- The HLG (high -level group) of the EU now considers VPNs among the “key challenges” at investigative work.
- End -to -end encryption is also mentioned in the final report as the biggest technical challenge
- Experts call for restraint and consideration on measures, fearing that civilians carry “state spy software in their pockets”
For the first time, a group of EU experts explicitly mentioned VPN services as “key challenges” at the survey work of law enforcement organizations, alongside encrypted devices, applications and new communication operators.
The group’s final report also refers to end -to -end encryption as “the biggest technical challenge”.
Known as high -level group (HLG), the expert group was charged by the EU Council in June 2023 to develop a strategic plan “on data access for the application of effective laws”.
Access to legitimate data by design
The first series of HLG recommendations was disclosed to the public in June of last year. The objective was simple – to make the digital devices that we use every day, smartphones and smart homes with IoT devices and even cars, legally and technically monitoring at any time by law enforcement organizations.
Commenting on this plan, the CEO of the VPN of Mullvad, Jan Jonsson, told Techradar at the time: “This would mean total surveillance and that the inhabitants of Europe transport state -spy software in their pockets.”
The final wording of the LHG report of March 13, 2025 shows that little has changed compared to the original ethics. However, the recommendations on the realization of access to legitimate data by design “seem more refined.
As mentioned, experts are currently considering including VPN services among the main challenges of surveys.
Previously, the concerns were mainly reserved for applications messaging or secure messaging software using encryption to ensure that the content of users in an illegible form, which makes de facto (if not impossible) for the authorities to successfully decipher the information sought.
EU, North America and Australia law enforcement organizations are continuing their work to obtain a future legal access to private communications within the EU initiative.March 18, 2025
The widening of the objective to the VPN services seems to be aligning themselves from the point of view of experts on access to metadata as “essential to identify the suspects”.
The metadata refer to the data which is not concerning the content, as which sends the message, which receives them, at what time and from where. VPNs work to hide the IP addresses, which provide details of our location when we access the Internet.
For experts, however, EU legislators must find solutions to force service providers to conserve certain necessary metadata for a minimum period. Fortunately, the need for a “harmonized and coherent” legal framework for data retention is among the latest LHG suggestions.
The introduction of new obligations to collect identifiable metadata for users, however, would come up against the technical infrastructure and to the policies of many services focused on confidentiality. This is particularly true for VPNs without software which, as its name suggests, never collect information that can connect users to their online activities.
Safety conondrum
Despite the emphasis on the need for the authorities to access the data of people to conduct surveys, LHG experts recognize that “this should not be done at the expense of fundamental rights or cybersecurity of systems and products”.
In particular, the report highlights on several occasions how encryption is also essential for people safety, protection against data theft, spying sponsored by the State and other forms of access to unauthorized data.
Did you know?
The consequences of Typhon de Salphon attacks have sparked an uproar from the authorities so that all citizens go to signal messaging applications to improve their online safety.
It remains to be seen how EU legislators will find a balance between the desire to access people’s data – it doesn’t matter if they are encrypted – and the preservation of information security.
For their part, cryptographers and other technological experts have long argued that encryption works as expected or is broken for everyone.
Commenting on the current thrust for encryption deadlines, the CEO of Proton, Andy Yen, recently said: “Encryption is mathematics – this is added or this is not the case. You are unable to create a stolen door that will preserve encryption. It is simply not possible.”
