Messaging apps may face new EU security obligations after terror attacks

WhatsApp, Signal and other messaging services may face new EU obligations to cooperate with law-enforcement agencies as EU governments consider how to crack down on suspected terrorists who use end-to-end encryption services.

A call today between the leaders of France, Germany and Austria is expected to kickstart the process of developing a new EU regulatory framework, which would be proposed at the European Council meeting in mid-December, MLex understands. The impetus follows deadly Islamist attacks in both France and Austria in recent weeks.

Germany, which is chairing meetings of EU governments until the end of the year, said in a draft resolution last week that there is a need to review the existing rules to develop a “consistent” regulatory framework “that would allow competent authorities to carry out their operational tasks effectively.”

The draft resolution, as reported by the Austrian press, says governments should work with companies to develop technical solutions. These would allow authorities to use their investigative powers so that they have access to encrypted services, while preserving fundamental rights and “the advantages of encryption.”

Discussions on the EU's response to recent attacks began in earnest today with a meeting in Paris between French President Emmanuel Macron and Austrian Chancellor Sebastian Kurz. Later in the day, they were scheduled to hold a videoconference with European Council President Charles Michel, European Commission President Ursula von der Leyen and German Chancellor Angela Merkel to plan the next steps.

The leaders are expected to consider new regulations targeting radicalism and hate speech online, and creating a legal process for intelligence services to access end-to-end encryption services in limited circumstances. A draft regulatory framework could be put to the European Council as early as next month; France hopes to get it approved in the first half of 2022, when it will be chairing EU talks.

France’s calls to strengthen authorities' investigative powers against terrorism have become louder since a Paris-area teacher, Samuel Paty, was murdered last month. A parent of a student mounted a Facebook campaign against Paty after he showed cartoons of Mohammed in class. Later, a video labeling the teacher an “enemy of Islam” was circulated online.

Following Paty's death, the French government asked tech companies such as Facebook, Twitter, Google, TikTok and Snapchat to increase their scrutiny of terror-related content.

Previous high-profile terrorist incidents in Europe — including the 2015 Paris attack that left 137 people dead, and the 2016 incidents in Brussels, Nice and Berlin — are believed to have been planned using encrypted apps.

In France itself, a security law to be presented on Nov. 17 to the National Assembly is expected to include new measures to tackle hate speech and terrorist content online.

EU Council proposal

The draft EU resolution, marked as "restricted," warns against the potential for off-the-shelf, readily available encryption services to be exploited for criminal purposes, even though they are designed for legitimate ends. Given this, tech tools to give authorities access to data should be developed, but safeguards must be put in place, it says.

"Competent authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity. Technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality," it says.

The proposed text of the resolution recognizes that there is "no single way of achieving the set goals," and calls on governments, industry, research and academia to work together to "strategically create this balance."

The language of the document seems to reflect that of last month's statement by the Five Eyes intelligence alliance. Australia, Canada, New Zealand, the UK and the US, along with Japan, together called for app developers to "embed the safety of the public in system designs," and to "enable law enforcement access to content in a readable and usable format where an authorization is lawfully issued, is necessary and proportionate”.

Some privacy campaigners have raised concerns that this move would mark the end of widespread use of encryption and weaken the protection of people's privacy. A spokesman for Germany's interior ministry sought to address those concerns by saying the draft resolution "does not contain any solutions or demands for weakening encryption systems."

"It is intended as a first step towards a trustful discussion," he said.

He further highlighted that the final proposal would need to "strike a balance between the protection of trade secrets and personal data and the needs of security services."

Additional reporting by Giulia Bedini.