Backdoors vs. Trojans: Europol is examining „solutions“ against end-to-end encryption

The German police also uses a „decryption platform“ at Europol. The system belongs to an „innovation laboratory“ and is currently being equipped with new technology. The EU Commission will soon decide whether Europol should also handle the decryption of secure connections.

Since 2014, Europol has been offering Member States support in decrypting data carriers or mobile phones. The unit is based at the „Centre for Combating Cybercrime“ (EC3), which was set up a year earlier at the headquarters of the EU Police Agency in The Hague. What forensic tools Europol uses for this purpose is not answered by the European Commission, which is responsible for the functioning of the EU agencies.

According to Europol’s annual report for 2018, the „decryption platform“ has been requested 32 times since its creation, in 12 cases successfully. Operations are carried out in various fields, including cybercrime, drug trafficking and migrant smuggling. According to the German government, the services are also available to third states.

National competence centres for decryption

Requests have also come from the German Federal Criminal Police Office (BKA), which has approached Europol in six cases „with decryption orders“. This is what the Federal Ministry of the Interior writes in its answer to a small inquiry. It does not explain in what time frame the requests were made and whether they were successful. Like the Commission, the German government is also reluctant to comment on how the „decryption platform“ works. The devices, applications or processes supported there are „not known in detail“.

Since last year, Europol has included the „decryption platform“ among the services offered by its newly established „innovation laboratory“. Its areas of responsibility include police handling of anonymisation and encryption on the Internet and darknet. Europol is also researching the use of quantum computers.

„Decryption handbook“ for Member States

Currently, the „decryption platform“ is being expanded together with the EU Research Centre. In the budget for 2018, the Commission had approved an additional 5 million euros. The activities carried out by EC3 on the side until then will now be taken over by a newly appointed „decryption expert“. The money has also been invested in new technology, which should be ready for use next year. Europol does not write whether the new facility is housed as an „off-site platform“ with an external provider, as considered in the annual report.

Europol is also working on a „decryption manual“ which is to serve as a guideline for the Member States. The agency received a further 500,000 euros for training of the competent national law enforcement and judicial authorities. Training content is being developed by the EU police academy CEPOL. The Member States can set up national competence centres for decryption, the development of which is supported by money from the Internal Security Fund (ISF) of the European Union. Europol could take over the coordination of the national centres.

Council conclusions

Now the „instruments“ for decoding are being further developed. So says a document published last week by the former and Finnish and current Croatian presidencies. The two governments also call for further investigation into „possible solutions to end-to-end encryption“. To this end, the European Council adopted conclusions in June 2017. The Commission then held several „expert meetings“ with authorities from the Member States.

The measures are to be based on a report in which Europol and the judicial agency Eurojust have drawn up an analysis with regard to encryption. However, the agencies remain vague on how the authorities could gain access to decrypted communications.

Countries like Germany are against implemented backdoors for encryption technology and want to make Internet service providers responsible instead. The German BKA president recently demanded once again that the companies should keep decrypted copies and hand them out on request of police and secret services via a „frontdoor“.

Commission decides on end-to-end decryption

The Finnish and Croatian governments also want to „not prohibit, limit or weaken“ the encrypted connections. According to the paper, the Commission and Europol have already held a „technical meeting“ and discussed „possible ways forward to address this issue“. The results will lead, among other things, to a second report that Europol and Eurojust intend to present soon.

The agencies already mentioned the use of Trojans („remotely access a computer system“) as one of the possibilities against the use of encryption. Europol and Eurojust are thus on the line of states such as Germany, where federal and state police laws also lower the hurdles for the use of Trojan programs.

After the follow-up report, the ball will be in the Commission’s court, which then should decide on new measures and funds for „developing options to address the misuse of end-to-end encryption by criminals“. The topic will also be on the agenda of the EU-US high-level meeting on justice and home affairs in early March.

Image: The new Europol director Catherine de Bolle with BKA chief Münch during her inaugural visit to Berlin in 2018. The BKA is one of Europol’s power users (BKA).

Autor: Matthias Monroy

Knowledge worker, activist, editor of the German civil rights journal Bürgerrechte & Polizei/CILIP.