The European Data Protection Board (EDPB) issued its final recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data last week, which provides additional guidance for international transfers to countries without an Article 45(3) adequacy finding.
Appropriate Safeguards and Technical Supplementary Measures
Getting to the heart of Schrems II and Article 46 transfers subject to appropriate safeguards, the EDPB notes “[a]n essentially equivalent level of protection to that guaranteed within the EU must accompany the data when it travels to third countries outside the EEA to ensure that the level of protection guaranteed by the GDPR is not undermined, both during and after the transfer.” EDPB Recommendations 01/2020 at 9.
As we’ve learned, standard contractual clauses and other Article 46 transfer tools are not bulletproof alternatives to an adequacy finding. Even when using SCCs and other transfer tools containing “appropriate safeguards,” the EDPB points out the other “supplementary measures” may be required “to ensure an essentially equivalent level of protection.” Id. at 13.
The EDPB recommends that exporters conduct assessments of the effectiveness of the chosen Article 46 tool, including how its use is impacted by public authorities of third countries (e.g., intelligence agencies). Exporters must consider whether government organizations “may seek to access the data with or without the data importer’s knowledge, in light of legislation, practice and reported precedents.” Id. at 14. Similarly, exporters need to consider whether governments have the technical or legal ability to access the data through the importer or a telecommunication provider.
If the third country is known to engage in such data access practices, then the exporter will have to implement adequate supplementary measures if it wants to continue with the transfers. See id. at 17-18. However, “if you consider that you have no reason to believe that relevant and problematic legislation will be applied, in practice, to your transferred data and/or importer.” Id. at 18. In this case the exporter “will need to have demonstrated and documented with a detailed report that problematic legislation will not be applied in practice to your transferred data.” Id.
That’s a whole lot of background to say that if there is a risk of government access to the data, then it’s likely exporters will need to implement supplementary measures. Annex 2 of the EDPB Recommendations 01/2020 provides examples of technical, contractual, and organizational supplementary measures that will aid in bringing the transfers up to the level of the requirements demanded by Schrems II.
And really, it’s only technical measures that fit the situation at hand:
Indeed there will be situations where only appropriately implemented technical measures might impede or render ineffective access by public authorities in third countries to personal data, in particular for surveillance purposes.
Id. at 22.
In a hypothetical scenario, the EDPB highlighted the concern of unauthorized data access (e.g., mass collection from undersea cables, secret agreements with telecoms, etc.) from the third country’s government agencies:
Public authorities in third countries may endeavour to access transferred data
a) In transit by accessing the lines of communication used to convey the data to the recipient country. This access may be passive in which case the contents of the communication, possibly after a selection process, are simply copied. The access may, however, also be active in the sense that the public authorities interpose themselves into the communication process by not only reading the content, but also manipulating or suppressing parts of it.
b) While in custody by an intended recipient of the data by either accessing the processing facilities themselves, or by requiring a recipient of the data to locate, and extract data of interest and turn it over to the authorities.
Id. at 29.
And this leads into the quantum question.
The EDPB’s further examination of encryption standards highlighted concerns that the strength of the encryption and the encryption key length must “take[] into account the specific time period during which the confidentiality of the encrypted personal data must be preserved.” Id. at 30. A footnote on this passage expands further on the viability of modern cryptographic algorithms:
The protective capacity of cryptographic algorithms is subject to decline over time due to the discovery of new cryptanalytic techniques, the emergence of new computing paradigms like quantum computing, and the general increase of available computing power, unless the applied algorithms are proven to be information theoretically secure. This concern applies in particular to public key algorithms that are at the time of writing in common use. In consequence, the data exporter has to consider that public authorities may undertake to access encrypted data in the circumstances described in paragraph No. 80, and store it until their resources are sufficient for decryption. The supplementary measure can only be considered effective if such decryption and subsequent further processing at that time would no longer constitute an infringement of the rights of data subjects, e.g., because the data can no longer be used to directly or indirectly identify them.
Id. at 30 n.81 (emphasis added).
In these cases, it appears that the EDPB is suggesting encrypted personal data (as a supplementary safeguard against government surveillance) is only acceptable for transfers to third countries if either:
- “[T]he specific time period during which the confidentiality of the encrypted personal data must be preserved” is shorter than the time it will take us to reach the quantum threshold.
OR - The data exporter is using a post-quantum encryption algorithm.
The EDPB’s concerns here come full circle with the Schrems II fallout, which takes us back to the issues surrounding the Snowden leaks and the bulk collection of data by the United States. The EDPB has identified what it believes is a genuine threat that the NSA, among other agencies and/or governments, will collect and store massive amounts of encrypted data as it awaits the arrival of a quantum computer capable of decrypting these massive data troves. Today’s inaccessible secrets are tomorrow’s intel. Accordingly, it appears some organizations may have to presume that encrypted data is collected and retained by, at least some, third countries.
Let’s back up and take a look at the concerns the EDPB presents about quantum computing.
Public Key Algorithms In Danger by Quantum Computing
Because of the nature of most algorithms used in public key cryptography and the efficiency in which quantum computing should be able to solve these algorithms, nearly every form of modern web communication is in danger.
In the wonderful book Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Age, Steven Levy tells the story of how Whitfield Diffie and Marty Hellman discovered a novel way to share secrets through public communication of cryptographic keys. The discovery, initially shared in their 1976 paper New Directions in Cryptography, changed the computing world forever. Nearly every manner we use to communicate online today relies on some use of a public and private key. Accordingly, it is incredibly important—for both privacy’s sake and larger security concerns—that we maintain the security offered by public key cryptography.
Our use of public and private keys for data encryption has stood the test of time thus far because we have devised algorithms that use complex mathematical problems that are too hard for classical computers to attack via brute force. These incredibly useful mathematical problems commonly involve factoring the product of very large prime numbers. Given time, computers can work these problems; however, most people (and governments) don’t have a billion or so years to wait to find out what’s in your transmitted message.
While we’ve made significant advances in processing power over the past 40-ish years, we’ve been able to adjust to the risk of having weak keys in our algorithms by simply upping the key size. Quantum computing is expected to eventually change this.
Without getting lost in the weeds of quantum computing, these complex math problems we’ve relied on for several decades appear to be the kinds of problems that quantum computers will be very efficient at solving. This means the billion years it would take to solve our public key cryptography problem could be cut down into trivial tasks using quantum computers.
If you want to a peek into the math, here’s a great primer on how Shor’s algorithm can tackle the factorization problems much more efficiently using quantum computers:
And so, the quantum threshold is the real rub that the EDPB is hinting at in these latest recommendations:
. . . the data exporter has to consider that public authorities may undertake to access encrypted data . . ., and store it until their resources are sufficient for decryption.
If the NSA (or other third country’s agency) is hoovering up massive amounts of encrypted data that is transmitted using strong, state-of-the-art TLS encryption, the data is inaccessible today. However, once we crossover the quantum threshold, all of that data is an open book to whoever has stored it thanks to the quantum computers and the likes of Shor’s algorithm.
How Long Until We Reach the Quantum Threshold?
This the key concern for the EDPB’s third country transfer technical measures requirements. Of course, it’s also critical for every internet user and the security of data on a global scale.
The short answer is that no one knows but we’re getting closer. Whether stable quantum computers are a gradual development in processing power or we have a massive breakthrough at one of the many research projects underway is anyone’s guess.
We may be months or decades away. Or, we may never wrangle quantum computers in the way we hope to. Whatever the case, it’s important that we develop encryption algorithms that keep our data and communications safe from eavesdroppers using either classical or quantum computers.
The uncertainty of when or whether we will reach the quantum threshold is a dangerous pairing with the EDPB’s warning concerning the validity of using encryption as a supplementary measure.
The supplementary measure can only be considered effective if such decryption and subsequent further processing at that time would no longer constitute an infringement of the rights of data subjects.
EDPB Recommendations 01/2020 at 30.
Looking Forward to Post-Quantum Encryption Algorithms
We’re not hopeless in finding a way to protect our encrypted data from brute force attacks by quantum computers. There are many post-quantum encryption algorithms in development today. NIST has been working toward post-quantum cryptography (PQC) standardization since 2017.
NIST is expected to release draft standards and call for public comments for PQC standardization at some point in 2022-2023. A finalized standard will hopefully be available by 2024.
NIST provided guidance in SP 800-56C Rev. 2 that allows you to combine an unapproved post-quantum cryptography algorithm (i.e., “some other method”) with a NIST-approved algorithm and still receive FIPS validation.
In addition to the currently approved techniques for the generation of the shared secret Z as specified in SP 800-56A and SP 800-56B, this Recommendation permits the use of a “hybrid” shared secret of the form Z′ = Z || T, a concatenation consisting of a “standard” shared secret Z that was generated during the execution of a key-establishment scheme (as currently specified in [SP 800-56A] or [SP 800-56B]) followed by an auxiliary shared secret T that has been generated using some other method.
NIST SP 800-56C Rev. 2 at 2.
Likewise, the National Cybersecurity Center of Excellence (NCCoE) recently released a whitepaper on Getting Ready for Post-Quantum Cryptography: Exploring Challenges Associated with Adopting and Using Post-Quantum Cryptographic Algorithms. The NCCoE highlights some of the challenges with replacing the current public-key algorithms with post-quantum algorithms.
The most critical functions that currently require public-key cryptography are key establishment (i.e., the secure generation, acquisition, and management of keys) and digital signature applications. It would be ideal to have “drop-in” replacements for quantum-vulnerable algorithms (e.g., RSA and Diffie-Helman) for each of these purposes. There are multiple candidate classes for post-quantum cryptography. Unfortunately, each class has at least one requirement for secure implementation that makes drop-in replacement unsuitable.
Getting Ready for Post-Quantum Cryptography at 3.
On the production side, Amazon’s AWS is already supporting some post-quantum encryption tools. In November 2019, Amazon announced that AWS Key Management Service supports “post-quantum hybrid key exchange for the Transport Layer Security (TLS) network encryption protocol that is used when connecting to KMS API endpoints.” For those unfamiliar with TLS (and its predecessor, SSL), it is the backbone cryptographic protocol that allows us to navigate the internet with web browsers while maintaining an encrypted connection to the host web servers.
While it’s unlikely that AWS’s post-quantum cryptographic algorithms will win the NIST standard adoption (both are listed as potential alternates in the latest round – see algorithm entries BIKE and SIKE), the real-world implementation that AWS is using for a hybrid post-quantum TLS handshake provides some confidence in moving toward a post-quantum internet in the not-to-distant future.
Final Thoughts
Unfortunately, the world is not quite ready with an arsenal of post-quantum cryptography standards. Many bright researchers and organizations are pushing full steam as we move toward what seems like an inevitable quantum threshold.
As more prodding from regulators pushes for data protection and security holes around quantum computing to be filled, we will continue to pick up steam. A sudden eureka moment in quantum computing could be exciting for developments in the field, while also devastating to present cybersecurity infrastructure.
Of course, as a society, we can’t even get organizations to exercise fundamental cybersecurity practices. Hoping for widespread adoption of post-quantum cryptography standards in the next 5-10 years may simply be a pipedream. Nevertheless, the clamor for post-quantum cryptography grows a little bit louder.
Additional Reading
As mentioned above, Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Age by Steven Levy is essential reading for anyone interested in the history of digital cryptography. Likewise, Cryptography Apocalypse by Roger Grimes is directly relevant to today’s discussion of the quantum threshold and post-quantum cryptography. Edward Snowden’s Permanent Record provides additional context into the US intelligence community’s actions that ultimately led us to the Schrems II result and the posture of the EU toward the US today.
Leave a Reply