Encryption backdoors by law? France says 'non'

A proposed amendment to France's Digital Republic Bill, suggesting mandatory hardware backdoors to bypass encryption, has been rejected by the government.
Written by Liam Tung, Contributing Writer

France's deputy minister for digital affairs, Axelle Lemaire: Backdoor proposal would amount to "vulnerability by design".

Image: Axelle Lemaire

The French government has rejected a proposed bill that would have required hardware makers to design products that give authorities access to stored data, even if it is encrypted.

The draft bill, proposed by a right-leaning politician in the wake of the Paris terrorist attacks, would have required all tech companies to insert backdoors into devices, on the grounds that encryption should not impede a police investigation.

The proposal, brought by Republican politician Nathalie Kosciusko-Morizet, came as an amendment to the Digital Republic Bill, France's proposed legal framework for open data, net neutrality, and data protection in the context of cloud computing.

"France must take the lead by requiring equipment manufacturers to consider the imperative of access of police and gendarmes, under the supervision of a judge and only in the context of a judicial inquiry, to these materials," the draft amendment read.

The failed bid to introduce mandatory backdoors marked one more effort to legislate against encryption in a debate that's been reignited by the Paris terror attacks, after speculation the attackers used encryption to coordinate the assaults.

It came alongside a proposal in New York to ban the sale of any smartphone using encryption that cannot be bypassed by its manufacturer.

Critics of such proposals have repeatedly pointed out that secret backdoors cannot be kept exclusively open to law enforcement without the risk that they'll be found and exploited by criminals or other governments.

That was the argument taken up by France's deputy minister for digital affairs, Axelle Lemaire, who was quoted by French site Numerama as calling the proposal "vulnerability by design". With the Digital Republic Bill, the government hopes to enable privacy by design.

"With a backdoor, personal data is not protected at all," Lemaire said. "Even if the intention is laudable, it also opens the door to players who have less laudable intentions, not to mention the potential for economic damage to the credibility of companies planning these flaws."

A case in point, she said, was the recently discovered backdoor in Juniper's ScreenOS, thought to have been inserted in 2012, giving the attacker a free hand to decrypt data passing through its equipment.

She also pointed to the recent announcement by the Netherlands that it would not legislate against the development, availability and use of encryption due to its importance to businesses, such as online banking, and personal privacy.

While acknowledging that the Paris attackers possibly did use encryption, the Netherlands government said, "A technical input into an encryption product that can be seen by the prosecution authorities would allow encrypted files in digital systems to be vulnerable, eg to criminals, terrorists and foreign intelligence services."

Kosciusko-Morizet defended her proposal on the grounds that police should be able to inspect computers the way they can search a home.

Read more about encryption backdoors

Editorial standards