On 3 June 2020, the EDPS organised its first online workshop of the Internet Privacy Engineering Network (IPEN), on the “state of the art in encryption and its role for protection of privacy and personal data ”. With nearly 200 participants, the event attracted strong interest among privacy experts, developers and engineers. For this reason, a second follow-up IPEN webinar on the topic took place on 24 June 2020, in order to deepen the discussion and further explore all aspects of encryption.
Both events were designed to better understand why we should use encryption, and what we need to know to use it properly.
Some heavily politicised debates of the past (so called “crypto-wars”) did not always build on an extensive analysis of the scientific and technological basis of cryptography. Neither did they take into account the multiple use of cryptography, which are needed for our complex economy and society to operate in a secure manner: today, cryptographic tools are relied on more and more by both private individuals, companies, public authorities, to carry out various activities and to secure internet based communications infrastructure.
Furthermore, with the full application of the European Union’s General Data Protection Regulation (GDPR) since 2018, encryption gained legal recognition as a means to protect the fundamental rights of individuals in the context of processing personal data. The GDPR mentions encryption explicitly in several provisions (Articles 6 (lawfulness of processing), 32 (security), 34 (personal data breach notification)), as a powerful measure to reduce the risks for individuals whose data are processed, an essential outcome in the GDPR’s risk-based approach.
Through years of experience in privacy engineering within the framework of the IPEN, we at the EDPS, aim to contribute to the discussion on encryption based on knowledge and a real comprehension of the many ways cryptography works, its technical capabilities and limits.
At the event on 3 June 2020, the European Data Protection Supervisor, Wojciech Wiewiórowski, explained the relationship between the protection of personal data and encryption from a legal and policy perspective.
Professor Bart Preneel, director of the COSIC institute at Leuven University and lead scientist for a Belgian Covid-19 app, is one of the leading cryptography experts on the planet. He gave an overview of the current use of cryptography in economy and society, and explained some of the relevant technological developments. Political actions may be necessary in the field of encryption to ensure its continuous usefulness. The continuous technical progress in computer capacity and availability now makes some older encryption tools obsolete and insecure.
Researchers Stefano Leucci and Iraklis Symeonidis presented a common analysis about digital communications and encryption at the time of Covid-19 from a legal and technical perspective.
The Data Protection Commissioner of Schleswig-Holstein (Germany), Ms Marit Hansen, finally gave a more in depth perspective on the challenges of enforcing the GDPR provisions on encryption in practice.
The follow-up event of 24 June 2020 focused on the challenges and pitfalls that can occur when using cryptography. The session also covered the state of the art of encryption-based privacy enhancing technologies.
Professor Carmela Troncoso, head of the Security and Privacy Engineering Lab at EPFL (Switzerland), and lead researcher in the DP3T project (an approach to decentralized, privacy-preserving contact tracing to limit the spread of COVID-19) shared her experience about the use of cryptography beyond the secrecy of transmitted or stored data. Examples are the use of cryptography in the DP3T project, as well as a privacy-preserving search engine implemented for the International Consortium of Investigative Journalists (ICIJ), allowing them to search and exchange information without revealing their sources or identity.
Isabel Barberá, an expert on security and data protection from Utrecht (The Netherlands), talked about experiences on the chances and pitfalls of the use of encryption in practice. She presented common misunderstandings and mistakes of controllers applying encryption in their everyday business and proposed a set of actions to ensure encryption is complemented by a set of organisational and technical measures for security and personal data protection.
Overall, the two events revealed the strong interest in the topic of encryption.
Participants highlighted the diverse use of cryptography, going beyond encryption of data at rest/in transfer, such as enabling the comparison of datasets without gaining access to their content, and ensuring unlinkability of data subjects to actions or messages. The Q&A sessions during the workshops and in the subsequent networking meetings also showed that practitioners would appreciate more practical guidance.
There is a clear need to invest more in the understanding and analysis of cryptographic technologies. We take this as an encouragement to continue similar discussions in future IPEN events.