Information Commissioner’s Office publishes paper on End-to-End Encryption and online safety

The ICO says that it is often asked about end-to-end encryption (E2EE). To help people consider the issues it has published a paper on E2EE and online safety. The paper provides a summary of the ICO’s current thinking on E2EE. It is aimed at supporting discussion on E2EE and does not necessarily represent the ICO’s final settled policy position.

The ICO notes that from a data protection perspective, E2EE acts as a key enabler for compliance with the requirements of data protection law. It is directly relevant to the data protection principle of integrity and confidentiality. More broadly, it underpins a key objective of data protection law which is to give citizens confidence about how their personal data is processed by digital services, including confidence that it is stored and shared securely.

The ICO has a long history of recommending encryption. Its current guidance recommends that organisations adopt encryption “at rest” and “in transit” as measures to secure the personal data they store or transmit. While the ICO does not say that organisations must encrypt in all circumstances, it does say that there must be a strong justification for not doing so. This also applies to E2EE. The ICO says that its position aligns with recommendations from the National Cyber Security Centre (NCSC).

However, the ICO recognises that, whilst E2EE generates security and trust, protects users from online harms by safeguarding their privacy, and is an essential component of a safe digital ecosystem, it also presents a challenge from an online safety and law enforcement perspective. The same characteristics of E2EE that provide the public with private and secure communications also provide a safe harbour for criminal activity.

That said, positioning E2EE and online safety as being in inevitable opposition is a false dichotomy, the ICO says. Instead, what is needed is an approach that seeks to reconcile the different demands. The challenge is to create tailored and proportionate responses to the issues without unduly interfering with the wider benefits that E2EE provides or the rights and freedoms of wider society. In other words, the ICO says, it is vital that one form of online safety is not traded off for another.

The ICO does not, therefore, support measures that would introduce “backdoors” to encrypted channels on social media platforms to allow access for law enforcement or security agencies, as this would create systemic weaknesses and undermine security and privacy rights. It would introduce data protection risks and add to overall safety concerns by creating more spaces for harm, it says.

The paper sets out key factors that the ICO says need to be considered in order to reconcile E2EE with law enforcement and the detection of harmful content:

  • the demand from consumers for services that safeguard their privacy thereby supporting their safety online;
  • the requirements that existing legislation places on businesses, including the legal obligation on data controllers to process personal data securely;
  • the effectiveness of existing legislative and technical tools to ensure lawful access to data for law enforcement and national security purposes that do not weaken encryption standards;
  • the promising future development of technical solutions for detecting harmful content without weakening E2EE;
  • the necessity, proportionality and effectiveness of any proposed legislative solutions; for example, interventions that weaken E2EE across mainstream services will threaten the safety and security of the majority of users and may not achieve the desired safety outcomes because bad actors can easily switch to more niche services;
  • the social impact of any proposed legislative solutions on online safety and privacy for the population as a whole; and
  • the economic impact of any proposed legislative solutions, both in terms of their direct costs to business and any indirect effects of weakening user trust in digital services.

Overall, the paper states that the policy response to E2EE and online safety requires a nuanced and detailed understanding of the broader issues. The ICO recognises that there are no easy answers and says that a truly multistakeholder approach is needed to find solutions.