Cybersecurity & Tech Surveillance & Privacy

Encryption Legislation Advances in France

Daniel Severson
Thursday, April 14, 2016, 9:02 AM

As the U.S. Congress considers encryption legislation, the French Parliament continues to move forward with enhanced penalties for companies that fail to aid sufficiently the authorities in gaining access to electronic data during a criminal investigation.

Published by The Lawfare Institute
in Cooperation With

As the U.S. Congress considers encryption legislation, the French Parliament continues to move forward with enhanced penalties for companies that fail to aid sufficiently the authorities in gaining access to electronic data during a criminal investigation.

The French Parliament is considering a new antiterrorism bill, which includes provisions on encryption. After passing the National Assembly in March, the bill emerged from the Senate on April 5. Using accelerated procedures, the government hopes to get a bill passed by May 26, when the state of emergency expires.

As described in this prior post, in response to the Apple-FBI dispute, the National Assembly adopted an amendment to the bill that would impose enhanced penalties for refusals to cooperate sufficiently in terrorism investigations.

Notably, those penalties would include large fines (up to 350,000 euros) and prison terms (up to five years) on corporate executives who refuse to provide to the authorities data encrypted using with their own encryption technology. The amendment would also change two provisions of the Code of Criminal Procedure: failure to provide to the judicial police information “relevant” or “useful for ascertaining the truth” in a terrorism investigation would result in enhanced penalties—a 15,000-euro fine and two years imprisonment.

On March 8, the National Assembly adopted this language (see “Article 4 quinquies”) when it passed the bill by a vote of 474 to 32, with 32 abstentions.

The Senate changed the details of the encryption provisions, but enhanced penalties remain.

In the Senate’s Committee of Laws Report, the rapporteur agreed that private firms that create encryption should face higher penalties for refusing to help the authorities in investigations but that some of the text that emerged from the National Assembly was “superfluous and counterproductive.”

The committee first dropped the specific, heavy penalties—350,000 euros in fines and 5 years in prison—for private companies that create encryption standards and that refuse to cooperate in decrypting communications in terrorism investigations. The committee reasoned that the introduction of these penalties would confuse the organization of the criminal code and, more important, that a different part of the criminal code already penalizes such conduct.

Article 434-15-2 currently imposes a three-year prison term and a 45,000-euro fine for “anyone who has knowledge of a secret decryption key for an encryption standard that may have been used to prepare, facilitate or commit a crime or offense” and who refuses to provide or use such decryption keys in cooperation with the authorities. If cooperation would have prevented a crime or limited its effects, the penalties increase to five years in prison and a 75,000-euro fine.

The Senate committee’s version of the antiterrorism bill would further increase these aggravated penalties to 150,000 euros in cases in which a corporation refuses to cooperate.

The Senate made another major change to the encryption provisions. Article 60-1 of the Code of Criminal Procedure currently provides that the prosecutor or the judicial police may, “by any means,” require any person “likely to have information relevant to an investigation,” including digital and personal data, to turn over such information. Failure to respond promptly to the requisition request is subject to a 3,750-euro fine. The bill that emerged from the National Assembly would increase that penalty to a 15,000-euro fine and two years imprisonment for terrorism investigations.

The Senate committee kept the amount of the enhanced fine, but would apply it both more narrowly—only to corporations—and more broadly—for all crimes, not just terrorism. The Committee also dropped the prison sentence, noting that prison time would be “disproportionate” and violate the necessity principle for criminal sentences, especially for a single failure to respond to a government request, rather than a refusal.

As in the United States, encryption has generated intense debates in France. The Senate rejected at least three proposed amendments that would have deleted the enhanced penalties altogether. This one, supported by the government, reasoned that encryption implicates the fundamental right to privacy and cannot be settled by “imprecise” and “technically dangerous” measures.

Le Monde reports that the French Network and Information Security Agency (ANSSI), an interministerial agency reporting to the Prime Minister and responsible for the government’s cyber defense, recently drafted a confidential memo supporting robust encryption and objecting to backdoors. The Senate version of the bill does not mention backdoors explicitly, but it moves forward with enhanced penalties for failure to cooperate in furnishing information during criminal investigations.

The Senate also added new punishments for obstructing the government’s efforts to block access to terrorist websites.

Article 6-1 of the Trust in the Digital Economy Act of 2004 currently allows the French government to block Internet sites that incite or publicly condone acts of terrorism. (An office of the French judicial police with a wonderfully dreadful acronym—OCLCTIC—implements these orders.)

Unlike the National Assembly, the Senate proposed a new provision that would punish anyone who knowingly hinders the effectiveness of such procedures with five years in prison and a 75,000-euro fine.

The Senate also proposed creating a crime for “habitually consulting” on a public communications service “messages, images or representations that either directly incite acts of terrorism or condone such acts” when such service includes content depicting voluntary acts of lethal violence. Punishment would be two years in prison and a 30,000-euro fine.

Perhaps recognizing the provision’s potential overbreadth and vagueness, the Senate version says that this article would not apply to “good faith” consultation, or for viewing content to inform the public, to conduct scientific research, or to gather evidence to be used in court.

The Senate proposes inserting these provisions after Article 421-2-5 of the French Criminal Code, which already provides that anyone who “directly incites” or “publicly condones” acts of terrorism faces five years in prison and a 75,000-euro fine. Doing so through a public communications service results in seven years in prison and a 100,000-euro fine.

More broadly, the antiterrorism bill will significantly bolster investigative powers.

Aside from encryption and communications provisions, the full antiterrorism bill strengthens the powers of prosecutors at a time when their independence has been called into question. The bill contains many investigative powers, including authorizations to conduct searches of homes at night under certain conditions, to use IMSI-catchers to eavesdrop on mobile phone traffic, to impose administrative measures (including house arrests) for persons who return to France and are suspected of joining or attempting to join terrorist theaters of operation, and to strengthen counterterrorism finance measures.

The Senate adopted this version of the entire bill on April 5 by a vote of 299 to 29, with 18 abstentions. A joint parliamentary committee is now considering the bill.

Daniel Severson is a Harvard Law School and Harvard Kennedy School graduate. He served as editor-in-chief of the Harvard International Law Journal and writes for Lawfare. Daniel was a Harvard University Presidential Public Service Fellow at the Defense Department, a Council of American Ambassadors Fellow at the State Department, and a Fulbright Scholar in Taiwan. He plays the French horn.

Subscribe to Lawfare