- The EU's HLG (High Level Group) now considers VPNs among “key challenges” to investigative work.
- End-to-end encryption is also mentioned in the final report as the biggest technical challenge
- Experts are calling for restraint and consideration on the measures, fearing civilians will carry “state spyware in their pockets”
For the first time, an EU expert group has explicitly mentioned VPN services as "key challenges" to the investigative work of law enforcement agencies, alongside encrypted devices, apps, and new communications operators.
The group's final report also refers to end-to-end encryption as "the biggest technical challenge."
Known as the High-Level Group (HLG), the expert group was tasked by the EU Council in June 2023 to develop a strategic plan "on access to data for effective law enforcement."
Lawful data access by design
The HLG's first set of recommendations leaked to the public in June last year. The goal was simple – make the digital devices we use every day, from smartphones and smart homes to IoT devices and even cars, legally and technically monitorable at all times by law enforcement bodies.
Commenting on this plan, Mullvad VPN CEO Jan Jonsson told TechRadar at the time: "It would mean total surveillance and that Europe's inhabitants carry state spyware in their pockets."
The final wording of the LHG report from March 13, 2025, shows not much has changed from the original ethos. Yet, the recommendations on achieving"lawful data access by design" look more refined.
As mentioned, experts are now considering including VPN services among the key challenges to investigations.
Previously, concerns were mostly reserved for messaging apps or secure email software using encryption to scramble users' content into an unreadable form, de facto making it difficult (if not impossible) for authorities to successfully decrypt wanted information.
Law enforcement agencies from the EU, North America and Australia continue their work to gain future lawful access to private communications within the EU initiative Going Dark.We also note that VPNs are mentioned under “key challenges”.https://t.co/ktu9HlZre0March 18, 2025
Widening the target to VPN services seems to align with experts' view on metadata access as "essential for identifying suspects."
Metadata refers to data not concerning the content, such as who's sending the message, who's receiving it, at what time, and from where. VPNs work to mask IP addresses, which provide the details of our location when we access the internet.
For experts, however, EU lawmakers need to find solutions to force service providers to retain some necessary metadata for a minimum time period. Thankfully, the need for a "harmonised and consistent" legal framework for data retention is among the latest LHG suggestions.
Introducing new obligations to collect users' identifiable metadata, however, would clash with the technical infrastructure and policies of many privacy-focused services. That's especially true for no-log VPNs that, as the name suggests, never collect information that can link users with their online activities.
The security conondrum
Despite the emphasis on the need for authorities to access people's data to carry out investigations, LHG experts recognize that "this must not be at the expense of fundamental rights or the cybersecurity of systems and products."
In particular, the report highlights on more than one occasion how encryption is also essential for people's security, protecting against data theft, state-sponsored espionage, and other forms of unauthorized data access.
The aftermath of the Salt Typhoon attacks sparked an outcry from authorities for all citizens to switch to Signal-like messaging apps to improve their online security.
It remains to be seen how EU lawmakers will find a balance between the will of accessing people's data – no matter if these are encrypted – and preserving information security.
On their side, cryptographers and other tech experts have long argued that encryption either works as intended or is broken for everyone.
Commenting on the ongoing push for encryption backdoors, Proton CEO Andy Yen recently said, "Encryption is math – it either adds up or it doesn't. You're not able to create a backdoor that will preserve encryption. It is simply not possible."
You might also like
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
