Open letter on the draft encryption law

Sat 6 Nov

Open Letter: 100 organizations and cybersecurity experts call on the Belgian Government to halt legislation to undermine end-to-end encryption.

29 September 2021

Deputy Prime Minister and Minister of Public Administration, Public Enterprises, Telecommunication and the Postal Services Mrs. Petra De Sutter

Deputy Prime Minister and Minister of Justice and the North Sea Mr. Vincent Van Quickenborne,

Minister of Defense, Mrs. Ludivine Dedonder

Dear Ministers De Sutter, Van Quickenborne, and Dedonder,

End-to-end encryption keeps Belgium safe.

Encryption protects everyday activities, like handling bank accounts online, securing confidential data like salary slips or tax information, and communicating with your friends and family. End-to-end encryption also protects vulnerable communities and professions where private communications are essential, such as for journalists, lawyers, and medical professionals.

The Belgian government is considering new legislation, the most dangerous being considered among European Union Member States, that would undermine the security and privacy provided by end-to-end encryption.

The Draft law on the collection and storage of identification, traffic and location data in the electronic communications sector and their access by the authorities,[1] or “the Data Retention Legislation,” would require operators of encrypted systems to enable law enforcement to be able to access on request content produced by specific users after a specified date in the future. That is, they would have to be able to “turn off” encryption for specific users. There is no way to simply “turn off” encryption; providers would need to create a new delivery system and send targeted users into that separate delivery system. Not only would this require significant technical changes, but it would thereby break the promises of confidentiality and privacy of end-to-end encrypted communications services.

Far from making Belgians safer, these requirements would undermine the use of end-to-end encryption in Belgium and, as the Belgian Data Protection Authority wrote in its opinion against the Data Retention Legislation, would force companies to create a “de facto backdoor.”[2] The consensus among cybersecurity experts is clear: there is no way to provide third party access to end-to-end encrypted communications without also creating encryption backdoors and vulnerabilities that can be exploited by anyone that finds them.[3] In other words, there is no way for only law enforcement to have access to backdoors, without risking bad actors gaining access to the same. Creating encryption backdoors weakens the security of the whole system and puts all its users at risk.[4] Undermining encryption by introducing backdoors to encrypted communications would leave Belgium exposed to attacks, including its journalists, doctors, lawyers, public sector employees, and other citizens, as well as businesses and institutions, including governments.

Beyond introducing backdoors into existing end-to-end encrypted systems, the Data Retention Legislation would also discourage companies from offering new end-to-end encrypted products. As seen in other countries that have passed similar legislation,[5] the legislation will have a negative impact on trust in Belgian technology companies and damage their ability to compete in the international and European markets. Further, the legislation also threatens to have a wider impact on the European Digital Single Market, as companies in other Member States may be forced to consider these new requirements if they want to offer their products in the Belgian market.

If the Data Retention Legislation is supposed to make Belgians safer, it cannot do so by undermining the strong protections we all rely on to live our lives; end-to-end encryption should not be threatened or undermined by this legislation.

  1. https://ibpt.be/index.php/operateurs/publication/annexe-1-dispositif
  2. https://www.autoriteprotectiondonnees.be/publications/avis-n-108-2021.pdf
  3. https://academic.oup.com/cybersecurity/article/1/1/69/2367066
  4. https://www.globalencryption.org/2020/11/breaking-encryption-myths/
  5. https://www.internetsociety.org/news/press-releases/2021/new-study-finds-australias-tola-law-poses-long-term-risks-to-australian-economy/

List of signatories
