গোলাম রাব্বি 
The European Union, once praised for its pro-privacy legislation, is now leading the charge toward a future with less privacy, one where the government can use your devices to spy on you.
The EU has increasingly targeted encrypted communication as part of its Going Dark initiative, an effort to address criminals using technology to evade investigation and prosecution. As part of its efforts, the bloc has repeatedly introduced its Chat Control legislation, aimed at weakening the encryption that protects messaging services and force providers to provide a client-side backdoor for law enforcement.
While each attempt has been blocked by nations within the EU that still value privacy—such as Germany and Finland—the EU continues to push for what it calls “lawful access by design” to not only encrypted messaging, but now casting its net to include VPN providers.
In its final report, the High-Level Group (HLG) tasked with investigating the issue on behalf of the EU Commission, acknowledges the benefits digital communication has brought, along with a number of significant challenges.
Digital technologies are changing our lives – from the way we communicate to how we live and work – and the societal aspects of this shift are profound. Digitalisation has the potential to provide solutions for many of the challenges Europe and Europeans are facing, and it offers a great many opportunities – opportunities to create jobs, advance education, boost competitiveness and innovation, fight climate change, facilitate the green transition and more.
However, digitalisation also provides the conditions for criminals to exploit technological advances in order to commit crimes both online and offline. Encrypted devices and apps, new communications operators, Virtual Private Networks (VPNs), etc. are designed to protect the privacy of legitimate users. But they also provide criminals with effective means to hide their identities, market their criminal products and services, channel payments and conceal their activities and communications, effectively avoiding detection, investigation and prosecution. While there are tools and services purposely built and primarily used to carry out illegal activities, there is evidence that criminals are increasingly taking advantage of privacy-protecting measures made available by legitimate electronic communications services (ECS). Law enforcement agencies often lag behind criminals in this regard, as they lack the appropriate staff, tools and means to address this challenge effectively. As a result of these developments, access to data for law enforcement purposes has emerged in recent years as a key challenge for criminal investigations and prosecutions.
HLG’s Recommendations
While the HLG’s full report covers three broad areas: Digital Forensics, Data Retention, and Lawful Interception.
Digital Forensics
The HLG targets encryption by default, highlighting some of the challenges it poses law enforcement agencies (LEAs).
The HLG experts have been clear: encryption by default of data on devices is a core challenge that LEAs encounter. Data stored on certain types of modern devices protected by crypto chips18 or protected by strong encryption algorithms and complex passwords cannot be accessed by LEAs, even using the most powerful decryption platforms. Encryption and other cybersecurity and privacy measures are necessary to protect information systems and communication and personal data, but these measures – and in particular the increasing use of encryption by default – reduce the ability of law enforcement to gather evidence.
The report goes on to say that LEAs currently lack the resources and expertise to overcome this issue when it arises. When LEAs do face this challenge, they must rely on vulnerabilities and commercial software—such as Cellebrite or NSO Group’s Pegasus—to break into devices.
After expounding on the need to dedicate more resources to enable LEAs to have the expertise and tools needed, the report emphasizes the need for LEAs to be able to gain “lawful access” and provide a way to bypass device encryption.
A key action under this technology roadmap would be to assess the technical feasibility of built-in lawful access obligations (including for accessing encrypted data and encrypted CCTV recordings) for digital files and devices37, while ensuring strong cybersecurity safeguards and without weakening or undermining communications security. This assessment would be carried out involving all relevant stakeholders.
The HLG even proposes that device manufacturers be forced to provide the source code to the operating systems that power their devices so LEAs can better understand how to access the data.
Data Retention
The HLG highlights the challenges involved in investigating cases without regulation that requires data retention, a state that exists thanks to the EU’s previous commitment to user privacy.
Data retained by providers may be of crucial importance to effectively fight crime, and preserving such data is a precondition for enabling subsequent law enforcement access and ensuring LEAs can carry out investigations. At the same time, the principle of data minimisation laid down in the ePrivacy Directive and the General Data Protection Regulation (GDPR)41 stipulates that providers should only store (or otherwise process) traffic data as long as necessary for the purposes of the communication itself, for billing or, in specific situations, for the purpose of marketing ECS. Any other storage must be governed by a legal framework meeting the requirements set out in Article 15 of the ePrivacy Directive. This regime reflects the need to balance the fundamental rights to privacy and data protection with the purposes of law enforcement measures.
Proposed solutions include forcing companies to implement minimum data retention requirements, along with a framework for companies and LEAs to work together to handle the data.
Minimum requirements for retention of specific categories of data would need to be applicable (and enforceable) to any (present or future) economic operator providing ECS, to make the data retention framework effective both now and in the future. In order to take into account future technological developments, entities subject to data retention obligations should include telecommunication providers, OTT providers and other operators collecting data connected with a specific individual or legal person who uses their service, such as car manufacturers or LLM AI systems. These obligations must be enforceable, and there must be accountability for providers; this could be achieved using a variety of solutions, which could include market barriers (licences to operate) and administrative sanctions.
The HLG acknowledges this proposal would effectively destroy online anonymity, forcing users to register for services that may not currently have that requirement.
While for most providers, obligations to retain and provide data would require mainly technical implementation (i.e. making data collected or processed for business purposes available to competent authorities), this would entail imposing user registration procedures by default on providers which do not currently register their users because they have no business need to do so (such as OTT providers). Obligations of this kind were considered positive by the HLG experts in the context of the discussions on the need to increase transparency and accountability for providers with regard to the data they collect and store, and for how long. Existing obligations for categorisation under other instruments (GDPR) can provide insights on the data processed by these providers.
Lawful Interception
The third area the HLG covers is “lawful interception of communications.” The report goes on to highlight the difference between traditional communication methods, such as phone and SMS, versus non-traditional methods like end-to-end encrypted messaging platforms.
The reports sums up the HLG’s recommendation, saying traditional and non-traditional providers should be subject to the same rules.
As a result, the HLG experts consider it a priority to ensure that obligations on lawful interception of available data apply in the same way to traditional and non-traditional communication providers and are equally enforceable. The harmonisation of such obligations should serve to overcome the challenges related to the execution of cross-border requests.
After discussing the need for various jurisdictions with the bloc to improve cross-border cooperation, the HLG takes direct aim at encrypted content, making the case for a way to access it.
To foster a shift from a reactive approach to a more proactive one, technological challenges need to be addressed in a structured, forward-looking and multi-disciplinary way, with two main priorities: from the perspective of national authorities, it is essential to ensure that law enforcement has access to the relevant capacities to acquire and process available data in transit; while for operators and technology providers, it is vital that they are able to meet their obligations as regards access to data, privacy and cybersecurity, and that their interests are preserved.
Experts therefore suggest anticipating technological challenges through a comprehensive and forward-looking policy, based on a technology roadmap for lawful access that will set objectives and frame activities with associated funding to achieve those objectives.
The Underlying Issue
As we have stated at WPN many times, what regulatory and law enforcement authorities often fail to understand is that there is SIMPLY NO WAY to simultaneously provide strong encryption that protects individuals’ rights and safety, while also providing a backdoor to access their data. If a backdoor or data access mechanism is in place for authorities, there will forever be a risk of bad actors exploiting it.
Signal President Meredith Whittaker pointed this out in response to the EU’s repeated Chat Control legislation attempts.
Rhetorical games are cute in marketing or tabloid reporting, but they are dangerous and naive when applied to such a serious topic with such high stakes. So let’s be very clear, again: mandating mass scanning of private communications fundamentally undermines encryption. Full stop. Whether this happens via tampering with, for instance, an encryption algorithm’s random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they’re encrypted. We can call it a backdoor, a front door, or “upload moderation.” But whatever we call it, each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states, removing the protection of unbreakable math and putting in its place a high-value vulnerability.
As Whittaker points out, the issue of security is not one of policy or procedure—it is an issue of mathematical, scientific fact.
What Others Are Saying
Whittaker is not alone in sounding the alarm over the EU’s fixation with undermining encryption. Mullvad—WPN’s top VPN recommendation— has been outspoken as well.
Similarly, Harvard cryptography professor Matthew Green warns that if the EU’s efforts to force a backdoor into chat encryption succeeds, the bloc will go down in history as creating “the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR.”
The Reason For Cautious Optimism
There may be reasons for critics of the EU’s approach to remain cautiously optimistic. Not only has the EU courts routinely struck down efforts to undermine privacy tools, but the HLG’s own report acknowledges the need to tread carefully and evaluate the feasibility of the recommendations.
On lawful access by design, law enforcement experts suggested a cautious approach, as industry actors should not be asked to integrate any system likely to weaken encryption in a generalised or systemic way for all users of a service; lawful access should remain targeted, on a communication-by-communication basis. They agreed on the relevance of the overall objective, but they insisted on the need to advance gradually and to involve all relevant categories of stakeholders, including technology, cybersecurity and privacy experts, taking into account the potential risks and the sensitivity of public debate. In particular, they strongly advised taking an evidence-based approach and carefully assessing the availability of technical solutions that do not weaken the cybersecurity of communications or negatively impact the cybersecurity of operators.
Upon further investigation, the powers that be may eventually recognize the impossibility of keeping people safe while also undermining strong encryption, privacy, and security.
