CyAN’s Position on the Recommendations of the High-Level Group on Access to Data for Effective Law Enforcement
The Cybersecurity Advisors Network (CyAN) opposes recommendations made by the European Commission’s High-Level Group on Access to Data for Effective Law Enforcement (HLG) that we view as incompatible with European rights and values.
Overview
The HLG, often referred to as “Going Dark” / #EUGoingDark was established in 2023 in order to develop ways for law enforcement to more effectively identify, track, and investigate international crime. Its current recommendations can be found here (PDF).
The High-Level Group has some laudable goals, including reducing crime, enhancing cooperation between law enforcement agencies, and improving efficiencies. The Cybersecurity Advisors Network opposes several components of the HLG recommendations, and encourages our members, partners, and stakeholders to do the same.
European Digital Rights (EDRi) published an article about HLG and many of the issues with its composition, its objectives, and the many issues associated with HLG’s activities in June 2024. Former Member of the European Parliament (MEP) for the German Pirate Party Patrick Breyer wrote a series of extensive posts on the problematic nature of the HLG; a good introduction can be found here.
In short, objections to the HLG, as well as to its goals and its decision-making process, include the group’s undemocratic lack of transparency and accountability, the excessive influence that law enforcement and national security entities have on EU policymaking through the group, its regular re-hashing of repeatedly defeated and debunked schemes to undermine the security of information through legally mandated weakening of encryption and other mechanisms which currently ensure citizens’ rights and safety online, and its willingness to consider measures that will damage fundamental European constitutional rights in the pursuit of illusory civic and national security.
The Proposed ProtectEU Security Strategy
The HLG is also involved in crafting the European Commission’s related ProtectEU Internal Security Strategy (full text here) which includes a push for mandatory encryption backdoors (“to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data in a lawful manner”). Politico has a good summary of some of the logic driving these problematic items in the EU’s proposed strategy. CyAN has signed the Global Encryption Coalition’s joint letter pushing back against ProtectEU, affirming our commitment to strong encryption and democratic safeguards.
Our Concerns About the HLG’s Recommendations on Access to Data for Effective Law Enforcement
The HLG’s recommendations bear the strong potential for a mass surveillance structure. While CyAN strongly supports the fight against online ills such as child sexual abuse materials (CSAM), cybercrime, fraud, terrorist / violent extremist content (TVEC), and image-based sexual abuse (IBSA), we insist that undercutting the freedoms of citizens runs counter to the liberal democratic values that are a cornerstone of European society. There are more effective and less damaging ways to achieve these aims.
Notably, the HLG explicitly advocates for the introduction of compulsory encryption backdoors, something CyAN has consistently opposed and actively campaigned against across multiple jurisdictions. Backdoors irreparably undermine encryption, and are detrimental to privacy, individual rights, economic prosperity, and democratic stability. CyAN has published numerous articles and position papers opposing such proposed laws in jurisdictions including Australia, Sweden, the US, and Japan, Ukraine, France and Sweden, the United Kingdom, and the European Union. Our members strongly advocate for the urgent need for viable end-to-end encryption [1] [2], free of backdoors [1] [2], especially in the face of quantum encryption, not least as a vital tool for protecting vulnerable populations,
Significantly, while the Copenhagen Criteria for membership in the European Union include democracy and transparency, the rule of law, human rights, and respect for minorities, the EU’s 27 member states have occasionally diverged from both these core values, and from each other’s interpretation thereof. While the EU is currently a stable system with strong safeguards for citizens’ rights, neither liberty nor democracy can be taken for granted. The past two decades have provided several examples of how quickly formerly free societies can revert towards authoritarianism. Technological and legal protections for anonymity, data security and integrity, and freedom of expression should be strengthened, not undermined.
CyAN’s Position
CyAN objects to the following components of the HLG’s proposed framework in its current form (May 2025):
- The requirement for online service providers to archive all online activities (27), as well as mandatory identification and data retention: clicks, messages, connections – under individuals’ legal names. This risks creating an online panopticon, and bears the risk of turning citizens into potential suspects. This will also dramatically subvert the utility of VPNs and other anonymity tools, that provide safety to users (27.v).
- Encryption backdoors: providers must supply data “in an intelligible way”, forcing them to weaken or bypass end-to-end encryption whenever asked (27.iii).
- Backdoors by design: hardware and software makers are ordered to bake permanent law-enforcement access points into phones, laptops, cars, and IoT devices (10, 22, 25, 26).
- Criminalisation of non-compliance: services or developers who refuse to spy on their users face fines, market bans, or prison (33, 34, 35, 37).
- Universality: the rules cover every “electronic communication service”, from open-source chat servers to encrypted messengers to vehicle comms systems (17, 18, 27.ii).
- Subversion of member-state national sovereignty: law enforcement may intercept data under another member state’s jurisdiction “without going through a cross-border cooperation instrument”. Not all EU members have equal levels of respect for freedom of expression, privacy, confidentiality, and similar concepts, and eroding a member state’s ability to protect its own citizens is a dangerous path to pursue (39).
The recommendations repeatedly mention a desire to prevent abuse, ensure citizens’ rights, and ensure that expanded surveillance and investigative powers are only used in a lawful, responsible manner – without specifics of what mechanisms would ensure such respect for Europeans’ basic human rights. It amounts to “trust us, we have your best interests in mind”.
Make Your Voice Heard
The Commission’s feedback period on the HLG’s recommendations is open until 18 June 2025, midnight Brussels time. In addition to supporting the GEC’s arguments against ProtectEU by signing the joint letter, CyAN will provide our own comments to the Commission on Access to Data for Effective Law Enforcement. We strongly encourage our members to do the same, and to contact their MEP in order to oppose surveillance overreach.
European Commission feedback form:
Global Encryption Coalition Joint Letter on ProtectEU:
A list of Members of the European Parliament by constituency:
https://www.europarl.europa.eu/meps/en/home
A sample text to send to your MEP:
Dear <…>
I am writing to you as an information security professional, in order to voice my opposition to the European Commission High Level Group on Access to Data for Effective Law Enforcement (HLG) current recommendations.
As a European citizen, I firmly believe that several of the HLG’s proposals are highly damaging to European fundamental liberties, to the security and integrity of online commerce, and to the trustworthiness of online discourse and democratic mechanisms.
These include, but are not limited to:
- The requirement for online service providers to archive all online activities (27), as well as mandatory identification and data retention (27.v)
- Encryption backdoors (27.iii)
- Backdoors by design (10, 22, 25, 26)
- Criminalisation of non-compliance (33, 34, 35, 37)
- Universality (17, 18, 27.ii)
- Subversion of member-state national sovereignty (39)
I support the HLG’s objectives of fighting cybercrime, terrorism, and abuse online, but the means advocated by the group are not the right way to strengthen our society.
I urge you to help ensure that the European Parliament, European Commission, and all other elements of the European Union’s legislative, executive, and judicial mechanisms continue to respect the rights of Europeans to privacy, trust, safety, anonymity, freedom of expression, and security online, and to not allow the undermining of the technological mechanisms that ensure these in the interests of a surveillance state which will damage our freedom and prosperity.
With best regards,
&c.