Belgian Government Wants To Add Encryption Backdoors To Its Already-Terrible Data Retention Law
from the it-can-always-get-worse dept
Earlier this year, a data retention law passed by the Belgian government was overturned by the country's Constitutional Court. The law mandated that metadata on every call and text sent by residents be retained for one year, just in case the government ever decided it wanted access to it. Following the CJEU's rulings against indiscriminate data retention elsewhere in the Union, the Constitutional Court struck the law down, finding it justified neither under CJEU precedent nor under Belgium's own Constitution.
[T]he Constitutional Court finds that the Data Retention Act aims at broader objectives than safeguarding national security, combating serious crime and preventing serious threats to public security and that the interference is thus not limited to what is strictly necessary. In addition, the Constitutional Court points out that such requirement to retain traffic and location data should be the exception, not the rule, must set out clear and precise rules regarding the scope and application of such measure, whereby certain minimum requirements should be implemented, and should ensure that the interference is limited to what is strictly necessary.
That prompted an immediate rewrite and a hasty push of the replacement through the legislative process. The ruling was handed down in April; by May 10th, the government had another legislative proposal ready to go. Then it expanded it, adding encrypted messaging services to the list of entities obliged to collect and retain communications metadata.
But the demands go even further than metadata. Either unable or unwilling to understand how end-to-end encryption works, legislators want a form of encryption that can be stripped away whenever the government wants access to communications. This is from an open letter sent to the Belgian government by 81 organizations and cybersecurity experts.
The Draft law on the collection and storage of identification, traffic and location data in the electronic communications sector and their access by the authorities, or “the Data Retention Legislation,” would require operators of encrypted systems to enable law enforcement to be able to access on request content produced by specific users after a specified date in the future. That is, they would have to be able to “turn off” encryption for specific users.
If you can't see where this is going, you might be a Belgian legislator.
There is no way to simply “turn off” encryption; providers would need to create a new delivery system and send targeted users into that separate delivery system. Not only would this require significant technical changes, but it would thereby break the promises of confidentiality and privacy of end-to-end encrypted communications services.
It's a backdoor. Backdoors don't work. Or rather, they do, but then the encryption doesn't work: any mechanism that lets a provider decrypt a targeted user's messages on request is a mechanism that anyone who compromises the provider, or the mechanism itself, can use against every user. Legislators and those pressuring legislators to mandate encryption backdoors don't like to use that term, so they dance around it. In the US, they call it "technical assistance" or "lawful access," the supposed remedy for "warrant-proof encryption." In Belgium, they stuff it into a bill that originally targeted phone service providers and call it "data retention."
It's unclear how the legislature expects this version to survive constitutional review. Perhaps it is relying on the newly added, minimal targeting requirements to turn bulk data collection the government can access at any time into slightly smaller bulk data collection the government can access at any time, now including metadata collected by encrypted communications platforms, which will have to backdoor their own encryption to comply with demands for content.
If this is allowed to become law, everyone's communications will be less secure, not just those belonging to people the state wants to surveil or lock up.
Undermining encryption by introducing backdoors to encrypted communications would leave Belgium exposed to attacks, including its journalists, doctors, lawyers, public sector employees, and other citizens, as well as businesses and institutions, including governments.
If that's an acceptable tradeoff for the government, the bill will become law. But it will have to survive another legal challenge once it goes live. From what can be seen here, it looks like more of what the court already struck down, only with bonus encryption backdoors. If Belgian legislators aren't willing to protect their constituents, hopefully the courts will pick up the slack.
Filed Under: backdoors, belgium, data retention, encryption, surveillance
Reader Comments
I wonder how many politicians would vote for a law like that if it contained a provision that there must be a one year trial period where the new law is in effect only the politicians. The law would not apply to the rest of the population until after that trial period.
Oh, and just to make the example clear, create an archive site where copies of all the encrypted messages are required to be made publicly available.
Re:
Some of them might agree to that in the event they actually buy what they're shovelling.
It brings to mind Jeremy Clarkson, who in his typically brash, faintly ignorant bluster, responded to concerns about a CD containing people's bank account numbers being lost by claiming it was all worry over nothing since there was no danger of ID theft from that data. To prove it, he printed his own bank account number. He was forced to eat his words soon after when someone made a £500 charity donation for him...
I suspect it would be the same thing here - they'd be happy to allow such a thing, right up to the point where people prove the problem to them. Whether they then backtrack or they double down on claims that this doesn't mean that backdoors are a concern would remain to be seen.
All animals are equal but some animals are a little more equal
A 'You first' provision/requirement in various legal systems would shut down so many corrupt and/or idiotic laws which is why you'll never see it.
Everyone knows politicians are a privileged class that deserves more protections than they would graciously grant the public, so the mere thought that they would or should suffer the same hardships that they would inflict on others is simply unthinkable.
The big problem with government in the modern age is that a majority of career politicians (at least in my anecdotal experience in the US, I'd love to see data on the subject) have degrees in non-technical fields like history, law, political "science," etc. The closest they might get to a field that would give them even a solid background in math is economics.
This is all fine and dandy in 1890 or 1950, but in our increasingly technological society where math, computers, and science have become so ubiquitous, government is increasingly incapable of responding to modern challenges because politicians are woefully unprepared to even understand the problem, let alone solve it. They don’t understand the concept of something being mathematically impossible (just like they didn’t a century ago in Indiana during the Pi bill debacle), so to them tech people “just aren’t trying hard enough to find an answer, and if we legislate enough, they’ll be forced to work harder and they’ll find an answer for us.”
'Okay but what if we made it even worse?'
Belgian Government: Passes law mandating X.
Constitutional Court: 'You cannot have a law mandating X.'
Belgian Government: 'Fine, what about a law that mandates X and a supercharged version of X?'
Constitutional Court in short order: 'Did you listen to a word we said?'