The head of the United States' National Security Agency was quite explicit on the subject: the Paris attacks of November 13th, 2015, would not have taken place had the terrorists not used encryption. Because of encrypted communications, Michael Rogers said on February 18th, “we did not generate the insights ahead of time” and so they were unable to warn their French counterparts. “Clearly, had we known, Paris would not have happened,” he added. The NSA director did not give further details but his comments had a big impact in France where a heated debate over encryption has been raging for months.
In fact, the French authorities have had encryption technology in their sights for some time. During the debates over the controversial intelligence law at the beginning of 2015, the Ministry of the Interior let it be known unofficially that encryption was the next area it would be working on.
In August 2015 the Paris prosecutor François Molins co-signed an article in the New York Times with counterparts from the US, Spain and Britain. The headline read: “When phone encryption blocks justice”. On September 2nd Molins returned to the theme in an interview with French news weekly L'Express in which he claimed that it had become impossible to unlock the “new generation of mobiles”. François Molins even cited a particular case, that of a phone found in the course of the investigation into Sid Ahmed Ghlam, who is suspected of murdering a young woman called Aurélie Châtelain in April 2015 and who is also alleged to have planned an attack on a church at Villejuif near Paris.
The Paris attacks of November 13th and the killings at San Bernardino in California in December 2015 have only further fuelled the debate about encryption. In January 2016 a Member of Parliament for the right-wing Les Républicains (LR), Nathalie Kosciusko-Morizet, put forward an amendment to the digital bill then being debated that sought to force software developers to provide what is supposedly the miracle solution to the encryption problem – leaving so-called 'backdoors' in their products. These are secret vulnerabilities that are deliberately installed in a system and which can later be exploited by officials. Opponents of this idea claim that such vulnerabilities rarely remain 'secret' for long and that this could undermine global digital security as a result.
The text of this bill, which is currently being examined by a joint committee of MPs and senators, already provides for increased penalties in cases where someone refuses to hand over a decryption key. Under current law, contained in article 434-15-2 of the French criminal law code, a person can be jailed for three years and be fined 45,000 euros for not complying with a demand for a decryption key during a criminal investigation. The punishment increases to a maximum of five years and a fine of 70,000 euros when the deciphering “would have prevented the carrying out of a crime or an offence or would have limited its impact”. The current bill envisages increasing this fine to 150,000 euros.
Meanwhile the current law, under article 60-1 of the code on criminal procedure, allows a prosecutor to “require any person, or any private or public establishment or organisation, or any public administration” to hand over a decipher key. If they refuse they are subject to a fine of 3,700 euros. The current bill would increase that to 15,000 euros when the refusal comes from a company “such as a device manufacturer or service provider”.
During debates at the National Assembly several MPs, in particular socialist Yann Galut and LR member Éric Ciotti, put forward amendments aiming to increase the fine for reluctant manufacturers even further to one and two million euros respectively, or in some cases simply to ban the product from sale. All such amendments were rejected, though Ciotti's was only defeated by one vote. However, an amendment from LR's Philippe Goujon was adopted, against the wishes of the government. This increases the penalty for companies who do not comply with demands for the decipher key to a jail term of five years and a fine of 350,000 euros.
According to Mediapart's information, though, the crackdown was close to being very much tougher. For not everyone inside the government was opposed to the different amendments tabled by MPs. The interior minister Bernard Cazeneuve and the new justice minister, Jean-Jacques Urvoas, for example, wanted to go further than the Goujon amendment by imposing penalties that would have forced manufacturers to install backdoors in their software. According to a government source, several members of the government, including the junior minister in charge of the digital economy Axelle Lemaire, opposed the interior and justice ministers. This second group of ministers finally won out when prime minister Manuel Valls came down on their side against such penalties.
During debates on the bill's text in public session on March 3rd there were some strong attacks made against encryption, supported by Jean-Jacques Urvoas. The justice minister used the occasion to announce that he had already started a process of international talks within the European Union and with the Americans on the issue. “We have gone past the stage of reflection and are looking at operational methods,” said Urvoas. “I have no doubt as to our chances of success, especially as Parliament, and in particular the National Assembly, is spurring us on. With this new pressure, we will go even faster as we share the same ambition and cause.”
Indeed, the question of software backdoors and even a partial ban on encryption will soon return as an issue and the debate is set to be a lively one. For there is no shortage of opponents to this form of law and order crackdown. These opponents found unexpected support at the end of March in the form of the French military. On March 28th Le Parisien revealed the contents of a classified note from the inter-ministerial defence and security body that reports to the prime minister, the Secrétariat Général de la Défense et de la Sécurité Nationale (SGDSN). The document expresses concern about the current debate and calls for Philippe Goujon's amendment to be withdrawn. The essence of the SGDSN's argument is that it is impossible to introduce backdoors without weakening all computer security. “According to this note, creating such a weakness would amount to facilitating IT attacks liable to damage national security and the competitiveness of French businesses, which would be more exposed to computer espionage,” wrote Le Parisien.
This analysis is shared by France's data protection regulator the Commission Nationale de l'Informatique et des Libertés (CNIL). When it delivered its annual report on April 8th the data watchdog said it wanted to make encryption one of the key issues of 2016, and it set out its thinking on the subject. CNIL said that adding backdoors would “create a collective risk tending to weaken people's security levels faced with the scale of the phenomenon of cybercrime”. Moreover, such a system would be “very complicated to put in operation in a safe way, when applications are globalised and worldwide”.
On a broader level, the watchdog sees encryption as a crucial part of digital life. “In a context of growing digitalisation in our societies and the exponential rise in cyber threats, encryption is a vital element for our security,” CNIL insisted. “It also contributes to the robustness of our digital economy and the personal data that form its elementary particles.” It added: “Protecting personal data in the digital universe, with the help in particular of encryption, is also about protecting a fundamental right and, beyond that, the exercise of individual freedoms in that universe.”
This tough stance from CNIL in favour of encryption came with some warnings. The data watchdog said it was opposed to calls to toughen legislation and pointed out that the law already allows for measures that permit the “handing over of decryption keys concerning suspects or third parties such as cryptography service providers if they know the decryption key”.
CNIL noted in passing the broad powers that the police have to obtain all kinds of data or information, powers that have been strongly reinforced by various security measures made law in recent years. “...official requisitions for digital [information], access to login details, interception of correspondence, audiovisual recordings, the harvesting of computer data displayed on a screen or entered on a keyboard, and recourse to technical experts in the case of encrypted data”.
- The French version of this article can be found here.
English version by Michael Streeter