EU to developers: Your encryption is lacking

The European Union updated its guidelines for protecting personal information under EU data security laws, which are more stringent than those in the U.S.

In short, EU officials told developers they were doing a bad job encrypting data. While all the basic building blocks of good encryption methods exist, they said, implementation is lacking and testing is ineffective.

“The scientific study of such protocols can be said to be still not mature enough,” said the report, which was compiled by the European Network and Information Security Agency (ENISA).

Last year’s disclosures by government leaker Edward Snowden, which revealed a number of U.S. spy programs, have only pushed the EU to consider even more data security measures.

EU officials have also encouraged companies to ensure the U.S. government does not have unfettered access to EU citizens’ data. In response, major U.S. cloud computing companies have been launching EU-only data centers so customer data does not have to flow between the U.S. and EU.

In their report, EU officials highlighted cloud computing as a particular area of concern.

Standard encryption can secure data stored in the cloud, but not data being accessed from the cloud, they said.

“One either has to allow the cloud to decrypt the data,” leaving the data vulnerable, “or to download the entire data set to the user’s machine, thereby mitigating the benefits of moving to the cloud in the first place,” the report said.

In the wake of the Snowden disclosures, concerns over poor cloud encryption could cost the U.S. cloud industry up to $180 billion, according to some estimates.

Stateside, U.S. lawmakers have failed to move forward with their own efforts at legislation to limit the government's surveillance authority.

While the ENISA report presents merely guidelines, the EU is working to implement an update to its data protection laws, which is expected to go into effect next year.