The European Union intends to simplify investigative authorities’ access to encrypted content. This emerged from the replies to a questionnaire that was circulated to all Member States by the Slovak Presidency of the EU Council. After a “reflection process”, efforts in this area are, according to the summary of the replies, intended to give rise to a framework for cooperation with Internet providers. It remains unclear whether this will take the form ofa recommendation, regulation or directive.
The replies to the questionnaire are now being examined by the Friends of the Presidency Group on Cyber Issues (FoP Cyber), which also held discussions on “increasing tendencies to exploit encrypted communication in order to hide criminal activities, identities and crime scenes”. Those taking part included the European External Action Service, the European Defence Agency and other EU institutions. FoP Cyber’s recommendations will then be addressed at the meeting of the next Justice and Home Affairs Council in Brussels.
Focus on encrypted communications sent via Facebook, Skype, WhatsApp and Telegram
The non-public questionnaire was first published online by the British civil rights organisation Statewatch. Following a freedom of information request, the Council Secretariat lifted this classification. The summary of the replies is also classified, but has now been published by Statewatch.
The questionnaire was responded to by authorities from 25 Member States, including the German Federal Ministry of the Interior. The police agency Europol also submitted replies. Twenty-one participants responded that their investigators often or almost always ran up against encrypted content or devices, and that this applied especially to encrypted communications sent via Facebook, Skype, WhatsApp and Telegram.
While neither suspects nor the accused are under the legal obligation to disclose encryption keys or passwords in the participating Member States, a number of governments are working on relevant legislation. Internet providers are obliged to disclose these encryption keys or passwords, however, and a judicial order is not always required for this. This also applies to the interception of encrypted communication with the objective of decrypting the data at a later stage. However, there is often a lack of sufficient technical capacity, which is why decryption is defined as being among the top three challenges. There are further shortcomings with respect to financial resources and personnel capacities for corresponding measures.
“Transcription, decoding or decrypting of the recording subject”
The Slovak Presidency of the EU Council arrives at the conclusion that “practical solutions” should be sought that allow for the possible disclosure of encrypted data or devices and that the cooperation of public prosecution offices, which is currently scheduled for harmonisation in the area of e-evidence, may be drawn upon to this end. This likewise involves entering into cooperative partnerships with Internet service providers; much of the communications data isolated in the course of cross-border investigations is encrypted.
Two years ago, the European Union adopted the European Investigation Order to facilitate the cooperation between investigative authorities, a directive that must be implemented by the Member States by 2017. An “issuing State” may request that an “executing State” assist with efforts to gather evidence in the event of criminal proceedings. The European Investigation Order stipulates the procedure for administrative cooperation regarding the “transcription, decoding or decrypting of the recording subject”.
Germany proposes “software that records communications before they are encrypted”
The extent to which state Trojan programmes could also number among “practical solutions” remains unclear. The Federal Ministry of the Interior has, at any rate, proposed appropriate tools in its reply to the questionnaire:
For ongoing telecommunications activities, one possibility would be to access the corresponding information technology system and to install software that is specially designed for this purpose. This software records communications before they are encrypted and ensures that it is exclusively ongoing telecommunications that are intercepted.
German federal authorities have now established a Central Authority for Information Technology in the Security Sector (ZITiS) for the deployment of state Trojans, which has an initial complement of 60 permanent posts with additional staff scheduled to join them at a later stage.
Europol as a hub for investigative authorities
In the summer, the European Union established the European Judicial Cybercrime Network (EJCN), which has now been tasked with addressing “the challenges stemming from encryption”. The EJCN is scheduled to commence its work on 24 November and will, along with Europol, cooperate closely with Eurojust, the judicial cooperation unit.
Further objectives of the EJCN include speeding up international legal assistance procedures and improving cooperation with Internet service providers and cross-border investigative measures in cyberspace. This cooperation extends to the transatlantic region; the European Union is currently working on procedures that will enable European investigative authorities to submit direct enquiries to private service providers in the US.
In order to simplify legal assistance for digital investigations, the US has now dispatched a state attorney to Europol. The police agency is, according to the Council Document, intended to function as a hub in the area of encrypted telecommunications. Further assistance could be provided by the European Agency for Network and Information Security (ENISA). Europol and ENISA recently discussed legal and technical options for dealing with encryption at a private conference in the summer.
Image: Vincent van Zeijst, Netherlands, The Hague, International Criminal Court, CC BY-SA 3.0