The Legal Look – A spinning approach towards encryption

By Victor de Pous

If it is up to Justice and Security Minister Ferd Grapperhaus technology companies must hand over a decryption key to law enforcement agencies if an investigating criminal judge orders so, for example in a case about transmitting child pornography via WhatsApp or Telegram which use end-to-end encryption. The fierce discussions about government access to encrypted private communication versus privacy protection are old – originally called the “crypto wars” – but have now taken the Netherlands by surprise because the government, until recently, held-on to its stone and finished encryption policy with the Leitmotiv: “Cryptography plays a key role in technical security in the digital domain.” Suddenly the wind blows from a diametrical angle.

 

Regulating encryption with special legislation – or rather not – is a fine example of divided interests and opinions in the digital society and a lasting legal trend at the same time, just as changing fundamental positions is. Walking down memory lane brings us back to notably the year 1993 with the enactment of the (first) Computer Crime Act introducing a “decryption obligation” for suspects. That obligation, however, was considered incompatible with the privilege against self-incrimination; the essential nemo tenetur principle (a fair trial), codified in, among others, Article 10 Universal Declaration of Human Rights and Article 6 European Convention on Human Rights.

 

Two decades later suspects of possessing and trading in child pornography or terrorist activities were soon obliged to cooperate in opening-up encrypted files, warned then Justice Minister Ivo Opstelten in 2012. A legislative provision was being prepared. With his action, the minister responded to a wish from members of the House of Representatives. Criminal investigation practice today needs this competence because the use of encryption by suspects is increasing, especially within child pornography networks. 

 

Not a moral problem in sight. After all, we are dealing with criminal behaviour that can seriously affect the mental health and physical integrity of victims. In addition, the reasoning read that a suspect who made such an effort to disguise his activities for the outside world must take into account the government’s use of heavier resources to protect its citizens. For the record: a new, comprehensive and comparative research of that same year concluded that a decryption order for suspects is – under certain strict conditions – not incompatible with a fair trial. But in the final bill of the third Computer Crime Act, introduced on December 22, 2015 the criminalisation of decryption refusal was swapped for another controversial provision: a legal “hack back” competence for the police into secured digital systems of suspects, wherever those are located.

 

“Regulating encryption with special legislation – or rather not  – is a fine example of divided interest and opinions in the digital society and a lasting legal trend at the same time, just as changing fundamental positions is.”

 

Subsequently, on January 4, 2016, the Dutch government published its formal encryption policy. Read my lips: no prohibition or limitation on the use of encryption, no requirements for implementing a backdoor, and no decryption order in the Code of Criminal Procedure. We, that is, the second Cabinet of Mark Rutte, will announce both this conclusion and the underlying considerations internationally and, moreover, we will even promote strong encryption. Duly noted.

 

Almost four years later the present Justice Minister pleads – on television – for decoding information so that the police have access to private communications when a suspicion of child abuse or child pornography occurs. “Encryption is good, but I want a judge to be able to determine when we should be able to see information when suspicious things are going on.” (..) “Child abuse is something we as a society have to say to: ‘there is no excuse for shielding it in one way or another’.” (..) “Let’s make legislation once and for all in which we have a key right in those situations where we can detect suspicious transactions.”

 

The turn of the century appears to be a turning point. Countries such as the United Kingdom (2000), Belgium (2001), France (starting in 2001) and Australia (2001) all introduced some kind of decryption order regulation, while United States’ case law headed in the same direction.  Recently, Australia heated the crypto debate further up with its backdoor Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018. Under the Trump Administration, the US might follow suit. Attorney General William Barr already sent a clear message that adding backdoors decreases security, but that it is worth it. Now, the Netherlands wants to be the new kid on the block. In another part of town, however, we find Tim Berners-Lee, the inventor of the World Wide Web and one of the most prominent supporters of non-compromised encryption. “If encryption were not a thing then huge amounts of modern life would be impossible,” he told WIRED in 2017. “If you put a hole in encryption – if you decide WhatsApp shouldn’t be secure – then you do that to everything else that is equivalent to WhatsApp you’d have a battle in which you would have a huge number of disasters.”

 

The advocated “key right” for crime fighters doubles as a key risk for citizens. Will the Netherlands lose its position as The First of the Mohicans?

 

About the author

Victor de Pous is a corporate lawyer, legal analyst and researcher. He has over thirty years of experience in the legal and policy aspects of digital technology, information processing and the information society.