Why there can be no “encryption bans”

What is encryption in simple words?

In general, encryption can be understood as a technical procedure to make the readability of information contained in data more difficult – or ideally to prevent it. Encryption is therefore a core element of cybersecurity because it ensures the confidentiality of information by allowing only authorized people to access it. Technically, a distinction is made between different types of encryption, which can sometimes be confusing.

Two terms we often hear in the context of encryption are transport encryption and content encryption. Transport encryption deals with communication processes involving data that is sent from one data carrier to another over web connections. The problem is that transport encryption only encrypts the message channel, that is, the communication between the message sender and the respective provider who forwards the message. Transport encryption is also known as “point-to-point encryption” (P2PE) or “line encryption.” Transport encryption thus provides protection against unauthorized interception of the data line, but the message is decrypted again at the intermediate stations – for example, on the provider’s server.

Thus, the more intermediate stations a message passes through, the more intermediate recipients have access to the message. This risk can only be prevented by using content encryption. A subset of content encryption is “end-to-end encryption” (E2EE), which has become increasingly popular as a communications standard in recent years. Its major advantage is that, in contrast to P2PE, data is encrypted even when it is “at rest” on the terminal or at the intermediate stations of a message transmission. The data itself is thus encrypted “in its content.”

Encrypted communication is a civil right

But what about the legal issues of encryption? The most important insight here is that the right to encryption is a civil right! The European Union recognized the right to encryption early on and enshrined it in the European Charter of Fundamental Rights – which applies to over 450 million citizens. Although encryption as a technical procedure is not explicitly included in the text of the law, what is included is a right to respect for private and family life and a right to the protection of our personal data. The recognition of these rights not only prohibit unauthorized interference with our privacy but also give us the right to ensure that the confidentiality and integrity of digital data processing and data transmission are protected and that anyone may use the appropriate technical means to do so. Political debates that seek to ban the use of encryption technology, as is currently the case in the USA, for example, are therefore inadmissible from a European perspective. In addition, other countries outside the European Union must also observe the strict legal requirements of the EU law if they want to process data coming from the EU.

Such a global legal position on a right to encryption also makes sense beyond the legal issues. Just as I can write an analog letter in a secret script so that unauthorized people cannot read the content, I must be able to encrypt my digital communications and store digital data in encrypted form on my smartphone or PC.

Security through encryption and security despite encryption?

Just as long as we have had a right to the encryption of our digital communication, governments have made an effort to restrict the initially technically limitless possibility of secure and confidential communication and data storage. The political reasons given for the restriction are varied and sometimes appear more or less legitimate. And it is not just authoritarian regimes such as the People’s Republic of China, where the fundamental right to data protection is unknown, that are involved in the global debate about the use of encryption.

In Western countries in particular, such as the USA or the United Kingdom with its legal push for an “Online Safety Bill,” there is concern that increasingly sophisticated and easy-to-use technical options for encryption could deprive public security, police, and law enforcement agencies of access to data that is important for their investigations. And these concerns are well-founded.

That’s why approaches are being discussed to restrict the use of encryption. These range from special government access, encrypted communication channels, and a technical weakening of encryption to a complete legal ban on encrypted communication. These political efforts are the reason why we also talk about “security through encryption and security despite encryption.” On the one hand, citizens should be able to communicate confidentially in terms of cybersecurity, and on the other hand, the state does not want to torpedo opposing public security interests, for example, to prevent terrorist attacks or to solve crimes.

In the future, it will be the task of governments and legislators worldwide to strike an appropriate balance between the interests of public security and the right of citizens to data security and data protection without jeopardizing people’s privacy. The weighing of interests includes engaging with providers of encryption and security software instead of creating unilateral and impractical legal regulations.

Ways out of the “encryption dilemma”

The way out of the “encryption dilemma” does not seem easy. One thing is certain, however: European countries are not allowed to include warrantless mass surveillance of their citizens in their laws and are therefore not allowed to prohibit encrypted communications or technically circumvent them per se. Security authorities are also not allowed to interfere with our intimate digital privacy.

Of course, a right to encryption is a legal privilege that does not apply in all countries worldwide, because a constitutionally protected right to encryption does not exist everywhere. And it is to say, even with a right to encryption, the state is not prohibited from attempting to access encrypted data in certain cases, for example, if there is a concrete suspicion of serious crime. However, it is up to the state to decide how to do this – in other words, the security authorities must figure out how to technically “crack” the encryption without compromising citizens’ right to privacy. The more effective the chosen encryption method is, the more difficult it is for the state to gain access to the transmitted or stored data.

What’s more, if I encrypt my data and my communications, I am signaling that their confidentiality and security are particularly important to me and that they therefore automatically enjoy greater constitutional protection. So as you can see, it always pays to encrypt your data.