Stories from the Secure Uplink
The ‘Going Dark’ initiative: The impact of HLG recommendations

The European Commission’s High-Level Group (HLG) has released recommendations on Access to Data for Effective Law Enforcement, designed to enhance law enforcement’s ability to access digital data in criminal investigations. This approach responds to the Going Dark initiative, where encrypted communications are becoming harder for law enforcement to access. As a result, the HLG’s proposals include measures that will undermine encryption and privacy.

While FlokiNET acknowledges the need for law enforcement to combat crime, we strongly align with the concerns raised in the open letter from the Chaos Computer Club (CCC) and other civil society organizations. These concerns highlight the risks and impact of HLG recommendations on encryption, privacy, and security.

What are the HLG recommendations?

The push for data retention and access

One primary concern with these recommendations is the push for service providers to decrypt data when necessary. This would severely damage encryption standards, rendering encryption worthless. It would require providers to decrypt metadata and subscriber data at any time during service provision. Such a measure would weaken encryption systems, making digital systems more vulnerable to cyberattacks and surveillance.

The HLG experts were of the view that a data retention regime should include obligations for service providers to provide data in clear while ensuring strong cybersecurity and full compliance with data protection and privacy law, and without undermining encryption. [1]

A legal route to hacking devices and companies would allow law enforcement to follow the path of criminals and hack infrastructure.

When criminals are using dedicated end-to-end encrypted communication platforms, LEAs need to make use of tactical solutions based on the exploitation of vulnerabilities to gain access to suspects’ communications. [1]

Sanctions for non-cooperation

The recommendations also propose that member states should have the authority to enforce sanctions against electronic and communication service providers that do not cooperate with data retention and provision requests. 

These sanctions could include administrative measures or limits on the service provider’s ability to operate within the EU market. While this could incentivize providers to comply with data retention rules, it could also force companies to compromise user privacy and security, as well as break the law, in exchange for continued market access.

ensuring that Member States can enforce sanctions against electronic and other communications services providers which do not cooperate with regard to the retention and provision of data, e.g. through the implementation of administrative sanctions or limits on their capacity to operate in the EU market [1]

However, the proposal goes further and includes imprisonment of company owners who cannot or do not want to cooperate, for example if they are not EU-based. This would enforce EU law worldwide and would act as a precedent for dictatorships like China or Russia to censor media worldwide.

This is clearly a blackmail attempt against privacy-focused providers, and it is unworthy of a democracy and a Nobel Peace Prize holder like the EU.

Harmonizing at EU level criminal law measures to enforce cooperation, including imprisonment. The same should apply to non-cooperative hosting providers (in addition to Electronic Communications Services) to ensure that such companies, when hosting communication services of a criminal nature, adequately comply with the judicial orders they receive [1]

Data retention and clear user identification

Furthermore, the HLG experts recommend that companies retain data to clearly identify users, such as IP addresses, port numbers, location data, call records, and email headers. Storing this identifying information increases the potential for surveillance, data breaches, and misuse of personal data. This also undermines the principles of GDPR.

In addition to the issues determined by the lack of harmonized legislation across Member States, experts also discussed the fact that the lack of knowledge of the precise location of users and data often adds complexity to determining the territorial nexus of a criminal offense. [1]

The service provider should keep the information about the user regardless of whether it is required or not. This would also break existing law such as the GDPR.

ensure access to intelligible data (for metadata and subscriber data, there should be a means for the service provider to decrypt the data if encrypted at any time during the provision of the service) [1]

not only focus on data retention, but also on access to data, building upon the e-evidence rules [1]

establish at the very least an obligation for companies to retain data sufficient to ensure that any user can be clearly identified (e.g. IP address and port number) [1]

The risk to encryption and privacy

We are deeply concerned about the impact of HLG recommendations on encryption. These changes could undermine the security measures that protect businesses and individuals online.

Encryption is not just a technical feature; it’s essential for privacy and security in the digital world. Weakening or dismantling this vital protection, under the guise of “lawful access by design,” opens the door to catastrophic risks for everyone.

This policy would undermine security for those under investigation. Furthermore, it would expose the personal data of countless innocent individuals. As a result, such measures pave the way for systemic surveillance. Citizens’ private communications, financial transactions, and personal information would be at risk of mass exposure, theft, and misuse.

The impact on digital security and trust

The HLG recommendations pose a clear and present danger to the integrity of the entire cybersecurity ecosystem. FlokiNET, like many other tech companies, relies on encryption to protect the sensitive data of its clients. Weakening encryption is not a minor inconvenience; it is a direct attack on the trust users place in secure services. Once encryption is compromised, the entire foundation of secure communications and data protection is shaken, leaving users vulnerable to cyberattacks and exploitation.

Additionally, many businesses and service providers across the EU will face a grave dilemma. They must either comply with these dangerous, weakened security measures or risk losing their ability to operate within the EU.

FlokiNET supports the open letter from CCC

FlokiNET fully endorses the open letter from the Chaos Computer Club (CCC), which calls on the European Union to reject any proposals that would weaken encryption, infringe on privacy, and erode digital security.

We stand in solidarity with organizations advocating for the protection of civil liberties and privacy, and we firmly believe that law enforcement can be supported effectively without resorting to methods that compromise fundamental rights.

The dangers of the ‘Going Dark’ initiative: The impact of HLG recommendations

The impact of HLG recommendations is a critical issue that cannot be ignored. 

Weakening encryption is not just a technical or policy issue; it is a direct attack on trust that affects everyone.

Service providers who fail to implement these backdoor measures will face severe penalties, including sanctions, restrictions on operating in the EU, and even imprisonment for non-compliance. The proposed data retention requirements will also force companies to store sensitive user data indefinitely, increasing the risk of surveillance and data breaches.

We will continue to fight for privacy, security, and the integrity of encryption, ensuring a safe and secure digital future for all. No law enforcement measure should come at the cost of fundamental rights, and we will stand firm in opposing these dangerous proposals.

Have any questions or suggestions? Please contact us at info@flokinet.is or via Signal.

[1] Recommendations of the High-Level Group on Access to Data for Effective Law Enforcement – https://home-affairs.ec.europa.eu/document/download/1105a0ef-535c-44a7-a6d4-a8478fce1d29_en
