Privacy tech firms warn France’s encryption and VPN laws threaten privacy

Privacy-focused email provider Tuta (previously Tutanota) and the VPN Trust Initiative (VTI) are raising concerns over proposed laws in France set to backdoor encrypted messaging systems and restrict internet access.

The first case concerns a proposed amendment to France's "Narcotrafic" law, which would compel providers of encrypted communication services to implement backdoors, enabling law enforcement to access decrypted messages of suspected criminals within 72 hours of a request.

Non-compliance could result in substantial fines: €1.5 million for individuals and up to 2% of annual global turnover for companies.

The law has not yet been put into effect, but the amendment has already passed the French Senate and is advancing to the National Assembly, so mounting opposition is crucial.

In a new statement, Tuta urges the French National Assembly to reject this amendment, advocating for the preservation of robust encryption to protect individual privacy and security.

They stressed once again that mandating backdoors in software undermines the security and privacy of all users, not just criminals, as it creates vulnerabilities exploitable by malicious actors.

"A backdoor for the good guys only is a dangerous illusion," Tuta Mail's CEO, Matthias Pfau, told BleepingComputer.

"Weakening encryption for law enforcement inevitably creates vulnerabilities that can – and will – be exploited by cybercriminals and hostile foreign actors. This law would not just target criminals, it would destroy security for everyone."

Tuta goes a step further to note the legal complexities that arise from the proposed amendment, as it reportedly opposes Europe's GDPR and also Germany's IT security laws.

VPNs object access restrictions

Earlier this week, VTI issued a strong statement on a law amendment in France driven by rightsholders Canal+ and the French Football League (LFP), who have initiated legal actions to compel VPN providers to block access to pirate sites and services.

VTI, whose members include AWS, Google, Cloudflare, Namecheap, OVH, IPVanish VPN, Ivacy VPN, NordVPN, PureVPN, and ExpressVPN, sees this as wrongful targeting of VPN services and urges French authorities to reconsider their approach.

"Focusing on content-neutral tools like VPNs rather than addressing the sources of illegal content not only fails to combat piracy but creates and inflicts collateral damage to cybersecurity and privacy, putting users at risk," stated VTI.

In the letter it posted on its website, the VTI draws parallels with overly aggressive internet blocking laws in China, Russia, Myanmar, and Iran, characterizing the proposal as a potential "weapon for censorship."

Govt pressure mounting

The latest news about sweeping law proposals in France confirms a rising trend of government action aimed at imposing closer control and monitoring of data flows over the internet.

Last week, Apple decided to pull its iCloud end-to-end encryption feature, Advanced Data Protection (ADP), from the UK following a secret order from the government demanding the creation of a backdoor to access user data.

A similar law proposed in Sweden is poised to grant law enforcement agencies access to users' message history from apps like Signal. However, Signal's President Meredith Whittaker said in a recent interview that this law would force them to pull their service out of the country.