What is the CNIL's position in terms of encryption?

18 July 2017

The question of the balance between the protection of personal data, technological innovation and monitoring is at the centre of numerous concerns, especially following the revelations of Edward Snowden on mass surveillance. 

Encryption: security element of information assets

The Internet is a public, open network, which has become the medium of the majority of our communication. Against a backdrop of the increasing digitisation of our societies and the exponential growth of cyber-threats, encryption is a vital element of our security. It also contributes to the robustness of our digital economy and its basic elements, namely data of a personal nature, the protection of which is guaranteed by article 8 of the Charter of Fundamental Rights of the European Union.

Consequently, it is essential to:

  • Protect individuals and their private lives in order to guarantee their fundamental rights;
  • Protect the information systems of companies and States, as breaches of these systems may lead to grave economic or political harm or grave consequences in terms of public security;
  • Promote the rise of the digital economy, via the notions of confidence and security, in order to stimulate innovation and growth;
  • Maintain the competitiveness of national stakeholders in the cybersecurity industry to support the economy.

Cybersecurity is a vehicle for confidence and innovation. Protecting personal data in the digital world, with the help of encryption, is also about protecting a fundamental right and, beyond that, exercising individual freedoms in this world.

Accessing data in the context of legal proceedings

In France, there are already regulations relating to cryptology methods and a well-established legal framework concerning different types of access to computer data in the context of legal proceedings.

This framework authorises digital requisitions, access to connection data, the interception of correspondence, audio-visual recordings, capturing computer data displayed on the screen or entered by keyboard, and even the recourse to technical experts in the case of encrypted data. These measures are applicable without prejudice to the possibility, for the legal authorities, of relying on the technical means that judicial police bodies have.

The obligation, for individuals, to cooperate with the authorities

In addition, criminal law provides incentives for the handing over of decryption keys, applying both to defendants and to third parties, such as cryptography service providers, who have knowledge of the secret decryption key.

The law can require the communication of any data, whether computerised or not, whatever its medium (software, file, processing, cloud, etc.), from any individual. The same applies to the provision of decryption keys or decrypted data to the legal authorities, by the individuals concerned or by third parties, and increased sentences are in place for individuals who refuse to hand them over.

However, these measures cannot force the defendants to provide the data useful to the investigation. The right to not self-incriminate is a fundamental right which has its origin in the European Convention on Human Rights and in the case law of the European Court.

The limits on using backdoors

Recent news has led to a debate on the relevance of introducing, via national law, backdoors or a master key, ultimately allowing access to data contained in a system protected by an encryption solution presented as being under the user's control. Such a measure would raise numerous questions:

  • It would create a collective risk, tending to weaken the security level of individuals faced with the extent of the cybercriminal phenomenon, while it would not technically stop people with malicious intent from continuing to use encryption solutions on an individual basis to protect the confidentiality of their communications and their stored data;
  • It would, in all probability, not be very robust over the long term against attacks from States or organised crime, all the more so given that the secret or the keys would have to be exchanged between authorities;
  • It would be very complex to implement in a safe way, given that the applications concerned are widespread and globalised.

Robust encryption solutions, completely under the user's control, contribute to the balance and the security of the digital ecosystem. The introduction of backdoors or master keys would lead to a weakening of the security of technical solutions deployed currently, which would be damaging to the information assets of companies, the stability of the digital economy's ecosystem and the protection of individual freedoms.

Consequently, the CNIL considers that:


  • Encryption contributes to the resilience of our digital societies and our information assets;
  • In the context of legal proceedings, there are already numerous means allowing the authorities to access and analyse the content of interest to an investigation or useful to the establishment of the truth;
  • Defendants and third parties are required to cooperate with the authorities;
  • The implementation of backdoors or master keys would weaken the future of the digital ecosystem.
