The Dutch government has officially declared its opposition to any restrictions on the development or use of encryption products, even as Dutch lawmakers are weighing legislation that could mandate backdoor government access to encrypted communications.
In a 4 January 2016 letter to the Dutch parliament, the head of the Ministry of Security and Justice, Ard van der Steur, explained the government’s reasons for endorsing strong encryption, which sound quite similar to those cited by technologists such as Apple’s Tim Cook, the most high-profile critic of backdoors.
According to a translation of the letter, provided by Dutch cybersecurity consultant Matthijs R. Koot, van der Steur points to the uses of encryption for protecting the privacy of citizens, securing confidential communications by government and businesses, and ensuring the security of internet commerce and banking against cybercrime.
Privacy of communications is also a protected right under the Dutch constitution, and a fundamental right protected by the European Convention on Human Rights and the Charter of Fundamental Rights of the EU, van der Steur’s letter says.
The minister acknowledges that criminals and terrorists may also use encryption, making it difficult if not impossible for law enforcement and intelligence services to monitor their communications in defense of national security and public safety.
But van der Steur also observes that encryption is widely available and requires “little technical knowledge, because encryption is often [an] integral part of the internet services that they too can use.”
But because today’s communications products and services use unbreakable encryption, demands that technology companies hand over decrypted data would essentially require weakening encryption to provide backdoors.
Van der Steur notes that any “technical doorways” [backdoors] in encryption would undermine the security of digital systems, making them “vulnerable to criminals, terrorists and foreign intelligence services.”
As fellow Naked Security writer Paul Ducklin put in in a recent article we published about the risks of deliberately weakening cryptographic systems:
[M]andatory cryptographic backdoors will leave all of us at increased risk of data compromise, possibly on a massive scale, by crooks and terrorists…
…whose illegal activities we will be able to eavesdrop and investigate only if they too comply with the law by using backdoored encryption software themselves.
Van der Steur agrees very strongly:
[Backdoors] would have undesirable consequences for the security of communicated and stored information, and the integrity of IT systems, which are increasingly important to the functioning of society.
In his conclusion, van der Steur states:
The government endorses the importance of strong encryption for internet security, for supporting the protection of citizens’ privacy, for confidential communication by the government and companies, and for the Dutch economy.
Therefore, the government believes that it is currently not desirable to take restricting legal measures concerning the development, availability and use of encryption within the Netherlands.
A victory in the Crypto Wars?
The debate over encryption backdoors goes back to the 1980s and 1990s, was revived in the past two years by law enforcement officials like FBI Director James Comey, and has intensified since the 13 November 2015 terrorist attacks in Paris.
China recently passed an anti-terrorism law that compels technology companies to decrypt data upon request of the government; while in Pakistan, the government’s demand for backdoor access to BlackBerry customer data led the company to pull out of the country entirely.
Apple submitted a letter to the bill’s oversight committee saying language in the draft bill could force Apple to “weaken security for hundreds of millions of law-abiding customers,” in order to allow security services to eavesdrop on encrypted communications such as iMessage.
In the US, Republican Senator Richard Burr, chairman of the Senate Intelligence Committee, has indicated that he wants to propose legislation requiring companies to decrypt data at the government’s request.
Even in the Netherlands, the government’s recent pro-encryption stance is not a complete victory for opponents of backdoors.
As Koot noted on his blog, the pro-encryption policy isn’t guaranteed to remain policy in the future, and Dutch law already requires technology companies to decrypt data sought in targeted investigations.
Meanwhile, the Dutch parliament is considering updating a 2002 security and intelligence law to compel bulk decryption of communications, Koot reports.
The war over backdoors has yet to be lost or won, and it is far from over.