France pushes for law enforcement access to Signal, WhatsApp and encrypted email 


France is proposing a law to require encrypted messaging applications including Signal and WhatsApp and encrypted email services such as Protonmail to provide law enforcement with decrypted data on request.

An amendment to France’s proposed “Narcotraffic” bill, which is passing through the National Assembly in the French Parliament, will require tech companies to hand over decrypted chat messages of suspected criminals within 72 hours.

The law, which aims to provide French law enforcement with stronger powers to combat drug trafficking, has raised concerns among tech companies and civil society groups that it will lead to the creation of “back doors” in encrypted services that will be exploited by cyber criminals and hostile nation states.

Individuals who fail to comply face fines of €1.5 million, while companies risk fines of up to 2% of their annual world turnover if they fail to hand over encrypted communications demanded by French law enforcement.

Back doors would be exploited by criminals

Matthias Pfau, CEO of Tuta Mail, a German encrypted mail provider, said that it was not possible to introduce back doors into encrypted services without fundamentally weakening their security. 

“A backdoor for the good guys only is a dangerous illusion. Weakening encryption for law enforcement inevitably creates vulnerabilities that can – and will – be exploited by cybercriminals and hostile foreign actors. This law would not just target criminals, it would destroy security for everyone,” he said.

Matthew Hodgson, CEO of Element, a secure communications platform used by governments, said that the company was concerned that the French proposals were not technically feasible without fundamentally weakening the security of messaging and email services.

“We are deeply concerned by yet another potential attack on encryption,” he said. “Like the Online Safety Act in the UK, this French proposal shows a deep misunderstanding of what is technically possible in end-to-end encrypted systems.”

“We will keep repeating ourselves until the message sticks – there are no safe backdoors into encrypted services,” he added.

France led international police operations against encrypted phones

France has played a key role in hacking dedicated encrypted messaging services used by drug traffickers, including EncroChat, Sky ECC, and Anom, resulting in the arrests of thousands of people worldwide suspected of drugs trafficking and money laundering.

But opponents of the French law argue that breaking an encryption application that is allegedly designed for use by criminals is very different from breaking the encryption of chat apps, such as WhatsApp and Signal, and encrypted emails used by billions of people for non-criminal communications.

“We do not see any evidence that the French proposal is necessary or proportional. To the contrary, any backdoor will sooner or later be exploited, it is only a matter of time,” said Pfau.

French senators, Étienne Blanc and Jérôme Durain, first tabled the proposed law, entitled “Getting France out of the drug trafficking trap” in January 2024. The bill has passed its first reading, and is due to be considered in Committee on 4 March 2025 and by the Chamber of the National Assembly on 17 March 2025.

The amendment “establishes an obligation for platforms to implement the necessary technical measures to allow intelligence services to access the intelligible content of correspondence and data transiting through them”.

It requires French intelligence agencies to consult with France’s National Oversight Commission for Intelligence-Gathering Techniques (CNCTR) – an independent body that has parallels with the UK’s Investigatory Powers Commissioner’s Office (IPCO) – to obtain authorisations to demand clear-text versions of encrypted messages from tech companies.

Law permits police use of spyware

The law also permits the use of spyware such as NSO Group’s Pegasus or Paragon to allow police to remotely activate microphones and cameras of mobile phones and computers, according to an analysis by the civil society group La Quadrature du Net.

It also extends the scope of algorithms known as “black boxes”, which collect data on communications over the internet with the intention of identifying people suspected of criminal activity, to authorise the collection of data for “combating crime and organised crime.”

Police will also have powers to censor or restrict access to web sites and content relating to drug trafficking reported by members of the public through the Pharos reporting system, if the material is considered illegal, without the intervention of a judge. 
The move has raised concerns from human rights groups that shared memes or jokes about drugs, or excerpts of films could be wrongly blocked.

French law in conflict with EU and German privacy laws

Tuta Mail has warned that if the proposals are passed, it would put France in conflict with European Union laws and German IT security laws, including the IT Security Act and Germany’s Telecommunications Act (TKG), which require companies to secure their customers’ data.

If France goes ahead with its proposals, Tuta Mail, which provides services in both France and Germany, would be forced to choose between complying with French or German law.

“German laws like the IT Security Act and the TKG [Telecommunications Act] force us to protect data and mandate that IT systems must not be altered in a way that the security is weakened just for access by law enforcement. We at Tuta will not comply with any law requiring a backdoor, but German law also prohibits us from doing so”, says Pfau.

“The European Data Protection Supervisor has clearly stated that any new measure restricting encryption must ‘pass the test of necessity and proportionality, based on substantiated evidence’. We do not see any evidence that the French proposal is necessary or proportional,” he added.

La Quadrature du Net, a non-profit organisation that defends people’s rights and freedoms on the net, has urged politicians to reject the amendment when it is discussed in the National Assembly in March.

The group said in a blog post in January that civil society groups, cryptography experts and the French Cyber Security Agency, ANSSI, have been warning for years that accessing encrypted communications is not only technically impossible but contravenes digital security requirements.

“End-to-end encryption is designed so that companies themselves do not have access to messages. Introducing access (a “backdoor”) would weaken the level of protection of all communications and this is not provided for anywhere in the world,” it said.

The Observatory of Liberties and Digital Technology (OLN), a coalition representing the French lawyers’ union, the magistrates’ union and human rights groups, has also called for parliamentarians to reject the bill.

It has raised concerns that the bill prevents information about surveillance operations from being disclosed to defendants, making it impossible for them to challenge

“The persons prosecuted would thus no longer have any way of knowing or contesting when and how they were monitored, including therefore, in the event of potential abuse by the investigation services,” it said.
