ProtonMail, Threema, Tresorit and Tutanota warn EU lawmakers over ‘anti-encryption’ push

Four European apps which secure user data via end-to-end encryption, ProtonMail, Threema, Tresorit and Tutanota, have issued a joint-statement warning over recent moves by EU institutions that they say are setting lawmakers on a dangerous path to backdooring encryption.

End-to-end encryption refers to a form of encryption where the service provider does not hold keys to decrypt the data, thereby enhancing user privacy — as there’s no third party in the loop with the technical capability to access data in a decrypted form.

E2e encryption also boosts security by reducing the attack surface area around people’s data.

However growth in access to e2e encrypted services has, for some half decade or more, been flagged as an issue of concern for law enforcement. This is because it makes it harder for agencies to access decrypted data. Service providers served with a warrant for e2e encrypted user data will only be able to provided it in an unreadable form.

Last month the EU Council passed a resolution on encryption that’s riven with contradiction — calling for “security through encryption and security despite encryption” — which the four e2e app makers believe is a thinly veiled call to backdoor encryption.

The European Commission has also talked about seeking “improved access” to encrypted information, writing in a wide-ranging counter-terrorism agenda also published in December that it will “work with Member States to identify possible legal, operational, and technical solutions for lawful access” [emphasis its].

Simultaneously, the Commission has said it will “promote an approach which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime and terrorism”. And it has made it clear there will be no ‘one silver bullet’ as regards the e2e encryption security ‘challenge’.

But such caveats are doing nothing to alleviate the concerns of e2e encrypted app makers — who are convinced proposals from the Council of the EU, which is involved in adopting the bloc’s laws (though the Commission usually drafts legislation), sums to an push toward backdoors.

“While it’s not explicitly stated in the resolution, it’s widely understood that the proposal seeks to allow law enforcement access to encrypted platforms via backdoors,” the four app makers write, going on to warn that such a move would fatally underline the security EU institutions also claim to want to maintain.

“The resolution makes a fundamental misunderstanding: Encryption is an absolute, data is either encrypted or it isn’t, users have privacy or they don’t,” they go on. “The desire to give law enforcement more tools to fight crime is obviously understandable. But the proposals are the digital equivalent of giving law enforcement a key to every citizen’s home and might begin a slippery slope towards greater violations of personal privacy.”

They point out that any move to break e2e encryption in Europe would run counter to the global rise in interest in robustly encrypted services — pointing to the recent surge in sign-ups for apps like Signal as a result of mainstream privacy concerns attached to Facebook-owned WhatsApp.

Europe has also been ahead of the curve globally in legislating to protect privacy and security. So it would be quite the U-turn for EU lawmakers to line up to poke holes in e2e encryption. (Which, for example, EU data protection regulators are simultaneously recommending be used in order to legally secure transfers of personal data out of the bloc to third countries where it might be at risk).

To say there are ideological contradictions in the EU pushing in an anti-encryption direction is a massive understatement. Even as the contents of current communiques coming out of Brussels on this topic read as if they’re inherently conflicted — which may in fact be a recognition that squaring this circle is no simple policy proposition.

The app makers also pick up on that. “People around the world are taking back control of their privacy, and often it’s European companies helping them do it. It seems illogical that policy makers in the EU would now push for laws that fly in the face of public opinion and undermine a growing European technology sector,” they write.

In an individual quotation from the joint-statement, Andy Yen, CEO and founder of ProtonMail, a Swiss end-to-end encrypted email service, warns against complacency in the face of the latest seeming push for a legal framework to perforate encryption.

“This is not the first time we’ve seen anti-encryption rhetoric emanating from some parts of Europe, and I doubt it will be the last. But that does not mean we should be complacent,” he said. “Put simply, the resolution is no different from the previous proposals which generated a wide backlash from privacy conscious companies, civil society members, experts and MEPs.

“The difference this time is that the Council has taken a more subtle approach and avoided explicitly using words like ‘ban’ or ‘backdoor’. But make no mistake, this is the intention. It’s important that steps are taken now to prevent these proposals going too far and keep European’s rights to privacy intact.”

Martin Blatter, CEO of end-to-end encrypted instant messaging app Threema, also argues that EU lawmakers risk kneecapping homegrown startups if they seek to push ahead with legislation to force European vendors to bypass or deliberately weaken e2e encryption.

“[It] would not only destroy the European IT startup economy, it would also fail to provide even one bit of additional security,” he warned. “Joining the ranks of the most notorious surveillance states in this world, Europe would recklessly abandon its unique competitive advantage and become a privacy wasteland.”

Also chipping in, Istvan Lam, co-founder and CEO of Tresorit, an e2e encrypted file sync & sharing service, argues that any moves to weaken encryption would seriously undermine trust in services — as well as being “irreconcilable with the EU’s current stance on data privacy”.

“We find this resolution especially alarming given the EU’s previously progressive views on data protection. The General Data Protection Regulation (GDPR), the EU’s globally recognized model for data protection legislation, explicitly advocates for strong encryption as a fundamental technology to ensure citizens’ privacy,” he said, adding: “The current and proposed approaches are at complete odds with each other, as it is impossible to guarantee the integrity of encryption while providing any kind of targeted access to the encrypted data.”

While Arne Möhle, co-founder of Tutanota, a German e2e encrypted email provider, says any push to backdoor encryption would be a disaster for security — which actually risks helping criminals.

“Every EU citizen needs encryption to keep their data safe on the web and to protect themselves from malicious attackers,” he said. “With the latest attempt to backdoor encryption, politicians want an easier way to prevent crimes such as terrorist attacks while disregarding an entire range of other crimes that encryption protects us from: End-to-end encryption protects our data and communication against eavesdroppers such as hackers, (foreign) governments, and terrorists.”

“By demanding encryption backdoors, politicians are not asking us to choose between security and privacy. They are asking us to choose no security,” he added.

A fight looks to be brewing in Europe over what exactly the Council’s contradictory edict on ensuring “security through encryption and security despite encryption” will shake out to. But it seems clear that any push toward backdoors would mobilize major regional opposition — as well as being an unattractive option for EU policymakers because it would face legal challenge under the region’s jurisprudence.

The Commission recognizes this complexity. Its counter-terrorism agenda is also notably wide-ranging. There’s certainly no suggestion that it believes e2e encryption is a sole nut that must be cracked. EU institutions are pushing across a number of fronts here, not least because a bunch of fundamental red lines limit wiggle room for non-targeted interventions.

What comes out of the Council’s resolution may therefore be a concerted push to upskill police in areas relevant to investigations (such as digital forensics and metadata analysis). And perhaps create structures for local or state level forces across the bloc to access more powerful security service technical competences for furthering targeted investigations (e.g. device hacking). Rather than an EU-level order blasted at e2e encryption vendors to mandate a universal key escrow ‘solution’ (or similar) — indiscriminately risking everyone’s security and privacy.

But it’s certainly one to watch.

Flip raises $4M to pounce on the growing sector of employee messaging

By now we’re all familiar with text messaging groups for multi-person co-ordination. I’ve lost count of how many WhatsApp, Telegram and Facebook messenger groups I’m on! Other apps like Threema have started to be used in a business context and startups like Staffbase have decided to become full-blown ‘workforce messaging’ platforms. The thinking now amongst investors is that messaging is about to explode in all sorts of verticals and that it’s a rich seam to mine.

In that vein, Flip, a Stuttgart, Germany-based employee messenger app, has now raised €3.6M ($4M) from LEA Partners and Cavalry Ventures, together with Plug and Play Ventures and Business Angels such as Jürgen Hambrecht (Chairman of the Supervisory Board BASF), Prof. Dr. Kurt Lauk (Chairman of the Supervisory Board Magna International), Florian Buzin (Founder Starface) and Andreas Burike (HR Business Angel). The capital raised will be invested primarily in the expansion of the team and the development of further markets.

Founded in 2018, the start-up offers companies a platform that connects and informs employees across all levels in a legally compliant manner.

That last part is important. The application is based on a GDPR-compliant data and employee protection concept, which was validated jointly with experts and works councils of several DAX companies. It also integrates with many existing corporate IT infrastructures.

The startup has now secured customers including Porsche, Bauhaus, Edeka, Junge IG Metall and Wüstenrot & Württembergische. Parts of the Sparkasse and Volksbank are also among the customer base. It also counts Deutsche Telekom as a partner.

Flip founder and CEO, Benedikt Ilg, said in a statement: “Flip is the easiest solution for internal communication in companies of all sizes.”

Bernhard Janke from LEA Partners said: “As a young company, Flip has been able to attract prestigious clients. The lean solution can be integrated into existing IT systems and existing communication processes, even in large organizations. With the financing round, we want to further expand the team and product and thus support the founders in their vision of making digital workforce engagement accessible to all companies.”

Claude Ritter of Cavalry Ventures said: “We are convinced that Flip is setting new standards in this still young market with its safe, lightweight and extremely powerful product”.