The irony of the EU regulation for encryption

An expected ally becomes an enemy

Earlier this week there have been several reports around the data protection approach the European parliament is taking via a draft from the committee on civil liberties, justice and home affairs. This proposal is bringing end-to-end encryption again to the forefront by saying:

The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used, or by state-of-the-art end-to-end encryption of the electronic communications data.
Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited.

Which is ironic.

The Burden of Regulation

Regulation has been one of the main reasons (or maybe an excuse) for telco operators to limit the evolution of communication services.

The requirement of lawful interception for communications (fundamentally calls and texts, but sometimes even for new services which were in a less clear space regarding regulation) translates into technical requirements for service and equipment vendors, and for in-house service development initiatives. The results are increased costs and timescales, which end up making the solution unviable.

And that has been one of the constant complaints from telcos about the service offered by Internet companies (the also called “OTTs”, if Dean Bubley gives his permission), because they have been able to evolve their offerings without having to deal with interoperability (actually, with the telco definition and expectation of “interoperability”) or regulatory limitations.

The expectation from telcos was that eventually regulation would catch up with Internet service providers, and would impose them the same burdens. This was illustrated with the “level-playing-field” analogy, which has considerable issues too.

The Irony

But if the current approach gets approved (which is not clear to me, since it may face opposition by some member countries that want further access for law enforcement) rather than regulation catching up with Internet services we will see technology catching up with telcos.

With the current wording — “providers of electronic communications services” encryption would have to be applied to every communication service. And:

The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and messaging provided through social media

This means that the current behavior of services like SMS of traditional calling would be non-compliant with this regulation.

Making traditional calls and texts (or even the newest flavor of telephony: VoLTE) compliant with end-to-end encryption is not a technical issue. It is not a matter of “adding an encryption layer” to the existing services. Such a change means long standardization processes, serious architectural changes, and little incentive from most operators, which is what halts these initiatives. On top of that, we should consider the interoperability at the international level: a call should work between an EU number and an Asian or American one. Does that need to be e2e encrypted too? That would require other operators, not required by their regulation to do this, to implement the new standards.

The costs, timescales and politics around this makes it so unlikely that in such an scenario I expect operators simply encouraging their customers to call using WhatsApp.

Actually, my guess is that the regulation, if it finally happens, will allow “legacy services” as they are, and only make it a requirement for new services. Probably it will also request making clear to users the privacy risks around these old services, which again points to pushing users to the Internet providers.

And this can be another nail in the already-quite-reinforced coffin of RCS, as the current definition by the GSMA and Google does not contemplate e2e encryption. Google, if providing the service by itself, could adhere to the new requirements, but the complexities of the ecosystem, telcos involved with their own platforms, interoperability process and standardization approach will certainly further delay years something that has already been late for a decade.