17 Nov INATBA Privacy Working Group Issues Response to Council Resolution on Encryption
Privacy Working Group of International Association for Trusted Blockchain Applications Association Internationale sans but lucratif
Avenue de Tervueren 188a/4 1150 Bruxelles Belgium
16th November 2020
Re: Draft Council Resolution on Encryption “Security through encryption and security despite encryption”
This statement is being issued on behalf of the privacy working group of INATBA – International Association for Trusted Blockchain Applications (https://inatba.org/). With more than 180 members, INATBA brings together industry, startups and SMEs, policymakers, international organisations, regulators, civil society, and standard-setting bodies to support blockchain and Distributed Ledger Technology (DLT) to be mainstreamed and scaled-up across multiple sectors.
Our group was made aware of the draft Council Resolution on Encryption “Security through encryption and security despite encryption”, which was discussed on Austrian national news outlet orf.at (https://fm4.orf.at/stories/3008930/). We consider such a proposal to be a danger to blockchain technology and to privacy in particular and have asked the council to consider the following.
- Introduction
Blockchain technology makes it possible for large groups of people or organisations who may not know or trust each other to collectively agree on and permanently record information without the need for a third-party authority. This is possible through cryptography and with the use of private and public keys for encryption and decryption of the data. Asymmetric encryption, as it is called, is the backbone of the distributed ledger technology (DLT), a most common type of which is the blockchain technology.
During the last couple of years, blockchain technology has proven its capability to revolutionize various sectors of the economy. Its potential has been recognized by many decision-making bodies and well-established institutions worldwide.
There have been many initiatives launched at the EU level which focus on supporting the research and development as well as adoption of blockchain technology. As mentioned on the Commission’s official website:
“The EU believes that blockchain technology when properly used can provide significant benefits to European industry, the European economy, and to European society as a whole. For this reason, the European Commission is supporting blockchain on the policy, legal and regulatory, and funding fronts.”
In 2018 EU Member States formed the European Blockchain Partnership (EBP) and decided to cooperate in the establishment of a European Blockchain Services Infrastructure (EBSI) that will support the delivery of cross-border digital public services, with the highest standards of security and privacy.
The EU has devoted significant funds to support research and innovation in blockchain, notably through the Horizon 2020 programme (up to EUR 180 mln) and through EU Artificial Intelligence and Blockchain Investment Fund (EUR 100 mln) to be invested in startups in 2020. The European Commission is also managing EU Parliament Pilot Projects, which resulted, for instance, in the creation of the EU Blockchain Observatory and Forum – an initiative focused on providing analyses and discussion forums concerning blockchain technology.
Most recently, the EU Commission announced a Digital Finance package including a digital finance strategy and legislative proposals on crypto-assets, which are one of the major applications of blockchain technology in finance, such as:
- new EU Regulation on Markets in Crypto-Assets;
- new EU Regulation on a pilot regime for market infrastructures based on DLT;
The abovementioned legislative proposals have long been awaited by the blockchain industry as well as regulators both at the EU and national level.
- Consequences of weakening encryption for blockchain technology
The commented draft Council Resolution foresees to shape a legal framework enabling state actors to gain access to encrypted data. This is not a feature that any strong cryptographic system foresees because once this is technically possible, it becomes nearly impossible to prevent other actors from using such functionality too. E.g. the implementation of such a proposal would require encryption to provide a backdoor for competent authorities, and would through this illegalize the use of encryption technology that is not providing this. It would therefore promote significantly weaker protocols, jeopardizing the security of data in Europe in general.
Blockchain technology relies on public key cryptography that is end-to-end by design, the supporting toolsets and algorithms also require encryption. By weakening these underlying technologies the trust element of the blockchain (e.g. that data can not be changed through the backdoor) could no longer be guaranteed. More in detail, if the public key signing algorithms used to validate transactions or the hashing algorithms on which all blockchains rely are broken, this would jeopardize the integrity of the entire system. Crypto-assets, one of the key use cases of blockchain technology, rely entirely on public-key cryptography. Similarly, self-sovereign and digital identities rely on public-key cryptography to ensure the integrity of identities and signatures.
- Potential consequences for the EU market
As mentioned beforehand, there are a number of blockchain initiatives launched under the EU in the space of identity and also finance. These are areas that involve the processing of high volumes of personal and sensitive data including financials and biometrics. In allowing the EU to have access to the encryption keys of this data, it would create a risk vector that could potentially be exploited by adversaries of the union or susceptible to political whims. As a supra-national institution representing the leading global data protection framework and responsible for upholding privacy rights found in the European Courts of Human Rights, this proposal would create friction that would make it difficult to respect European citizens’ human rights.
Additionally, one of the influential reasons that attracts companies to the EU is the rule of law and basic human rights. This extends to businesses holding confidence that their users’ data rights will be protected too, especially with the propagation of the General Data Protection Regulation as a leading global data protection framework. By reducing the effectiveness of the data protection framework, this would reduce the competitiveness of the EU as a jurisdiction that champions data protection rights.
Many companies have established themselves in the EU under the premise that their data users rights will be respected. The fact that these companies can effectively use blockchain based technologies with the understanding that there would be no exposure of their users has attracted many companies to the EU. By forwarding this proposal it creates a further disincentive for companies to continue their operations in the EU. Furthermore, weakening the trust in encryption through any type of mandatory technical back-doors or key escrows will force innovative companies working in the space to move or incorporate their activities outside of the European Union. The inability to safely rely on such crippled encryption will also drive international businesses that rely on secure transactions to conduct their business from other jurisdictions.
- Recommendation
INATBA considers the proposed Council Resolution to jeopardize blockchain technology and its further development and strongly urges the committee members of:
- COSI (Standing Committee on Operational Cooperation on Internal Security) on November 19th;
- COREPER (Committee of the Permanent Representatives of the Governments of the Member States to the European Union) on November 25th; and
- the Council;
to oppose and reject this resolution to protect blockchain technology, the democratic effects it can bring and the privacy and freedoms of the individuals.
Signed by Marc Taverner, Executive Director
Silvan Jongerius, Co-Chair of the Privacy Working Group
Marcin Zarakowski, Co-Chair of the Privacy Working Group