Council of the European Union Brussels, 18 September 2020 (OR. en) 10728/20 LIMITE COSI 132 ENFOPOL 214 CYBER 157 DATAPROTECT 86 IXIM 90 COPEN 247 JAI 707 NOTE From:                Presidency To:                  Delegations Subject:             Security through encryption and security despite encryption 1.    Introduction The topic of encryption was a main topic during the Slovak Council Presidency in 2016. It was discussed in various Council committees and by the ministers of Justice at the Justice and Home Affairs Council of December 2016 on the basis of a report setting out a four step  approach . 1 Ministers expressed different views both on the technical and political aspects of the matter, all underlining the need to approach this issue carefully. They were in favour of continuing the discussion in order to identify solutions that struck a balance between individual rights/citizens' security and privacy and allowing law enforcement agencies to do their work. 1       14711/16 10728/20                                                                  MP/dk                      1 JAI.1             LIMITE                          EN

This led to a consultation process by the Commission services involving experts, from Europol, ENISA, Eurojust, the European Judicial Cybercrime Network (EJCN) the Fundamental Rights Agency (FRA), Member States’ law enforcement agencies, industry and civil society organisations (CSOs) to discuss the role of encryption in criminal investigations, addressing both technical and legal aspects. The results were published in the 11th Progress     report 2 towards an effective and genuine Security Union of 11 October 2017. It outlined various measures such as supporting Europol to further develop its decryption capability and establishing a network of points of expertise and a toolbox of alternative investigation methods. Europol and Eurojust have issued two reports in 2019 and    2020 3 of the observatory function on encryption, analysing the legal framework across Member States and identifying concrete operational challenges. In March 2019, Facebook CEO Mark Zuckerberg announced plans detailing a privacy-focused vision for social  networking .4  This includes plans to implement end-to-end encryption on Facebook’ s messaging services. This would result in a considerable loss of electronic evidence for law enforcement authorities, e.g. in detecting child sexual abuse material. A pointed response to this in an open letter by the Five Eyes nations showed that we urgently need to seek technical solutions at a global level to deal with end-to-end encryption in                   5 investigations . The discussion on this topic is ongoing specifically as regards possible technical solutions for detecting and investigating crimes and the regulatory and operational challenges and opportunities involved in end-to-end encrypted electronic communications and encrypted devices. Therefore, on the basis of the work already done during the previous presidencies, the German Presidency would like to revisit the issue on the basis of this note, together with the contributions from Commission services and the EU CTC. 2        https://ec.europa.eu/home-affairs/sites/homeaffairs/files/what-we-do/policies/european- agenda- security/20171018_eleventh_progress_report_towards_an_effective_and_genuine_security_ union_en.pdf 3        https://www.europol.europa.eu/publications-documents/first-report-of-observatory-function- encryption https://www.europol.europa.eu/publications-documents/second-report-of-observatory- function-encryption 4        https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social- networking/10156700570096634/ 5        https://www.justice.gov/opa/press-release/file/1207081/download 10728/20                                                                      MP/dk                   2 JAI.1              LIMITE                        EN

2.    Present state of play / latest documents on encryption In his paper on “Law enforcement and judicial aspects related to       Encryption”, 6 the EU CTC recommends exploring a legal framework that would allow lawful access to encrypted data for law enforcement without dictating technical solutions for providers and technology companies. The paper describes the increasing challenges for law enforcement in the light of modern encryption technologies and suggests that possible solutions at various levels of action could be a basis for discussion. The Five Eyes statement in 2019 already called on technology companies to consider in the design of their encrypted products and services possibilities for governments, acting with appropriate legal authority, to obtain access to data in a readable and usable format. The note of the European Commission’s       services 7 reiterates that encryption is an important tool for protecting cybersecurity and fundamental rights. It also states that due to the widespread use of encryption, the challenges for law enforcement and prosecutors will continue to increase. The paper proposes a set of key considerations on the basis of which further discussion may take place. It recommends that orders to access encrypted data or communication must be strictly targeted to specific individuals or groups of individuals. Technical solutions weakening or directly or indirectly banning encryption will not be supported. Technical solutions for accessing encrypted data must be used only where necessary and used in a targeted and least intrusive. The transmission of data to law enforcement must be supported by state-of-the-art security measures. In that respect there is no single technical solution for providing access to encrypted data (technical neutrality). However, the support of industry, civil society and academia is indispensable, as well as that of EU bodies on cybersecurity and data protection. 6       7675/20 7       10730/20 10728/20                                                                      MP/dk                        3 JAI.1                 LIMITE                        EN

3.     Scope The "digital life" is a source not only of great opportunities but also of considerable challenges: the digitisation of modern societies brings with it greater vulnerability and the potential for abuse in cyberspace. In addition, citizens' privacy is becoming increasingly vulnerable. Clear legal frameworks, confidence building and greater resilience within the EU lead to better protection for all Member States. Encryption is also a key tool to safeguard data              8 transfers . Technology companies’ ability to develop and produce secure and powerful encryption products needs to be strengthened. At the same time, we need to safeguard the lawful powers of law enforcement authorities. It is therefore crucial that technical capabilities in relation to law enforcement are enhanced just as support is given to encryption. The degree of encryption is constantly increasing; encryption technology has entered many areas of our lives. In practice, end-to-end encryption renders analysis of the content of communications in the framework of telecommunications interception not just technically challenging but nearly impossible. At the same time, law enforcement authorities rely on lawful interception of telecommunications, particularly in the areas of counterterrorism, organised crime and cybercrime but also in the investigation of most crime types. Given that there is currently no complete technical substitute for classical lawful access to the unencrypted telecommunications data, it is crucial to ensure that the existing legal instruments are equally applicable in the new technical environment. The principle of "security through encryption and security despite encryption" must be upheld. Any weakening, modification or prohibition of encryption or the compromising of security standards in digital communication should be avoided. We need to seek and improve technical and legal solutions to safeguard the investigative capabilities of law enforcement in the digital world. The legal powers of law enforcement must not be undermined, also taking into account that the existing legal landscape across EU Member States is very diverse. 8       EDPB letter, https://edpb.europa.eu/our-work-tools/our-documents/letters/edpb-response- mep-moritz-korner-regarding-relevance-encryption_en 10728/20                                                                     MP/dk                      4 JAI.1              LIMITE                         EN

In view of the Presidency, the weakening of encryption by any means (including backdoors) is not a desirable option. Instead, we should seek a coordinated, consistent EU position that balances the divergent public interests, taking into account the legal, technical, ethical and political aspects involved. 4.     Way Forward It is extremely important to protect the privacy of communications and data stored in technological devices through encryption on the one hand and uphold the investigation powers of law enforcement and judicial authorities in the digital world to gather relevant evidence on the other. Any actions to gain lawful access must balance these interests carefully. Member States play a crucial role in this. They are the ones with the essential capacities and powers in the area of cybersecurity. There should be a common understanding of the diverse concerns and a way forward in this area. In view of the Presidency, focus should be placed on the following in particular:    Our joint objective is to effectively and efficiently combat terrorism, organised crime, cybercrime, while respecting data protection rules, fundamental rights, states’ obligations under international law, as well as IT-security. New solutions may be required with the support of service providers to achieve this objective. The increasing shift from traditional nationally located services to more online based and internationally located services should be also taken into account.    The required legal and technical solutions should benefit from the transparent and legitimate support of service providers and offer improvements that encompass the tactics and technical skills and tools necessary for law enforcement and judicial authorities to face the challenges of digitisation and internationalisation.    There is a need for a regulatory framework that safeguards the advantages of end-to-end encryption without compromising the ability of law enforcement agencies and judicial authorities to protect the general public taking into account the legal, technical and political aspects involved.    We need to identify solutions that set out the conditions for targeted lawful access for legitimate law enforcement purposes and must find technical solutions to safeguard that access with minimum impact on fundamental rights and data protection. 10728/20                                                                     MP/dk                        5 JAI.1             LIMITE                          EN

5.    Conclusion Delegations will be invited to present their views on all of the measures above, as well as the key considerations set out in the note of the Commission services note. We also wish to hear delegations' views on:      the need to aim for a coordinated, consistent EU position;      the need to acknowledge and highlight that encryption presents us with a common challenge when it comes to fighting terrorism, organised crime, child sexual abuse, etc., while at the same time we must protect and safeguard fundamental rights, privacy and the value of encryption as an important technology for the digital life of today;      mandating the German Presidency to initiate the preparation of an EU statement consolidating a common line on encryption at EU level in the area of internal security to support further developments and the dialogue with service providers. It should seek to find a proper balance between the protection of privacy, intellectual property protection and lawful law enforcement and judicial access, thereby stressing security through encryption as well as security despite encryption;      presenting the results of this process for endorsement by COSI at one of its subsequent meetings. The Presidency would be grateful to receive written comments to COSI.DE2020@bmi.bund.de and cosi@consilium.europa.eu by 7 October. 10728/20                                                                  MP/dk                      6 JAI.1             LIMITE                         EN