Four days ago, Tuta, the provider of an end-to-end encrypted email service, published a blog post titled "France is about to pass the worst surveillance law in the EU. We must stop them now!".

According to them, this French law would allow the government, amongst other things, to have backdoors on all end-to-end encrypted services, remotely activate microphones and cameras, and tighten censorship of content.

This sounds pretty bad. To see where their claims come from, let's take a step back to November 2023.
Due to an (alleged) rise in drug trafficking in France, a commission was created at the initiative of the right-wing Les Républicains group. In May 2024, they submitted a report named: "A necessary leap forward: getting France out of the drug trafficking trap".

The rapporteur and president of this commission (respectively, Étienne Blanc from Les Républicains and Jérôme Durain from Socialiste, Écologiste et Républicain) decided, a few months later, to propose a similarly named law following the recommendations of the commission.

This bill currently includes 24 articles, all written in French, a language I sadly do not understand. A few of them are what you would expect given this context, such as the creation of a national anti-narcotics prosecutor's office or strengthening the anti-drug office (Ofast).

This bill was worked on by a specific commission, which concluded its work with a report on the 22nd of January 2025, a couple of weeks ago.

A few days after that, an amendment was proposed to the law, which added one more article; I quote from its "Subject matter":
This amendment introduces platforms to implement the necessary technical measures to enable intelligence services to access the intelligible content of correspondence and data transiting through the platforms.

This is the amendment that Tuta found to be deeply concerning. It forces encrypted messaging apps to decrypt any message at the government's request within 72 hours; to enforce this requirement, it introduces a fine of 1.5M€ or 2% of company income.

Indeed, the Senate voted on the new bill from the 28th of January to the 4th of February, and the amendment made it in as article 8(a) of the bill.

The current French law already requires cryptology services to provide the government with access to messages within 72 hours, but until now the law also had the following sentence: "Authorized agents may ask the aforementioned service providers to implement these agreements themselves within seventy-two hours, unless they demonstrate that they are unable to meet these requests". The bill completely deletes this part, making the request effectively mandatory.

Instead, the sentence "They cannot make any contractual or technical arguments that would hinder them" is added. It's not easy to read through the legal jargon here, especially in French, but this does seem to justify Tuta's worries.

Tuta argues that creating government backdoors for end-to-end encrypted services would also break European data protection laws like the GDPR:
The GDPR passes the control over personal data back to the people by forcing companies to protect personal data, possibly also with end-to-end encryption. Furthermore, Germany’s IT Security Act mandates that critical infrastructure (including IT systems) must be protected from cyber threats and unauthorized access, and Germany’s Telecommunications Act (TKG) regulates the security of communication services and data.

They also quote the following statement of the European Data Protection Supervisor:
Encryption, or the encoding of messages in such a way that only intended recipients can understand them, is one of the main tools to guarantee the security of our information. It is recognised as necessary for the digital economy and for the protection of fundamental rights, such as privacy and free speech.

Tuta is not the only company worried about such a development. Signal, the end-to-end encrypted messaging app, has very recently stated that they will refuse to operate in any country which requires backdoors on their encryption. This means that Signal might soon be unreachable for anyone living in France, but also in Sweden and the UK, which are passing similar laws.

However, this is just article 8(a) of the bill. Though this amendment is what prompted Tuta to speak out, they mention that the whole "war on drugs" law is full of worrying changes.
To do this, they quote a website called La Quadrature du Net. They seem to be an organization that "promotes and defends fundamental freedoms in the digital world", placing itself as quite left-wing and opposing, as an example, AI.

According to them, the "Narcotrafic" law would also allow for "remote activation of connected objects"; they say,
This law provides for a new escalation in surveillance by continuing the legalization of spyware (such as NSO-Pegasus or Paragon). It thus authorizes the police to remotely activate the microphones and cameras of fixed and mobile connected devices, such as computers or telephones, to spy on people.

The law also "significantly strengthens the organized crime regime"; the scope of the offenses covered by this regime has expanded "steadily over the years, affecting more people and situations". They claim that, in the past, the organized crime regime was used to pursue an activist fighting against the construction of administrative detention centers, but I found it hard to verify this claim.

They also claim that it would expand the use of "black boxes" to analyze the data of all our communications and exchanges, and that it would tighten the policy of censoring content on the Internet by extending it to publications related to the use and sale of drugs.

Even though I was able to track down the specific changes that prompted the initial Tuta post, going through all 24 of the bill's articles to find the specific changes that La Quadrature du Net is talking about is beyond my skills; as such, I am quite disappointed that they did not bother to make any specific link to the bill's text, which would've allowed us to more easily verify their claims.
As a result, please take all of La Quadrature du Net's words with a grain of salt; however, the requirement of adding a backdoor to all end-to-end encrypted communication is indeed a reality, and a worrying one.
The bill was approved in the Senate with a large majority, including votes from both the left and the right wing. However, it still has to be approved in the National Assembly, which can still amend it. Thus, Tuta and La Quadrature recommend calling your Assembly representatives if you live in France to let them know that you won't vote for them if they vote for this law.

I briefly mentioned this already, but it's worth noting that this law does not just fall from a coconut tree: similar attacks on end-to-end encryption are ongoing in the UK and Sweden. Quoting bleepingcomputer.com,
Last week, Apple decided to pull its iCloud end-to-end encryption feature, Advanced Data Protection (ADP), from the UK following a secret order from the government demanding the creation of a backdoor to access user data. A similar law proposed in Sweden is poised to grant law enforcement agencies access to users' message history from apps like Signal. However, Signal's President Meredith Whittaker said in a recent interview that this law would force them to pull their service out of the country.
