Encryption and Government Hacking Archives - Center for Democracy and Technology
https://cdt.org/area-of-focus/government-surveillance/encryption-and-government-hacking/

When It Comes to Encryption, Back Doors Are Never Simple: Why UK Apple Users Won’t Have Encrypted Backups Anymore
https://cdt.org/insights/when-it-comes-to-encryption-back-doors-are-never-simple-why-uk-apple-users-wont-have-encrypted-backups-anymore/
Tue, 08 Apr 2025 20:29:20 +0000

Millions of Apple customers in the United Kingdom are losing access to an important end-to-end encryption tool protecting their personal data, after the company refused a reported UK government demand to build a back door into its system that would have allowed law enforcement to read personal data stored in the cloud. 

Advanced Data Protection, the service in question, allowed users to automatically store encrypted backups of files from their devices that not even Apple itself could access. And while there may be legitimate reasons for law enforcement to seek access to particular files, Apple correctly concluded that carving a new pathway through this wall of encryption would introduce a significant new vulnerability to Apple’s online storage system, one that would affect every user on the planet. 

Just as a new door into a home gives intruders an additional path inside, so too does a digital back door provide a new way for law enforcement, hackers, and unfriendly governments to access materials that are supposed to be protected. So, just like with a real door, digital engineers add a lock and key to keep things secure.

But anyone holding that key, whether a legitimate government actor, a repressive regime or a criminal hacker, can access users’ data for their own purposes. While Apple or another tech company would build protections into the system’s design, no company can guarantee that the keys would always remain safe from hackers or from government overreach. A key allowing access to so much data is a tremendously attractive target for bad actors, and if even a single hacker succeeds in accessing the key, all bets are off. Because of those risks, end-to-end encrypted backups rely on the principle that only the user has access to the keys.

Simply creating an additional access point would also introduce extra complexity to the cloud storage system, which in itself creates opportunities for errors to creep in that hackers could exploit. Apple has noted that in practice, systems with backdoors are unlikely to provide the privacy and security guarantees users expect and demand, and that the risks of cloud data breaches are significant and impactful. While there may be a law enforcement interest in accessing certain backed-up files, undermining encryption for everyone’s backed-up files will itself risk widespread criminal activity, from unlawful surveillance to accessing people’s most intimate photos.

As an esteemed group of researchers noted about previous attempts to require back-door access to online systems, “The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws.” Experts are clear that keys under doormats make us all less secure and will be widely abused.

And those are just the technical concerns.  Governments demanding access to those keys have different conceptions of the level of privacy their citizens should be allowed, and a back door built for a lawful purpose in one country could turn into a tool of repression in another. Likewise, regimes change, and if less-benevolent leaders take over, a surveillance system built for the “right” reasons could fall into the wrong hands.

While past proposed systems have differed in their technological details – and the apparent order to Apple in this case remains secret – one trend has been consistent. Whatever technologies are involved, from hidden access points to stored (“escrowed”) access codes that allow decryption, to “ghost users” added in to online conversations, systems for exceptional access inevitably get abused.

A case in point is the Athens Affair, in which the Greek government discovered that an unknown hacker had gained access to Vodafone’s “lawful intercept” system to spy on phone calls of both journalists and Greek politicians – including the nation’s then-president. More recently, the Salt Typhoon hackers gained unprecedented surveillance over telecommunications systems in the US and other countries, including Internet and cellular telephone metadata and even audio recordings of conversations from presidential candidates, through access to the lawful access systems put in place to comply with statutory requirements.

Apple’s decision to cut off encrypted cloud storage in the UK is a dramatic move, but it’s also both principled and pragmatic. Complying with the UK government’s reported order would undermine the security of every Advanced Data Protection user around the world. When it comes to encryption, threats to security anywhere are threats to security everywhere. 

CDT Joins Global Encryption Coalition Letter on UK Government’s Use of Investigatory Powers Act to attack End-to-End Encryption
https://cdt.org/insights/cdt-joins-global-encryption-coalition-letter-on-uk-governments-use-of-investigatory-powers-act-to-attack-end-to-end-encryption/
Thu, 13 Feb 2025 19:29:11 +0000

Logo of the Global Encryption Coalition (GEC). Black text on a white background, with multi-colored squares (dark orange, dark yellow, dark blue, and light blue / green) forming a + symbol.

Today, CDT and a group of over 100 civil society organizations, companies, and cybersecurity experts – as part of an effort led by the Global Encryption Coalition (GEC) – submitted a letter to British Home Secretary Yvette Cooper calling on the UK Home Office to rescind its demand that Apple create a backdoor into its end-to-end encrypted services.

The UK demand is an alarming effort to undermine encryption, and if carried out would endanger the privacy and security of hundreds of millions of individuals who use Apple products across the globe.

As encryption advocates have demonstrated for decades, creating any backdoor access to encrypted systems for law enforcement will also make those systems vulnerable to cybercriminals, foreign espionage, and other bad actors.

The ongoing damage of the Salt Typhoon hack shows how severe the risks of leaving communications and data systems vulnerable can be, and why encryption is so vital. Now more than ever we need to be championing strong encryption, not tearing it down. The UK’s short-sighted effort will make its citizens less safe and more vulnerable to having their most sensitive data and intimate conversations stolen and snooped on. We hope the UK Home Office will heed the warning of experts and reconsider this decision.

This letter was published on Thursday, February 13, 2025 with 109 signatures. More signatures may be added as they come in, and will be noted at a future date.

Read the full letter – and list of signatories – on the GEC’s website.

EU Tech Policy Brief: December 2024
https://cdt.org/insights/eu-tech-policy-brief-december-2024/
Mon, 09 Dec 2024 22:26:44 +0000

Welcome back to the Centre for Democracy & Technology Europe‘s Tech Policy Brief for the last edition of the year! This edition highlights some of the most pressing technology and internet policy issues under debate in Europe, the U.S., and internationally, and gives CDT’s perspective on the impact to digital rights. To sign up for CDT Europe’s AI newsletter, please visit our website.

Please do not hesitate to contact our team in Brussels: Laura Lazaro Cabrera, Silvia Lorenzo Perez, Aimée Duprat-Macabies, David Klotsonis, and Giulia Papapietro.

👁 Security, Surveillance & Human Rights

Civil Society Strategises on Tackling Spyware

Spyware remains high on the EU agenda; in Poland, an arrest was recently made in relation to the governmental probe on the use of Pegasus. In this context, on 20 November, CDT Europe convened the Spyware coordination group to strategise on EU-level actions to tackle spyware. The discussion focused on key areas of regulation and advocacy, aiming to build consensus. Points of convergence included the need for definitions of key terms that can adapt to the rapid evolution of spyware technologies, and the strict prohibition of spyware use against journalists.

Photograph of Spyware Coordination Group Hybrid Workshop at CDT Europe’s Office.

Participants also explored the potential of internal market regulation as a legal basis for addressing the commercial spyware market and industry. Insights from the European Media Freedom Act (EMFA) and the EU Cybersecurity Framework informed discussions, particularly regarding litigation strategies to challenge Article 4 implementation and leverage cybersecurity policies to mitigate spyware threats. 

The workshop highlighted the shared urgency of curbing spyware misuse through coordinated, impactful advocacy and legal action.

All Eyes on Member States’ Actions on Spyware

At the various Pall Mall Process meetings that took place on the sidelines of the Paris Peace Forum, CDT Europe’s Silvia Lorenzo Perez engaged in critical discussions where she highlighted the urgent need for coordinated global action on spyware. 

At a panel held by the Swedish government and Access Now, victims shared powerful testimonies on the devastating impact of spyware abuse. These accounts underscored the urgent need for robust regulatory action to protect human rights defenders. This meeting was followed by a multistakeholder roundtable focused on combating the spread of commercial spyware. 

The day concluded with a Pall Mall Process meeting to review measures aimed at preventing spyware proliferation globally. While governments recognise the dangers of spyware, translating concerns into enforceable legal frameworks remains a challenge. The EU now has a unique opportunity to lead, with Member States at the table tasked with driving critical reforms. With the Polish Presidency of the Council of the EU at the helm, the time is now for bold leadership to address spyware abuse and protect both national security and individual rights.

Recommended read: The Guardian, Ronan Farrow on surveillance spyware: ‘It threatens democracy and freedom’

 💬 Online Expression & Civic Space

Trusted Flaggers in the DSA: Challenges and Opportunities

Implementation of the Digital Services Act (DSA) is at a busy phase, with online platforms starting to release their first annual risk assessment and audit reports (CDT Europe and other CSOs published a joint letter on the process). Another crucial part of the regulation’s implementation rests with the Trusted Flagger Mechanism, which helps combat illegal content online by granting certified entities priority processing of flagged material. CDT Europe and EU DisinfoLab organised a webinar on the topic on 21 November, where over 30 participants, including civil society organisations (CSOs), Digital Services Coordinators, and the European Commission, explored current challenges and opportunities. The system faces significant hurdles, including resource constraints for CSOs applying for certification, misinformation campaigns undermining public trust in Trusted Flaggers, and low uptake due to complex, burdensome processes and unclear benefits. With only 15 certifications granted so far, the mechanism is underutilised. 

Some key recommendations from the event include:

  • Ensuring sustainable funding for CSOs to meet Trusted Flagger obligations;
  • Developing proactive communication strategies to counter misinformation and clarify the role of Trusted Flaggers to the wider public; and
  • Establishing a working group to harmonise practices, support applicants, and address challenges like application complexity.

In our full outcomes report blog, we identify key opportunities for CSOs.

A Human Rights-Centered Application of the DSA

CDT Europe’s Research and Policy Officer David Klotsonis joined a workshop in Vienna, organised by the DSA Human Rights Alliance and hosted by the Organisation for Security and Co-operation in Europe (OSCE). The event focused on exploring principles for a Global Human Rights-Centered application of the Digital Services Act. The participants discussed lessons from other jurisdictions and conflict zones to shape thoughtful DSA implementation, while considering the risks of applying the law to different regulatory environments without accounting for unique vulnerabilities. As the “Brussels Effect” continues to generate buzz, it’s crucial to unpack its real-world implications. How can laws, when removed from their original institutional context, unintentionally—or deliberately—undermine human rights? This workshop offered a timely platform for reflection, and was a source of important insights.

Online Gender-Based Violence: What Now?

Graphic with purple background and white text reading, "Online Gender-Based Violence in the EU: What Now?" Graphic also depicts woman standing in front of a laptop emitting emojis.

Online gender-based violence (OGBV) continues to be a widespread and alarming issue, fueled by misogynistic narratives, that affects women in Europe and around the world. On the International Day for the Elimination of Violence against Women, and in the context of the 16 Days of Activism against Gender-Based Violence, CDT Europe highlighted the EU’s progress on the issue, such as the Directive on combating violence against women and the Digital Services Act. Despite these advancements, problems persist in ensuring the online space is free of this gendered harm. In our blog, we explored the obstacles ahead, emphasising the need for cultural change and effective implementation.

Recommended read: The Verge, Meta says it’s mistakenly moderating too much 

⚖ Equity and Data

An Ongoing Battle for Full Accountability for AI Harms

In our latest blog post, we reflected on persistent gaps in EU regulation that hinder accountability for AI-induced harms. Transparency, an inherent challenge for AI systems, is a crucial prerequisite to identifying harms. The AI Act goes some way towards ensuring a base level of transparency in some circumstances, but neglects the importance of procedural safeguards to ensure individuals’ legal access to remedies. This was never the AI Act’s intention, as it was conceptualised around the same time as the AI Liability Directive (AILD), a proposal that outlined basic steps towards easing procedural burdens for complainants in recognition of the hurdles posed by AI’s opaque functioning. Despite the AILD’s process-oriented nature and modest impositions, the draft law is struggling to get off the ground — even as the effective remedies issue in AI remains unaddressed. 

Making the Case for Robust European Regulation

Counsel and Programme Director for Equity and Data Laura Lazaro Cabrera speaks at Euronews’ Tech Summit.

In a debate hosted by Euronews as part of their Tech Summit on 4 December, CDT Europe’s Laura Lazaro Cabrera shared the stage with representatives from DG JUST and CEPS to discuss regulation for consumer protection in the digital age. In the discussion, Laura highlighted the importance of ensuring laws regulating tech include both substantive and procedural safeguards to truly guarantee robust consumer protection. She also noted the importance of challenging the false dichotomy between innovation and regulation, underscoring the value of high product standards and their essential role in preserving health, safety, and fundamental rights. She also questioned the false assumption that underperforming products falling short of robust standards would lead to Europeans missing out — rather, it’s companies that would be missing out on the European market should they fail to find ways to conform. 

Recommended read: The Guardian, Deus in machina: Swiss church installs AI-powered Jesus

🦋 Bluesky

We are on Bluesky! As more users join the platform (including tech policy thought leaders), we’re finding more exciting content, and we want you to be part of the conversation. Be sure to follow us at @cdteu.bsky.social! You can also follow our starter pack of EU tech journalists, to catch the latest digital news in the bubble. Find us also on Mastodon and LinkedIn.

⏫ Upcoming Events 

Liberal Forum Roundtable: On 10 December, our Equity and Data Programme Director Laura Lazaro Cabrera will participate in the European Liberal Forum’s conference on “The Era of AI: Harnessing AI for Humanity”, bringing together MEPs, APAs, political advisors, civil society, academia, and corporate sector representatives to engage in Chatham House discussions on the role of the EU in advancing AI over the next mandate.

Kofi Annan Foundation: On 11 December, Laura will speak at the “Comparative lessons from the EU and the US elections in the age of Artificial Intelligence” event organised by Democracy Reporting International (DRI) and the Kofi Annan Foundation (KAF) to reflect upon the risks and challenges generative AI represents for European democracy.

CDT Joins Joint Statement Urging Australian Government to Protect End-to-End Encryption in Review Process of the Online Safety Act
https://cdt.org/insights/cdt-joins-joint-statement-urging-australian-government-to-protect-end-to-end-encryption-in-review-process-of-the-online-safety-act/
Fri, 21 Jun 2024 20:56:32 +0000

***

From the statement:

End-to-end encryption plays a crucial role in ensuring the safety, security and privacy of millions in Australia. However, the statutory review of the Australian Online Safety Act erroneously characterises end-to-end encryption as an obstacle to online safety and law enforcement, instead of recognising that it is essential for online security and weakening it reduces safety for all.

The Online Safety Act risks becoming forever known as the Online ‘Unsafety’ Act if strong protections for communications and stored information secured by end-to-end encryption are not included in the Act. Without clear protections, the eSafety Commissioner may soon issue industry standards under the Australian Online Safety Act that effectively force service providers to weaken or circumvent end-to-end encryption to monitor and intercept communications.

These measures would weaken the security, confidentiality and integrity of communications while they are transmitted or in storage. A failure to safeguard end-to-end encryption will make all Australians and people around the world less safe, not more.

Further, the addition of a general duty of care to the Act, without safeguarding encryption, suggests compelling service providers to remove or circumvent the confidentiality of end-to-end encryption in order to meet their duty of care obligations. This would pave the way for pervasive surveillance and damage online safety as well as the human rights to privacy and free expression.

End-to-end encryption not only protects children from bad actors harvesting their personal data or intercepting and taking over their communications – it also protects children by preventing their personal data from being used for profiling and advertising.

We urge the Australian government to utilise the Online Safety Act review process to course correct and actively protect and encourage the use of end-to-end encryption. Doing so would benefit people, businesses, and governments and would be crucial to achieving the goal of the Online Safety Act.

Read the full statement + list of signatories.

More Encryption is the Goal: The Internet Architecture Board Holds a Workshop on Managing Encrypted Networks
https://cdt.org/insights/more-encryption-is-the-goal-the-internet-architecture-board-holds-a-workshop-on-managing-encrypted-networks/
Fri, 22 Mar 2024 19:35:08 +0000

The privacy and security benefits of network traffic encryption have become much more common through the adoption of TLS, the technology responsible for the security lock when a user visits HTTPS secured sites. However, as more protocols use encryption, points of friction for network operators are heating up and preventing their ubiquitous adoption.

With an eye toward solving these problems, the Internet Architecture Board held a three-day virtual workshop on October 17-21, 2022 on “Management Techniques in the Encrypted Networks,” and the workshop report was published as RFC 9490 earlier this year. The workshop aimed to speed the adoption of encryption on the Internet by focusing on barriers to adoption. The workshop generated ideas to enhance network management methods, emphasizing the need to evolve these methods to improve their efficiency and reliability in the face of ubiquitous traffic encryption. The idea was to promote and motivate security and user privacy by platforming collaborative ideas at the intersection of network management and traffic encryption. The workshop addressed the actionable requirements in network management, identified the actors who are willing to work on collaborative solutions, and suggested starting points for such solutions.

I joined the workshop as part of the Program Committee representing CDT in the IAB and presented my ideas on the state of users and privacy, including guidelines for performing safe measurement on the Internet. This work is a result of my collaboration with Iain Learmonth and Gurshabad Grover as part of the privacy research group at the Internet Research Task Force, and it outlines guidelines for academic and internet researchers who use the internet as part of their scientific experimentation and research, to mitigate risks to the safety of other users.

This work first locates these guidelines in relation to threat models, measurement studies, and user impact. It puts forward three main categories of considerations: 

  • Consent, such as informed consent, proxy consent, and implied consent; 
  • Safety considerations, including highlighting the need for dedicated testbeds, respect for other actors’ infrastructures, and a commitment to data minimization; and 
  • Risk analysis. 

Other work presented in this area included traffic-classification techniques that use machine learning at a high level to identify patterns. While these techniques look a lot like invasive “deep packet inspection,” this type of classification attempts to understand high-level network patterns rather than individual packets. Avoiding privacy and tracking issues is certainly a concern. This approach can be done without coordination from the applications that users and services run at the endpoints.

Another aspect of the solution space does involve introducing trusted second- or third-party intermediaries that would coordinate with network operations. For example, billing zero-rated services, parental controls, redirection and fraud prevention could be features that users opt into when they use services or applications. Through relay-like intermediary services, those second- or third-parties could give the network limited information about the user and what the user is doing with their connection.

In conclusion, proponents of strong and ubiquitous encryption are often put on the back foot when network operators get together to talk about the challenges associated with opaque network traffic. Similar workshops held in other contexts might implicitly and explicitly consider the trend to encrypt network traffic an outright assault on network security. However, what was different about this IAB workshop, beyond the fact that encryption advocates like me were part of the programming, is that it not only assumed that transport encryption is desirable, but also addressed these tensions with networks so as to ensure transport encryption becomes the new norm.

CDT Defends Encryption Against Broadside Attack from Nevada AG
https://cdt.org/insights/cdt-defends-encryption-against-broadside-attack-from-nevada-ag/
Tue, 12 Mar 2024 14:10:03 +0000

Late last night, the Center for Democracy & Technology (CDT) joined other organizations in urging a Nevada district court to reject the effort of the Nevada attorney general to prevent people in Nevada from using an end-to-end encrypted messaging service if they are under the age of 18. We signed onto a brief, led by ACLU, EFF and research scholar Riana Pfefferkorn, urging the Court to reject Nevada’s motion for a preliminary injunction that would bar Meta from offering encrypted messaging services to youth in Nevada. Nevada’s assault on encryption is extraordinary and without precedent: it is suing a tech company to deny an entire class of users the ability to communicate securely using its encrypted messaging app.

We pointed out that end-to-end encryption is essential to secure communications on the inherently insecure Internet, and that it has been available by default for years from other messaging services, such as Signal and Apple’s iMessage. Meta began to roll out E2EE by default on Messenger late last year, and had offered E2EE since 2016 to those who opted in.

We also explained that denying children the opportunity to use E2EE messaging services does not protect them; it exposes them to danger. When a teenager confides to their parents and their friends sensitive information about their health, their fears, their activities, and who they are with and where they are going, the communications containing that information must be secured by encryption to promote child safety.

CDT has long supported encryption, and is a founding member of the Global Encryption Coalition, which counts among its members other amici including the lead drafters, the Internet Society, Mozilla, Signal, Access Now, and Fight for the Future.

Read our brief.

Global Encryption Coalition Steering Committee Statement on the ECtHR Court Ruling on Encryption in Podchasov v. Russia
https://cdt.org/insights/gec-statement-on-ecthr-court-ruling-on-encryption-in-podchasov/
Mon, 26 Feb 2024 18:02:24 +0000

Logo of the Global Encryption Coalition (GEC). Black text on a white background, with multi-colored squares (dark orange, dark yellow, dark blue, and light blue / green) forming a + symbol.
Logo of the Global Encryption Coalition (GEC). Black text on a white background, with multi-colored squares (dark orange, dark yellow, dark blue, and light blue / green) forming a + symbol.

This is a statement of the members of the Steering Committee of the Global Encryption Coalition, which consists of the Center for Democracy & Technology, Global Partners Digital, the Internet Freedom Foundation, the Internet Society, and Mozilla.

***

From the Statement:

The Global Encryption Coalition Steering Committee (GEC-SC) welcomes the recent ruling by the European Court of Human Rights (ECtHR) in the case of Podchasov v. Russia, which unequivocally reaffirms the position that mandatory requirements imposed by governments to weaken end-to-end encryption constitute a violation of the fundamental right to privacy. This landmark decision reinforces the essential role that strong encryption plays in protecting the digital security and privacy of individuals worldwide. This is particularly relevant for the ongoing conversations around the CSAM legislation in the EU and the Online Safety Act in the UK. The UK is a signatory to the European Convention on Human Rights (ECHR) under which this decision was rendered, and Member states of the EU are also signatories.

As stated by the Court:

“…[the] statutory obligation to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users; it is accordingly not proportionate to the legitimate aims pursued…”

Encryption serves as the backbone of secure communication on the internet, enabling individuals to exercise their freedom of expression and to engage in confidential business activities without fear of undue surveillance or interference. The ECtHR’s ruling aligns with the GEC-SC’s long-standing position that efforts to undermine encryption not only threaten individual privacy but also the integrity and security of the digital ecosystem at large.

As also stated by the Court:

“…In the digital age, technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression…. Encryption, moreover, appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud, and the improper disclosure of confidential information. This should be given due consideration when assessing measures which may weaken encryption…”

The decision sends a clear message to governments around the world: policies and practices that compromise the security of encryption technologies are incompatible with the principles of privacy and security that form the bedrock of a democratic society. It underscores the importance of upholding encryption as a vital tool for protecting human rights in the digital age.

Read the full statement here.

CDT Comments in response to FTC’s Proposed Consent Order with X-Mode Social, Inc., and Outlogic, LLC https://cdt.org/insights/cdt-commets-in-response-to-ftc-proposed-consent-order/ Tue, 20 Feb 2024 22:34:00 +0000

On February 20, 2024, CDT filed comments with the Federal Trade Commission drawing attention to two issues in its proposed consent order with X-Mode. 

First, the exception to the ban on the use and sale of Sensitive Location Data for converting such data into non-location data is harmful. This language would allow X-Mode to continue collecting, using, and selling data about people’s general visits to Sensitive Locations without specific GPS coordinates or other location data attached (e.g., the fact that they visited Planned Parenthood). That exception is harmful and should be removed. 

Second, the exception to the definition of Location Data that would allow X-Mode to continue to collect Sensitive Location Data if that data is collected abroad and used for a security, or a national security, purpose is problematic and unclear. The harm and deceptive behavior from X-Mode do not stem from where the data is collected. The exception will also be difficult to comply with and enforce. It should similarly be removed, or at least clarified and narrowed.

Read the full comments here.

Open Letter from Security Experts Voices Concerns Over the Proposed Changes to UK Investigatory Powers Act’s Notices Regime https://cdt.org/insights/open-letter-from-security-experts-voices-concerns-over-the-proposed-changes-to-uk-investigatory-powers-acts-notices-regime/ Mon, 05 Feb 2024 22:47:19 +0000

The proposed amendments to the UK’s Investigatory Powers Act (IPA) have prompted a powerful open letter addressed to the UK Home Secretary from security experts united in their commitment to a secure, reliable, and inclusive internet. Their profound concerns highlight the detrimental impacts these changes would have on digital security and privacy, namely that the IPA would establish centralized control over crucial security updates, which runs against best practice and would slow their implementation.

Furthermore, the letter warns of the overarching control the UK government could gain over technological development and maintenance, which would significantly erode trust in digital services and compromise user safety, not only harming UK citizens and businesses but also setting a concerning precedent internationally. The letter’s 27 signatories make a critical appeal for maintaining the integrity and security of the digital landscape.

Read the open letter.

CDT Joins Civil Society Coalition Calling on Australian Government to Reconsider Threats to Encryption, Privacy in Draft Online Safety Industry Standards https://cdt.org/insights/cdt-joins-civil-society-coalition-calling-on-australian-government-to-reconsider-threats-to-encryption-privacy-in-draft-online-safety-industry-standards/ Tue, 19 Dec 2023 22:08:00 +0000

The Center for Democracy & Technology joined a global coalition of civil society organisations in signing a joint letter calling on the Australian government to “reconsider draft online safety industry standards that threaten to undermine the use of end-to-end encryption, putting security and privacy of internet users at greater risk. Without safeguards that protect end-to-end encryption and privacy, the standards will leave users less safe online, contrary to their goal.”

***

From the letter:

The eSafety Commissioner has publicly stated that it supports privacy and security, and does not advocate building in weaknesses or back doors to undermine end-to-end encrypted services. (5) But client-side scanning fundamentally undermines encryption’s promise and principle of private and secure communications and personal file storage. We urge the Commissioner against creating standards that would force encrypted services to implement such scanning measures as they would create an unreasonable and disproportionate risk of harm to individuals and communities.

Australia is a leader in the field of online safety policy making, and this position comes with responsibility in shaping the norms and direction of international internet governance and regulation. Proceeding with the standards as drafted would signal to other countries that online safety is somehow counterposed to privacy and security, when the opposite is true.

We strongly urge the eSafety Commissioner to amend the proposed industry standards to ensure the protection of privacy and security, and urge the Australian Government to commit to the ongoing protection and strengthening of encryption, privacy and digital security.

Read the full letter + list of signatories.
