Open Letter : 100 organizations and cybersecurity experts call on the Belgian Government to halt legislation to undermine end-to-end encryption.
29 September 2021
Deputy Prime Minister and Minister of Public Administration, Public Enterprises, Telecommunication and the Postal Services Mrs. Petra De Sutter
Deputy Prime Minister and Minister of Justice and the North Sea Mr. Vincent Van Quickenborne,
Minister of Defense, Mrs. Ludivine Dedonder
Dear Ministers De Sutter, Van Quickenborne, and Dedonder,
End-to-end encryption keeps Belgium safe.
Encryption protects everyday activities, like handling bank accounts online, securing confidential data like salary slips or tax information, and communicating with your friends and family. End-to-end encryption also protects vulnerable communities and professions where private communications are essential, such as for journalists, lawyers, and medical professionals.
The Belgian government is considering new legislation, the most dangerous being considered among European Union Member States, that would undermine the security and privacy provided by end-to-end encryption.
The Draft law on the collection and storage of identification, traffic and location data in the electronic communications sector and their access by the authorities,1 or “the Data Retention Legislation,” would require operators of encrypted systems to enable law enforcement to be able to access on request content produced by specific users after a specified date in the future. That is, they would have to be able to “turn off” encryption for specific users. There is no way to simply “turn off” encryption ; providers would need to create a new delivery system and send targeted users into that separate delivery system. Not only would this require significant technical changes, but it would thereby break the promises of confidentiality and privacy of end-to-end encrypted communications services.
Far from making Belgians safer, these requirements would undermine the use of end-to-end encryption in Belgium and, as the Belgian Data Protection Authority wrote in its opinion against the Data Retention Legislation, would force companies to create a “de facto backdoor.”2 The consensus among cybersecurity experts is clear : there is no way to provide third party access to end-to-end encrypted communications without also creating encryption backdoors and vulnerabilities that can be exploited by anyone that finds them.3 In other words, there is no way for only law enforcement to have access to backdoors, without risking bad actors from gaining access to the same. Creating encryption backdoors weakens the security of the whole system and puts all its users at risk.4 Undermining encryption by introducing backdoors to encrypted communications would leave Belgium exposed to attacks, including its journalists, doctors, lawyers, public sector employees, and other citizens, as well as businesses and institutions, including governments.
Beyond introducing backdoors into existing end-to-end encrypted systems, the Data Retention Legislation would also discourage companies from offering new end-to-end encrypted products. As seen in other countries that have passed similar legislation,5 the legislation will have a negative impact on trust in Belgian technology companies and damage their ability to compete in the international and European markets. Further, the legislation also threatens to have a wider impact on the European Digital Single Market, as companies in other Member States may be forced to consider these new requirements if they want to offer their products in the Belgian market.
If the Data Retention Legislation is supposed to make Belgians safer, it cannot do so by undermining the strong protections we all rely on to live our lives ; end-to-end encryption should not be threatened or undermined by this legislation.
Listes des signataires