Cybersecurity & Tech Surveillance & Privacy

The World’s Not Waiting for California: France Moves to Enforce Decryption

Daniel Severson
Monday, March 7, 2016, 7:00 AM

Legislators in France are watching closely the fight between Apple and the FBI, but, in the meantime, the French National Assembly has amended a pending counterterrorism bill to impose heavy penalties on technology companies that fail to cooperate in decrypting communications relating to terrorism investigations.

Published by The Lawfare Institute
in Cooperation With

Legislators in France are watching closely the fight between Apple and the FBI, but, in the meantime, the French National Assembly has amended a pending counterterrorism bill to impose heavy penalties on technology companies that fail to cooperate in decrypting communications relating to terrorism investigations.

The National Assembly is currently considering a bill on Combatting Organized Crime, Terrorism, and Related Financing and Improving the Efficiency and Guarantees of Criminal Procedure. The bill as submitted by the government is available here. A vote is expected this Tuesday before it heads to the Senate.

During its consideration of the bill, the National Assembly last week adopted an amendment that would impose a 350,000 euro fine and five years imprisonment on private companies and their executives who, in terrorism investigations, refuse to provide to the authorities data protected by encryption standards they created.

The amendment also increases penalties for those who do not design their own encryption. Article 60-1 of the Code of Criminal Procedure provides that the prosecutor or the judicial police may, “by any means,” require any person “likely to have information relevant to an investigation,” including digital and personal data, to turn over such information. Failure to comply promptly is subject to a 3,750 euro fine. The amendment would increase that penalty to 15,000 euros and two years imprisonment for terrorism investigations.

The amendment would similarly enhance penalties for a more general provision—article 60-2 of the Code of Criminal Procedure—that requires public and private parties, with limited exceptions, to make available “information useful for ascertaining the truth.” The current provision also allows the police with prior judicial authorization to require telecommunications service providers to take without delay “all measures necessary” to preserve for up to one year the content of information consulted by persons using their services. Under the amended bill, a 3,750 euro fine would become a 15,000 euro fine plus two years imprisonment for terrorism investigations.

These penalties have apparently never been enforced, so some observers question whether increasing them is necessary.

During floor debates, however, Deputy Philippe Goujon characterized the current penalties as “paltry” and proposed the amendment as a “compromise” to shuttle the bill through Parliament.

The National Assembly had rejected other amendments with higher financial penalties.

An amendment proposed by Republican Deputy Éric Ciotti (text here) would have required that the manufacturers of telecommunications tools, telecom operators, and Internet service providers provide all relevant communications in a terrorism investigation to the authorities. Violations would result in a two million euro fine and a one-year ban on marketing products and services in France.

In support of the amendment, Deputy Ciotti noted that, according to a special computer science unit of the French judicial police, at least 8 cell phones of the 133 analyzed in 2015 could not be "treated.” Those phones included an iPhone 4S, seized in connection with the investigation of the November 13 attacks in Paris, and a mobile phone of Sid Ahmed Ghlam who had planned to attack a church in Villejuif last year.

Two other amendments by Deputy Yann Galut (text here and here) would have increased fines to one million euros for designers of electronic equipment who refuse to cooperate in providing access to data relevant to an ongoing investigation. In support of these measures, Deputy Galut and others cited a New York Times op-ed from August 2015 by the Manhattan district attorney, Cyrus R. Vance, Jr., and the Paris chief prosecutor, François Molins, that warned about going dark.

The amendments produced a heated debate with Apple, Google, and other tech multinationals front and center.

In the morning session on Thursday, Deputy Ciotti argued that heavy penalties were required “when faced with companies whose market capitalization reaches several hundred billion dollars, who consider state governments dwarfs, and who show contempt for the law.” He therefore proposed a temporary ban on marketing as “the only way to signal to these companies that their financial incentives will never surpass the laws of a democratic state.”

Deputy Galut emphasized that multinationals have effectively “decided to enact their own legislation” and that frustrating investigations is “unacceptable.”

The rapporteur for the Committee of Laws, Pascal Popelin, condemned refusals to cooperate by tech giants acting “in the name of a pseudo-defense of liberties” and trying to “justify the unjustifiable.” However, he noted that other provisions of the French Code provide that the government can already require decryption, though those provisions do not set specific penalties for failure to comply.

Another deputy observed that the debate is not a simple one pitting multinationals completely insensitive to terrorism against judges singularly pursuing the truth in investigations. He also cautioned, “Think about what could happen to decryption keys in the hands of authoritarian regimes, like China, North Korea, or Syria.”

Minister of Justice Jean-Jacques Urvoas asked the deputies to withdraw their amendments. “A national law is ineffective,” he said. Only “international cooperation” can provide an effective solution. He assured the deputies that the French government is already working with Brussels for a solution at the EU and that Robert Gelli, the Director of the Department of Criminal Affairs of the Ministry of Justice, is meeting with American officials. The next meeting is on March 18.

The Galut amendments were withdrawn, and the Ciotti amendment failed by a vote of 12 to 11. Meanwhile, the Goujon amendment passed.

The amendment will likely change before becoming law.

Speaking for the Committee of Laws, rapporteur Pascal Popelin noted Deputy Goujon’s compromise amendment would prove useful: “strengthening penalties for refusing to cooperate with the authorities is one of the best vehicles for improving the authorities’ access to information necessary to ascertain the truth” in investigations. However, he noted that the text creates some problems of consistency in the Code of Criminal Procedure. Although the Minister of Justice Urvoas opposed the amendment for these reasons, it passed.

If the bill emerges from the National Assembly, the Senate will need to work with the government to iron out any discrepancies in the amendment. Deputy Goujon concluded, “It costs nothing to adopt this amendment. . . . It is raw material that the government can modify through the legislative process. I am confident that we can ultimately reach a mutually agreeable provision.”

[Editor's Note: An earlier version of this post misstated Éric Ciotti's party affiliation. He is part of Les Républicains.]

Daniel Severson is a Harvard Law School and Harvard Kennedy School graduate. He served as editor-in-chief of the Harvard International Law Journal and writes for Lawfare. Daniel was a Harvard University Presidential Public Service Fellow at the Defense Department, a Council of American Ambassadors Fellow at the State Department, and a Fulbright Scholar in Taiwan. He plays the French horn.

Subscribe to Lawfare