Sprache ändern: English

Leak: Data retention and encryption: EU Government’s “Going Dark” program to attack citizen’s rights with PR

Freedom, democracy and transparency Press releases

A German diplomatic correspondence that was leaked by netzpolitik.org on Friday and other documents reveal the insistence by EU member state governments in blanket mass surveillance in the form of data retention and ideas to make secure encryption illegal. The fundamental rights jurisdiction of the highest EU Court is seen as a problem, while Governments are wishing for a new narrative that would change the way we look at privacy and surveillance.

The documents talk about the Swedish Presidency’s “Going Dark” program that aims to extend law enforcement capabilities with a focus on over-the-top (OTT) media services, End-to-end encryption (E2EE), the Electronic Evidence Regulation, the ePrivacy Regulation, the Media Freedom Act, the retention of citizen’s communications meta data and access to Whois data. According to the German diplomatic correspondence member state governments share a “a largely homogeneous opinion” about that program.

Data retention: Insisting in illegal mass surveillance

The Swedish Presidency complains that “the impact of limitations to data retention requires to be aware of the loss of data” (PDF). This interpretation is in line with the overall debate in the Council but ignores the actual situation: The ECJ has constantly expanded the exceptions to the general rejection of blanket retention of citizen’s communication data over the years. Nevertheless, governments repeatedly violated the Court’s rulings causing a crisis of the Rule of Law in the EU. As a consequence, too much rather than too little of citizens’ communications data is being stored for no reason. Addressing a “loss of data” in this situation ultimately refers to the Government’s actual desire: a nation- and EU-wide, round-the-clock retention of everybody’s communications meta data, which has consistently been ruled illegal. The Belgian government that has again passed a law that provides for illegal mass surveillance only recently, declares in a Council document: “we need to strike the right balances (…) but also with regard to commercial interests and business models that guide the industry”. Likewise, the Czech Republic proposes a new argument as an attempt to justify the retention of citizen’s communication meta data to “distinguish legitimate calls from fakes using combination of contact number spoofing with AI voice manipulation.” Member state governments appear to have no other idea of how to design police work on the Internet but by means of mass surveillance.

The German correspondence notes: “Currently, an “outcry” from law enforcement agencies is clearly perceptible.” In March this “Outcry” became publicly visible when the European Police Chiefs released a Joint Declaration that likewise blames jurisprudence: “The case law of the CJEU (…) presents a significant hurdle to Law Enforcement Agencies” (PDF). Seen from a fundamental rights perspective the opposite is true.
Case law allows for extensive retention of citizen’s communication data and provides law enforcement agencies a legal frame for their work. Neither the CJEU’s jurisdiction nor citizen’s rights present a hurdle but Governments that repetitively passed illegal laws on data retention that foreseeable failed in courts created that hurdle over a course of 15 years. The representative of the Estonian government for example completely rejects the Court’s jurisdiction: “it is not possible to implement the solutions proposed by the ECJ.” The ignorant will to mass surveillance has prevented reliable solutions as digital rights experts have explained.

Unsubstantiated claims in the loop

The Joint Declaration of the European Police Chiefs keeps following a downward spiral by repeating unsubstantiated claims: “Unclear and insufficient retention periods in the case of storage of data for commercial purposes. This is particularly problematic in countries that do not (in accordance with the rulings of the CJEU) have any legal obligation for service providers to retain non-content data (…).” Fact is, that data retention laws have no measurable effect on the crime rate or the crime clearance rate in any EU country as a study by the European Parliament’s Research Service (EPRS) finds.

Public relations against fundamental rights

Because there is a great deal of resistance from civil society and from constitutional courts when it comes to data retention, the Presidency wants to develop “a better and more complete narrative” (PDF) to achieve its goals.

Responding to that, the Austrian Government suggest to add rules of criminal procedure to Single Market Dossiers and emphasises that it is of importance to not only take legislative action but also to do “Public Relations” work, for example to raise awareness accordingly in the European Parliament. The representative of the Lithuanian government welcomes that PR approach as “it offers the opportunity to change the narrative (…) turn around the wrong impression that law enforcement is the main source of risk to the fundamental rights.” (PDF)

Is the door weaker if someone has the key?

Referring to the Member States debate of the “Going Dark” program, the German diplomatic correspondence reads: “The question arises whether legal adjustments might be necessary in view of the fact that encryption technologies such as Encrochat could be legally distributed up to now. (…) With end-to-end encryption, it is impossible to intercept information, which is why, for example, there are discussions about the Media Freedom Act. (…) There is therefore a need for good instruments that are in line with EU values and do not prevent encryption altogether.” Adding to the ongoing debate, the representative of Estonia is asking: “is the door weaker if someone has the key?”

A Crisis of the Rule of Law

The documents show a considerable distrust of fundamental rights and the Rule of Law on the part of the member state governments. The German diplomatic correspondence refers to the view of the Swedish government: “It was astonishing how much the ECJ prioritized privacy over other legal rights and principles. The IRL und LVA also commented accordingly on the ECJ decision.” The representative of Estonia is of the opinion that the CJEU is “forced to always refer to the Charter of Fundamental Rights (…) until the EU comes up with a solution that would allow them to reassess the principles and approach to this”.

“Going Dark” is a myth

The notion of “Going Dark” refers to the phenomena that “criminals can commit crimes in ways that law enforcement cannot detect and intercept.” This is a myth created by US intelligence agencies. In truth authorities have never had access to information on our private lives as comprehensive and all-encompassing as in today’s digital era.

Instead of concentrating on repeatedly successful means of targeted investigations that focus on suspects and perpetrators, the EU member state governments try to interfere with the foundation of the Internet and the Rule of Law in a way that affects everybody’s privacy and fundamental rights. Alternatives, amongst others, a democratic improvement of policing through better trained and equipped personnel and better child protection through more competent and better equipped authorities are not considered. This gap is all the more problematic as there is no evidence that there is a legal lack of law enforcement capabilities in the European Union. Laws were much more tightened and expanded and with the new Electronic evidence regulation yet another tool for law enforcement will help to improve investigations which are in general already highly successful, if governments provide sufficient personal and technical resources.