The European Union is discussing access by law enforcement authorities to encrypted communications in a number of papers, working groups and new cooperation forums. The “crypto debate” begun around a year ago on ways to circumvent encryption or access protected communication has gained new momentum.
Most recently, the Luxembourg Council Presidency sent out a paper setting out the challenges posed by “Internet communication channels and multiple social media” to the Member States. The paper expresses the view that new “encryption based technologies” are increasingly hampering or rendering impossible effective investigations. According to this paper, these technologies are of particular significance not only in the area of “counter-terrorism policies”, but also of “anti-radicalisation measures”.
The paper is entitled “Effective criminal justice in the digital age – what are the needs” and calls, amongst other things, for “effective data retention”. In a further document, the Luxembourg Presidency invites the Member States to consider what steps should be taken by the Commission in this respect. The “private use of live streaming”, along with the Darknet and anonymisation tools are listed as further impediments for law enforcement. “Critical e-evidence” can be lost, the paper says, if there are no adequate means available to the competent authorities to react effectively.
Encryption: “one of the main instruments of terrorists and criminals”
In January, EU Counter-Terrorism Coordinator Gilles de Kerchove called for Internet and telecommunications providers to be obliged to introduce “back doors” to encrypted communications. This is probably why this issue is still on the agenda of Europol. In March, Europol Director Rob Wainwright had warned about the increasing use of encryption technologies, which he viewed as one of the main instruments of terrorists and criminals.
In September, Wil van Gemert, Europol Deputy Director Operations, presented a working group report on “policing the terrorist threat online” at a conference of European police chiefs. According to this paper, it is particularly important to overcome the “obstacles of anonymity and encryption”. Participants in this working group included representatives from the authorities in Austria, Denmark, Hungary, Germany and Spain. They advise more cooperation with the “private sector”, including providers and platforms, in order to gain access to encrypted content and access servers.
In the autumn, Europol presented its second report on the cybercrime threat landscape, which discussed in detail the topics of encryption and anonymisation. Europol also lists “anti-forensic tools”, including the wiping of software or operating systems run from removable media, as amongst the challenges faced by the authorities. The report states that the use of these techniques by criminals is now considered the norm rather than the exception. At the same time, it stresses the need for an “increasing volume” of digitised data in investigations.
Europol is sceptical about the making available of encryption keys
According to Europol, investigators are confronted with encrypted data in three quarters of all cases. The agency stresses that the tools are now so easy to use that they can be accessed by non-tech-savvy criminals. TrueCrypt and BitLocker are named in this context, along with PGP, an increased use of which has apparently been noted by the Member States. The Europol report states that the situation is further complicated by Internet providers and platforms like WhatsApp, iMessage, Facebook, Facetime, Google and Yahoo providing end-to-end encryption as the default setting. It points out that, while the benefits to the “public and to the private sector” cannot be denied, the question as to where this leaves governments and law enforcement is currently unanswered.
An appendix to the report discusses over three pages the various perspectives in the “encryption debate”. The idea of banning encryption completely is viewed critically, in part because it could mean more private data ending up in the hands of criminals and also because the privacy of communications is anchored in the Universal Declaration of Human Rights. The creation and use of encryption technology can in any case no longer be controlled, the report points out.
Europol also recalls the crypto war in the 1990s, when the US government made the export of PGP illegal, but the software nevertheless became widely available in other countries in the form of “PGP International”. The report makes clear that the demand made at the time to force all providers of encryption technologies to set up “back doors” for the law enforcement authorities would not be feasible today. It points out the security problems that this would create for international companies, for example, as well as the fact that many services change the encryption key for every interaction. The report also points out the problems of all these encryption keys being stored centrally yet securely, without the datastore being compromised by hackers.
Launch of Internet service providers’ forum
The report thus proposes a number of measures. It states that legislators and policymakers, together with industry and academia, must agree on a workable solution to the issue of encryption which allows privacy and copyright to be respected without severely compromising government and law enforcement’s ability to investigate “criminal or national security threats” – including in the area of child pornography.
The recommendations include the development of techniques allowing the police to reconstruct data from systems which are encrypted, but have not yet been switched off. It is proposed that the authorities should also create a central database of VPN and proxy services favoured by cybercriminals.
The Federal Ministry of the Interior in Germany explicitly welcomes these efforts at European level, stating that “efforts to send information in a covert and clandestine manner” are a “defining characteristic of communications behaviour” in many phenomena and areas of crime. According to the Interior Ministry, these efforts are aimed at rendering ineffective measures undertaken by the state to investigate and combat such crime. The Ministry stresses, however, that no legal basis currently exists for access to information which has been encrypted by users and that “any kind of dialogue with internet service providers” to discuss different needs regarding the balance between data privacy and threat prevention and criminal prosecution should thus be welcomed.
As a next step, the EU announced on 3 December the launch of a new Internet service providers’ forum. In this new community, the EU interior ministers meet and discuss issues with Internet companies. Following a year of preparations, a form of cooperation is now being established intended to allow unwanted Internet content to be removed as soon as possible. One of the further opportunities for practical cooperation cited is the issue of how to deal with encryption techniques.
High-level group is against “abuse of encryption and anonymity”
The Friends of the Presidency Group on Cyber Issues (FoP Cyber) also intends to address the subject of encryption. This can be seen in a document made public by Statewatch, in which the implementation of the “Internal Security Strategy” is discussed. This document too refers to obstacles for investigators which need to be overcome. The Group announces its intention to keep an eye on future developments in this context.
The FoP Cyber was established in 2012, to bring together representatives from the Member States, the Commission, Europol and ENISA, as well as the European External Action Service responsible for foreign and security policy. The Group is tasked with tackling cybersecurity as a cross-cutting issue, affecting both internal and external security. For this reason, the European Defence Agency (EDA) is also on board.
Every participating Member state seconds a “cyber attaché” to Brussels. At the last two meetings of these senior-level officials in October and November, one of the topics addressed was that of “abuse of encryption and anonymity” and the legal loopholes which exist. The group now wants to raise awareness of this issue, make recommendations for action and provide the Commission with concrete contributions to new legislative proposals.
Image: New Europol headquarter in The Hague (OSeveno, Europol building, The Hague, the Netherlands – 931, CC BY-SA 3.0).