American Tech Giants Face Fight in Europe Over Encrypted Data

http://www.nytimes.com/2016/03/28/technology/american-tech-giants-face-fight-in-europe-over-encrypted-data.html

Version 0 of 1.

ROME — Silicon Valley’s battle over encryption is heading to Europe.

In the United States, the F.B.I.’s demands that Apple help “unlock” an iPhone used by a mass killer in California opened a heated debate on privacy. After recent attacks on the Continent, like the bombings in Brussels last week and the wave of violence in Paris last November, governments across the European Union are increasingly pushing for greater access to people’s digital lives.

This week, French lawmakers are expected to debate proposals to toughen laws, giving intelligence services greater power to get access to personal data.

The battle has pitted Europe’s fears about the potential for further attacks against concerns from Apple and other American technology giants like Google and Facebook that weakening encryption technologies may create so-called back doors to people’s digital information that could be misused by European law enforcement officials, or even intelligence agencies of unfriendly countries.

The recent attacks have pushed many Europeans to favor greater powers for law enforcement over privacy. But opponents say such measures should not undermine the region’s tough data protection rules that enshrine privacy on par with other rights like freedom of expression.

This balance between national security and privacy has put major countries in the region on opposite sides of the debate, with Germany and the Netherlands dismissing encryption laws being considered by Britain and France.

“Fundamental rights are just that, fundamental,” said Nico van Eijk, a data protection expert at the University of Amsterdam. “Of course, there are exceptions for national security reasons. But governments have to be pragmatic.”

That pragmatism has led to a series of new proposals across Europe that, if approved, would give national intelligence agencies renewed powers to compel the likes of Apple, Google and Facebook to hand over encrypted information.

In Britain, lawmakers are completing legislation that could force tech companies to bypass encryption protections in the name of national security. The law — called a “snooper’s charter” by opponents — may compel companies to aid the country’s law enforcement agencies by hacking people’s smartphones and computers, among other powers.

And on Tuesday, French politicians will debate proposals to update antiterrorism laws that may hand tech executives prison sentences of up to five years, as well as fine their companies around $390,000, if they refuse to provide encrypted information to the country’s investigators.

Amendments to the French law — itself a response to the attacks in November — may still pass without the encryption proposals, which are opposed by France’s left-wing government.

But politicians and industry executives say Apple’s fight with the F.B.I. has focused a spotlight on how companies’ efforts to protect users’ messages and other data have made it increasingly difficult for European intelligence agencies to obtain such information.

“When we’re able to recover a cellphone, but authorities have no way of accessing its data, it obviously cripples the work of our surveillance agencies,” said Philippe Goujon, a French politician behind the recent encryption proposals.

“Sure, this could have repercussions internationally,” he added. “But there are other countries in the world that have similar legislation.”

Europe’s attempts to get access to encrypted data have not gone unchallenged by Apple.

Timothy D. Cook, Apple’s chief executive, has, for instance, met with a string of European politicians, including France’s prime minister, Manuel Valls, and Britain’s home secretary, Theresa May, in recent months to lobby for tough encryption technology.

And to show that the company is trying to be cooperative, Apple’s executives have also provided unencrypted information, including so-called metadata on people’s phone calls and GPS coordinates, as part of terrorism investigations in Europe, according to a person with knowledge of the matter, who spoke on the condition of anonymity because he was not authorized to speak publicly.

Such efforts, in part, have paid off with some European governments that remain skeptical of plans to weaken companies’ encryption technology in the name of national security.

Germany, which has some of the world’s toughest privacy rules, has balked at the proposals Britain and France are considering, while the Dutch government published an open letter this year expressly stating its opposition to back doors in encryption services provided by the likes of Apple.

Such loopholes, the Dutch government said, would “also make encrypted files vulnerable to criminals, terrorists and foreign intelligence services.”

As pressure in parts of Europe mounts over access to encrypted data, industry watchers say attention is expected to focus on Britain — a top international market for most American tech companies — where expanded powers for the country’s intelligence services are likely to come into force by the end of the year. The legislation is the brainchild of the ruling Conservative Party, which has a sufficient parliamentary majority to enact the regulatory changes.

Under the proposals, the Investigatory Powers Bill would force Internet and telecommunications companies to hold records of websites visited by people in Britain over the last 12 months. It also would provide the country’s intelligence agencies with a legal mandate for the bulk collection of large quantities of data, while allowing them to hack individual devices under certain situations.

Ms. May, Britain’s home secretary, told lawmakers this year that such powers were required to defend the country’s security. She added that the legislation offered sufficient transparency and oversight about how British spies conducted their activities to calm people’s privacy concerns.

But for Apple and other Silicon Valley companies, the proposal also includes new powers that can permit the British government to demand that companies remove encryption protections where “reasonably practicable” to gain access to digital communications.

The British government stresses that such rules would not undermine companies’ services because they may not apply to so-called end-to-end encryption, technology used by the likes of Apple’s iMessage and FaceTime services, as well as Facebook’s WhatsApp Internet messenger.

But in a series of appeals to the British Parliament, several American tech giants, including Microsoft, Twitter and Yahoo, have complained that the proposals could force them to create backdoor access for the country’s spies, or face falling afoul of the new national security rules.

“A key left under the doormat would not just be there for the good guys,” Apple wrote in its recent statement to British lawmakers. “The bad guys would find it, too.”

Such concerns, security experts say, could be compounded if other national governments — either in Europe or farther afield — followed Britain’s lead by passing similar legislation.

“If these encryption plans go through, then who’s to stop France or other countries’ asking for the same thing?” said Ross Anderson, a professor of security engineering at the University of Cambridge who wrote a paper with other experts last year that criticized the American and British governments’ plans to weaken encryption. “When you give one country backdoor access, where do you stop?”