchanged between users. However, one should consider that Signal’s encryption system has also been used by Facebook for its instant messaging systems since 2016, so one may ask why the European Commission does not take this into account in its guidelines. Where is the difference between Signal on one side and WhatsApp/Messenger on the other, given that both platforms use the same encryption technology?

It looks as though the technical offices of the European Commission do not trust Facebook very much, even if the latter uses the best technology to protect its users’ communications. The guidelines are reported to allude to Facebook’s non-neutral position as a “monetizer” of data, to the various privacy incidents that have affected its reputation, and to its supposed inability to systematically solve these problems. Furthermore, there is the question of US jurisdiction (the Patriot Act) and therefore the power of the Trump administration to have easy access to data held by Facebook when US security requires it. That is enough to ask Eurocrats to move their communications, even if not necessarily confidential, somewhere else.

So this is not a good story for Facebook, and it is to be expected that the US company is already working to repair the damage. In this respect, it is worth noting that the position of the European Commission is purely technical, not public, and therefore unlikely to affect Facebook’s immense market (73% of estimated global IM market share). The individuals affected by the guidelines are just the professionals of the Eurocracy – a small number of users, but one which nevertheless carries weight in terms of reputation and credibility. Looking further ahead, one wonders what the Commission’s next “technical” position may be, given that the issue of security has become so important in Brussels. An important matter could be ordinary e-mail. European officials only use their internal mail system; however, they exchange tons of communications with external users in a market which is dominated by US platforms, from Gmail (Google) to Hotmail/Outlook (Microsoft), for which privacy and US jurisdiction remain open issues.

Beyond the reputational incident for Facebook, this story is also surprising in another respect: although the guidelines are a technical and non-public position, they nevertheless reflect the Commission’s endorsement of an effective encryption system (i.e. the main characteristic of Signal). The issue of encryption is starting to be highly debated in Brussels: on the one hand, encryption provides protection and safety for users; on the other, it limits the ability of law enforcement and police authorities to carry out their investigative activities. Traditional communication systems (phone calls and text messages) cannot be encrypted since law enforcement authorities have the legal power to access them, while instant messaging systems are not regulated. Some European governments would therefore like to ban encryption for instant messaging services; however, a clear approach to the problem has not yet been formalized. This subject was also included in the European debate on the e-privacy regulation (the online side of the GDPR) but, as we all know, the entire procedure has so far been derailed. The European Commission will sooner or later have to take a position in this regard, taking into account, on the one hand, the users’ interests (confidentiality, trust and security of communications) and, on the other hand, the position of the Member States (and especially of their law enforcement agencies). However, after the endorsement granted to Signal with the recent guidelines, the “technical” position of the European Commission appears to be in favor of encryption; the “political” one ... still remains to be seen.

Categories: Internet security, Privacy