Why France and Germany’s Encryption Stance May Be More Bark Than Bite
France has been beating the anti-encryption drum hard recently, and it has now joined forces with Germany to call for something to be done.
The question is, what can actually be done?
On Tuesday, the two countries’ interior ministers called on the European Commission to think about the possibility of a new directive that would force uncooperative communications providers to remove illegal content or decrypt messages for the benefit of investigators.
A directive is a kind of EU law that must be transposed into national law by the union’s member states. That gives them a bit of room for interpretation—unlike with a regulation, which automatically applies in a unified way across all the countries.
The thing is, there is already little to stop EU countries—which retain complete control over their national security laws—from trying to force the likes of Telegram and WhatsApp (FB) to decrypt messages.
“The current data protection directive (which also applies to the so-called over-the-top service providers) allows member states to restrict the scope of certain data protection rights where necessary and proportionate to, for instance, safeguard national security, and the prevention, investigation, detection and prosecution of criminal offences,” Commission spokesperson Natasha Bertaud said via email. “The new general data protection regulation (which will apply as from 25 May 2018) maintains these restrictions.”
Of course, national security is the name of the game here. France is still reeling from a series of terrorist attacks, and Germany has also recently had a series of incidents that have been associated with terrorism—although the links there are not so clear-cut.
Get Data Sheet, Fortune’s technology newsletter
So if the ability to demand decryption is already there, what do France and Germany want?
For a start, although they tried to put on a unified front after meeting in Paris on Tuesday, France’s Bernard Cazeneuve and Germany’s Thomas de Maiziere issued rather different statements.
The German minister talked about doing what was technically and legally possible to tackle encryption, referring to “best practice” and “innovative ideas.” His French counterpart went further, criticizing Telegram by name and calling for the new European directive.
“I don’t think they agree on what they’re calling for,” Kirsten Fiedler, the managing director of European Digital Rights (EDRi), tells Fortune.
The situation is not unprecedented. Brazil serves as an example of what happens when investigators are frustrated with end-to-end encryption, with WhatsApp being repeatedly blocked (and reinstated) over its refusal to decrypt a user’s communications.
WhatsApp and rival Telegram point out that they cannot decrypt anything because their encryption is constructed so as to only give users such access.
That leaves a handful of potential solutions. The authorities can hack into suspects’ devices, thereby bypassing the encryption that shields messages as they transverse the networks. They can order the providers to install “backdoors,” or they can forbid the providers from using end-to-end encryption in the first place.
In the U.S., the debate flared up earlier this year as Apple (AAPL) fought the FBI over encryption. With anti-encryption hardliners such as Senator Lindsey Graham switching sides once they understood the technical reality, investigators resorted to hacking into the iPhone that was at the center of the row.
It may be that France and Germany want to introduce EU-wide measures on encryption so they can have more heft behind them when they ask services such as WhatsApp—based outside the EU—for help. The U.K., still in the EU for now, may back them up. But there’s no easy answer to what comes afterwards.
For more on encryption, watch our video.
“It’s another populist measure that can be dangerous for our privacy and at the same time doesn’t mean anything,” Fiedler says.
The next step in this debate will possibly be the upcoming revision to the EU’s “e-privacy” directive, which sets out privacy restrictions for telecommunications operators. The Commission wants to bring internet-based communications providers such as WhatsApp and Skype (MSFT) under the same regulatory regime, and it’s possible that the new version may explicitly talk about decryption orders.
But it’s unlikely that the Commission will try to ask for the impossible. Commission vice president Andrus Ansip has already come out as very pro-encryption and anti-backdoor. The European Parliament, which would its own say on any new directive, is of the same mind.
There is a possibility here that the French and German governments, both of which are heading into national elections next year, are just trying to look tough.