by Sam Bocetta
The European Commission has begun taking more decisive steps toward secure, encrypted communications. But while all of these steps may be positive, not all of them are identical.
Recently, the EU executive has made it clear that staff should use the messaging app Signal, a less popular, but a potentially more secure competitor to WhatsApp. This comes after countries in the EU failed to agree on governing rules for WhatsApp (as well as for Skype), as part of discussions on the recent ePrivacy regulation. But at the same time, the European External Action Service (EEAS) has decided to create its own messaging platform for EU officials to use in their work across the world.
As the EEAS is the EU’s delegation to countries across the planet (including to dangerous crisis zones or states that potentially harbour ill-will), it is unsurprising they’ve opted for something more advanced than their EU commission counterparts.
Instructing their staff to steer clear of the EU Commission’s chosen platform, Signal, the EEAS has opted for a more tailored approach. While Signal is widely used and praised for its security and level of encryption, the EEAS believes it needs something even more advanced. Their sights are set on a secure, instant messaging tool to be used for exchanges of classified “EU restricted” information.
What are the exact details of the EU’s new messaging app?
Staff members for the EU Commission need a secure messaging tool for unified communication in order to ensure greater mobility with collaboration, to centralize information, and to boost overall efficiency. However, the EEAS has, unsurprisingly, remained quiet when it comes to revealing details about their new messaging tool. However, while internal security features were kept under wraps, it has been revealed that the new tool has been deployed since late Q3 2019.
Nobody can be sure just how exactly the EEAS is encrypting its messages across the new tool, or what software, protocols, or security auditing techniques it is based on. Its ability to protect data is another question mark. It also remains unclear whether the tool has been tested under a rigorous data protection impact assessment, although, as assessments like this are currently required by EU legislation, it is likely this will be the case.
This isn’t to say that the EU has a perfect history with data protection. It was only recently that it ran into data related trouble when they hired NationBuilder, a company swamped in controversy after its role in President Donald Trump’s 2016 US election win and Brexit.
A new focus on encryption
While the EEAS is focusing on its new tool, the EU commission has adopted Signal in its efforts to become more secure. An end-to-end encryption app, Signal is ideally placed to help these bolstered security efforts.
Beyond the EU, Signal is a favourite choice for security and privacy experts due to its open-source technology and end-to-end encryption. Features such as automatic message deletion help to prevent messages being read by third parties, and it’s open-source allows multiple developers to improve its security.
Developed in 2013 by security experts, Signal is backed by WhatsApp creator Brian Acton, who famously clashed with Facebook in 2017. It is specifically designed so that the people running the Signal platform can’t see any of your messages or listen to your calls – and neither can any bad agents.
While WhatsApp can claim it is based on the same protocol as Signal (called Open Whisper Systems), it cannot claim to be open source. It also has a murky history of being used to apparently deliberately mislead EU officials when it came to how data was used.
The EU’s increasing security concerns
The EU has a patchy history when it comes to data leaks, so it comes as no surprise that it is attempting to enhance its level of cybersecurity.
In late 2018, it was discovered that thousands of confidential diplomatic cables were taken from the EU’s Courtesy system – a platform used to enhance foreign policy information. Likewise, in June 2019, it was discovered that the EU’s Moscow delegation had suffered a data breach with two computers being hacked. This pattern of almost yearly breaches seems unlikely to stop.
While it should be clear that many governments have historically had little actual idea of how encryption works, considering the large number of cybersecurity crises that have happened, EU officials aren’t entirely unschooled when it comes to cybersecurity. They already use encrypted emails when sending sensitive information, and classified documents are sent using even more levels of security.
The use of Signal has mainly been adopted for normal communication outside of critical or sensitive exchanges, suggesting the EU is taking cybersecurity seriously across even the less vulnerable channels.
That said, the adoption of encrypted platforms like Signal might not be received with open arms. Governments across the world – from Washington to Brussels – have typically been against “impossible to crack” encryption, as it can hinder law enforcement efforts. Whether this will influence any of the EU’s security decisions, however, remains to be seen.
Increased security across the board
The EU has demonstrated, through its creation of a new messaging tool and its adoption of Signal, that it is putting an emphasis on encryption. It understands the need for cybersecurity and appreciates the level of advanced encryption that is needed to stay secure in the modern world. It is likely that more technologies will be adopted by the EU in the near future.
*first published in: www.euractiv.com