France is pushing a new law that would force messaging apps like Signal and WhatsApp, as well as encrypted email services like ProtonMail, to give law enforcement access to decrypted data when requested. This amendment to the “Narcotraffic” bill, currently under consideration in the National Assembly, mandates that companies hand over decrypted messages from suspected criminals within 72 hours.
The goal is to strengthen law enforcement’s ability to tackle drug trafficking, but many tech companies and civil liberties organizations are worried. They fear this could create “back doors” in encrypted services that might be exploited by cybercriminals and foreign adversaries. If companies fail to comply, they could face hefty fines—up to €1.5 million for individuals and 2% of a company’s global revenue for firms.
Matthias Pfau, CEO of Tuta Mail, argues that the introduction of back doors would fundamentally weaken security. He warns that the idea of a secure backdoor for law enforcement is a dangerous fantasy. Vulnerabilities created by such measures would inevitably be exploited by criminals and hostile actors, undermining security for everyone.
Matthew Hodgson, CEO of Element, echoes those concerns, stating the French proposals lack technical feasibility without compromising security. He emphasizes that there are no safe backdoors in encrypted systems, highlighting a fundamental misunderstanding of how encryption works.
France has previously led successful operations against encrypted messaging used by drug traffickers, like EncroChat and Sky ECC. These actions have led to numerous arrests, but critics assert that cracking down on these specific services isn’t the same as compromising the security of widely-used apps like WhatsApp and Signal, which millions rely on for everyday communication.
Opponents of the law question its necessity and proportionality, arguing that any backdoor would likely be exploited in time. The proposed law, introduced by French senators Étienne Blanc and Jérôme Durain, is set for committee review in March 2025, and aims to require companies to implement technical measures so intelligence services can access clear messages.
Additionally, the law would allow police to deploy spyware and use “black box” algorithms to gather data on suspected criminals. This raises concern about potential overreach, as police could censor content related to drug trafficking without judicial input.
Tuta Mail has warned that the proposed law could clash with existing EU and German privacy laws, which prioritize customer data security. If the law passes, Tuta Mail might have to choose between complying with conflicting regulations in France and Germany.
The European Data Protection Supervisor has stated that any new encryption restrictions must be necessary and proportional, yet critics argue there’s no evidence supporting the need for the French proposals. Advocacy group La Quadrature du Net has called for rejection of the amendment, stating that compromising encryption could undermine digital security, while the Observatory of Liberties and Digital Technology warns the bill could prevent defendants from challenging surveillance tactics, violating their rights.