How it all began: Five years of fight against end-to-end encryption

The German EU Presidency wants to enable police forces and secret services to circumvent end-to-end encrypted communication or to use technical tools to defeat it.

A look at the activities carried out over the past five years allows some conclusions about who is particularly committed to the new crypto war. In its wake, Europol is also developing new capabilities for using Trojans and cracking encrypted storage media.

2015

EU anti-terrorism coordinator Gilles de Kerchove calls on the European Commission to seek legal means to force internet and telecom operators to install backdoors for encrypted communications („share encryption keys“).

The then German Federal Minister of the Interior, Thomas de Maizière, stated at the „International Forum for Cyber Security“ in Lille, Northern France, that the German security authorities must be „authorised and able to decrypt or circumvent encrypted communications when necessary for their work to protect the population“.

Some EU Member States set up the „European Expert Group on Cybercrime“, which is to work on encryption, among other things. The head of action is the French criminal police, co-headed by Europol, the Federal Criminal Police Office and the Bavarian State Criminal Police Office.

Rob Wainwright, then UK Director of the EU Police Agency Europol, repeatedly warns against the increasing use of encryption technologies as „one of the main tools of terrorists and criminals“. Europol would be confronted with encryption in 75% of all cases; on Twitter he calls this an „encryption dilemma“. Public authorities should „cooperate with technology companies“ in order to „gain access to the communications of those who seek to damage our society“.

The European Commission announces in its „European Security Agenda“ that it will „explore the concerns of law enforcement authorities on new encryption technologies“.

The Luxembourg Presidency sends a state of play on challenges posed by „communication channels and multiple social media“ to Member States, according to which new „encryption based technologies“ would make it increasingly difficult or impossible to conduct effective investigations.

Europol publishes for the second time a situation report on cybercrime, which deals in detail with encryption and anonymisation. An annex discusses on three pages the different perspectives of the „encryption debate“. A general ban is viewed critically, partly because it could lead to more private data falling into the hands of criminals and because the privacy of communications is even enshrined in the United Nations Universal Declaration of Human Rights. In any case, the emergence and use of encryption tools could no longer be controlled.

Wil van Gemert, deputy head of Europol’s operations department, speaks at the conference of European police chiefs and explains that „obstacles of anonymisation and encryption“ must increasingly be overcome. Investigators are confronted with encrypted content in three quarters of all cases. Authorities from Austria, Denmark, Hungary, Germany and Spain also took part in the working group. They recommended more cooperation with the „private sector“.

The group „Friends of the Presidency on Cyber“ (FoP Cyber) also deals with encryption. It now intends to raise public awareness of the issue, make recommendations for action and provide the Commission with „practical input“ on legislative proposals. FoP Cyber was established in 2012 by several Member States, the Commission and EU agencies. Its mission is to address cyber security as a cross-cutting issue. The European External Action Service (EEAS) responsible for security and defence policy and the European Defence Agency (EDA) also participate in FoP Cyber. One of the tasks of the two EU institutions is „cyber diplomacy“ towards third countries.

2016

In May, Europol organises the conference „Privacy in the digital age of encryption & anonymity online“. The theme is the „balance“ between freedom and security.

At their June meeting in Bratislava the EU Ministers of Justice discuss encryption. The Council of Ministers then distributes a questionnaire on possible countermeasures to the delegations of the Member States. The German Federal Ministry of the Interior also replies to this and refers to the possible use of Trojans.

The results of the questionnaire with the request for further investigation on possible solutions are discussed in the FoP Cyber and presented to the Coordination Committee for Police and Judicial Cooperation in Criminal Matters (CATS). The CATS uses the results and discussions to prepare the meetings of the Ministers of Justice and Home Affairs.

On 9 June 2016, the Council of Justice Ministers publishes Conclusions on Improving Criminal Justice in Cyberspace, which propose „possible solutions for improving investigations in cyberspace“. Subsequently, a European Judicial Network on Cybercrime (EJCN) is established with the support of Eurojust, the European Union’s agency for judicial cooperation in criminal matters. One of its two core tasks is to „address the challenges of encryption“, for which an „Encryption Observatory“ is responsible. Technical and legal issues are addressed at the EJCN launch event in November.

In a joint letter to EU Member States in October, Germany and France call for solutions „that will allow effective investigations of encrypted data in connection with terrorist acts“.

The Counter-Terrorism Coordinator invites the Commission to consider „the issue of encryption“ as part of „long-term solution for speedy and efficient access of investigators and judicial authorities to e-evidence“ vis-à-vis Internet service providers.

The German and French Ministries of the Interior send a further letter to the Presidency of the Council calling for more cooperation with Internet service providers, while stressing the need for encryption. The anti-terrorism coordinator later mentions the letter in his demands for the implementation of the „Counter-terrorism agenda“.

Following the discussion in the Justice and Home Affairs Council, the Commission and some Member States launch a „reflection process“ on the role of encryption in criminal investigations.

The Slovak Presidency publishes the progress report „Encryption: Challenges for criminal justice in relation to the use of encryption - future steps“. The four proposed measures include a „reflection process“ led by the Commission, more cooperation with Internet service providers and close cooperation and consultation with Europol, Eurojust and the EJCN.

„How to deal with encryption“ is a topic for discussion at the EU-US ministerial meeting in Washington.

In December, the EU Ministers of the Interior and Justice discuss the results of the questionnaire on encryption; in the justice section, the German Ministry of the Interior presents the results. Legislative proposals are still not an issue at this time.

Subsequently, the „EU Internet Forum“ also deals with challenges for law enforcement through encryption. This topic is one of the tasks of the association founded one year before.

2017

On 18 January the Commission sends its work plan „The role of encryption in criminal investigations“ to the FoP Cyber, which now operates as the Council’s Horizontal Working Group on Cyber Issues. According to this, the Commission wants two working processes on questions of access to encrypted content. Participants in a group on technical frameworks are DG HOME and CNECT and the agencies Europol and ENISA. „Where appropriate“, additional experts from Member States, companies or universities should be invited. Legal issues will be discussed with Eurojust and the EJCN, among others. On an „ad hoc basis“, civil society organisations would also be involved. At the end, the results of the two working processes would be brought together and presented at a conference. The issue is also to be addressed in February 2017 in the EU-US Working Group on Cybercrime.

The first „Expert Workshop“ on encryption is taking place in May at the invitation of the Europol Cybercrime Centre (EC3). Participants included the Commission and delegates from Austria, Slovenia, Croatia, the UK, the Netherlands and Germany. The German Federal Criminal Police Office was represented by staff from various departments. As a result, it was decided to collect statistical information and to commission case studies on the dissemination of encryption techniques. The „experts“ also discussed the „central bundling“ of technical competences and „services“ at Europol.

Under the Maltese Presidency, the Commission reports to the June Justice and Home Affairs Council in the Justice Section on the work of the „Expert Process on Encryption“, which is to be continued in the coming months.

In October, the Estonian Presidency presents the final report „The practical implementation and operation of the European policies on prevention and combating cybercrime“, which covers in several pages the possibilities of „overcoming“ and „cracking“ encryption. The first part of the report deals with „data in rest“, i.e. data carriers and storage media confiscated by Member State authorities. Europol is to use supercomputers for this purpose.

At the October Justice and Home Affairs Council, the Commission reports again on the progress of the „expert process on encryption“. Legislative proposals are still not under discussion.

In its „11th progress report on the Security Union“, the Commission then goes into detail on the „role of encryption“ and announces a six-point plan with legal and technical measures „to enhance decryption capabilities“. These include more decryption capacities in the Member States, supported by a „decryption platform“ at Europol, in the development of „centres of expertise“. This will be located at EC3 in The Hague. The Europol Cyber Unit will develop and make available „measures to obtain needed information encrypted by criminals“ and will receive 19 new posts to this end. For the time being, this will again concern „data in rest“, i.e. not yet end-to-end encryption. For training programmes by the EU police force CEPOL, the Commission will provide €500,000 under the „Internal Security Police Fund“. The Police Agency is also working on a „decryption manual“ to assist Member States. Europol’s efforts will be supported by the EU Internet Forum, an indication that sooner or later end-to-end encrypted communication will also be in focus.

At their December Council, Justice and Home Affairs Ministers hold a „joint discussion on encryption“ and examine the measures presented by the Commission in October. The Commission is „urged“ „to continue examining the issue“ and is expected to report on progress in implementing the proposed technical measures in March 2018.

2018

According to the „13th progress report on the Security Union“, Europol will receive a further €5 million to develop capabilities for reading encrypted content. The Commission had already pledged this money in the 12th progress report, but only published the amount earlier this year. The funds will also be used to investigate „technical and legal aspects of the role of encryption in criminal investigations“.

A workshop on encryption is being held at Europol in The Hague on 5 February 2018 with a presentation by the German Federal Criminal Police Office. The subject is „in particular an exchange of experience on the effects of encryption on telecommunications interception“. According to the German Federal Ministry of the Interior, there have been further events on this topic in a „workshop series“. At this stage at least one „decryption expert“ is working at Europol, from which the competent authorities of the Member States can obtain assistance.

In October, the Commission sends a „working paper“ to the Council, in which it proposes that Europol should develop a Trojan software and make it available as a service to the authorities of the Member States. This could counter „abuse of encryption by criminals and terrorist suspects“. To this end, the Police Agency would run a Trojan pilot project which could subsequently be made permanent. The technical „solution“ for penetrating foreign computer systems is to be procured in a non-public tender.

2019

Europol and Eurojust publish a „First report of the observatory function on encryption“, which lists numerous possibilities for encryption and how to circumvent it. The agencies do not indicate which of these methods should be used by authorities to access decrypted communications.

The newly established „EU Innovation Hub for Internal Security“ at Europol addresses encryption in the field of security research.

One year before taking over the EU Council Presidency, the German Federal Minister of the Interior, Horst Seehofer, announces that he wants to oblige providers of encrypted messenger services to hand over their users’ messages and calls when ordered to do so by a court.

Under the Finnish Presidency, the Member States adopt Conclusions on combating the sexual abuse of children, which deplore the increasingly encrypted communication of offenders and present it as a reason why new measures are needed.

After CEO Mark Zuckerberg announces end-to-end encryption in Facebook chats, the so-called „Five Eyes“ states USA, Canada, Great Britain, Australia and New Zealand demand access to the data „in a readable and usable format“ in an open letter. The „Five Eyes“ include cooperation between foreign secret services for the interception of digital communications. In the letter to Facebook, the governments cite protection against child abuse as an argument against encryption.

The President of the Federal Criminal Police Office, Holger Münch, calls for a „front door debate“ in which providers of encrypted messenger services are to be obliged „to hand over an unencrypted surveillance copy“.

2020

In the „Report on the implementation of the renewed EU internal security strategy“, the former Finnish and current Croatian presidencies criticise that „no progress has been made“ since the end of 2018 on possible approaches to end-to-end encryption. The document expresses the expectation that the Commission takes „a decision on the solution to be implemented“ and finances it.

In a letter, the anti-terrorism coordinator calls on the EU member states to „break the trend of unregulated encryption practice“. „Unfettered encryption“ in applications and standards is a „massive challenge“ for police and intelligence services, he said, and requires a „robust response“ from policy makers. Kerchove therefore calls for „regulatory measures“ and sets out a roadmap. In an accompanying document, he describes various forms of encryption, including end-to-end, transport encryption and password protected devices.

For brute-force attacks on password-protected storage media, Europol uses the „Hashcat“ software. In 2018, the first year of its existence, the „decryption platform“ was used in 32 cases; for 2019 Europol names a further 59 cases. The success rate is 39 percent. In total, more than 1,750 encrypted devices were examined. The German Federal Criminal Police Office has also requested the services at least six times. In future, the „decryption platform“ is to use supercomputers of the European Union. To this end, Europol has concluded an agreement with the EU Commission’s Joint Research Centre (JRC), according to which the attacks on encrypted content are to be carried out in Ispra, Italy, on Lake Maggiore.

On a regular basis, „Law Enforcement Authorities Decryption Workshops“ are now held at the JRC, where „technical experts“ exchange information on current developments and projects for decrypting digital content.

A Europe-wide working group on the interception of 5G telecommunications by police forces and intelligence services is consolidated and extended to include encrypted communications. This „Permanent Group of Heads of Lawful Interception Units“ will help to improve „operational capabilities“ in the Member States. Its new tasks also extend to the „legislative domain“. The group was originally set up as the „Expert Group 5G“ on the initiative of the Federal Criminal Police Office.

In June, Ylva Johansson, European Commissioner for Home Affairs, speaks at a webinar on combating sexual abuse and exploitation of children and calls for a „technical solution“ to the „problem“ of encryption. Her office had initiated „a special group of experts from academia, government, civil society and business“ to find appropriate solutions. The magazine Politico later publishes the group’s unofficial report, which lists various technical options for accessing encrypted data in messenger services.

On 18 September, the German government announces that it intends to adopt a declaration on the circumvention of encrypted communication on the Internet as part of its EU Council Presidency. The governments of the Member States are to send their position on this to an e-mail address of the German Federal Ministry of the Interior by 7 October.

On 23 September, the German Council Presidency gets a mandate from the EU member states in the Standing Committee on Operational Cooperation on Internal Security (COSI) to „launch an initiative on encryption“.

The governments of the „Five Eyes“, together with Japan and India, are again calling for state access to end-to-end encryption. Their declaration appeals to Internet service providers, and as in the Open Letter of 2018, the sexual exploitation of children, but also violent crimes, terrorist propaganda and attacks are mentioned as arguments.

On 21 October 2020, the German Federal Ministry of the Interior publishes „Ten Points on the Future of Europol“. The declaration calls for the „EU Centre for Innovation in the Field of Internal Security“ located there to focus on encryption.

Also on 21 October, the German Council Presidency distributes its proposal for a resolution „Security through encryption and security despite encryption“, which is subsequently revised several times. For their discussions, the speakers from the Member States have set up a so-called ad-hoc format „Encryption“. The resolution contains a separate paragraph on the creation of a „regulatory framework“ and, in its final version of 24 November, calls for this to be „further assessed“. In previous versions, this paragraph still maintained the „need for a regulatory framework“, which is why measures for law enforcement and judicial authorities against end-to-end encryption „should be prioritised“. In its final version, the paper requires „national and international communication service providers and other relevant stakeholders“ to cooperate on „technical solutions and standards“.

In addition, the German Presidency is planning „Conclusions on internal security and a European police partnership“, which will also contain comments on encryption. „Technical solutions for lawful access to encrypted data“ should ensure that law enforcement and judicial authorities can „exercise their powers, as prescribed and authorised by law, both online and offline“. The need for a „legal framework“ to be developed „in a close dialogue with the technological industry“ is also confirmed. This would mean that there is no prescribed technical solution for access to encrypted data, but that Member States would be free to decide on the methods they use to disable or circumvent end-to-end encryption on a national level.

In an „input“ on the terrorist attacks in Germany, France and Austria, the Counter-Terrorism Coordinator calls for a „legislative solution with regard to law enforcement and judicial access to encrypted content“. According to Kerchove, the initiative of the German Presidency is „a good first step“.

On 13 November the EU interior ministers publish a „Joint Declaration on the recent terrorist attacks in Europe“. It calls for the Council to „consider the matter of data encryption so that digital evidence can be lawfully collected and used by the competent authorities“.

In an accompanying document to the planned „Council resolution on encryption“, the German Federal Ministry of the Interior is seeking approval and is „determined“ to engage in a close exchange with the „Five Eyes“ states. In doing so, the Ministry refers to their „International Declaration“ against end-to-end encryption published a few weeks ago. It also calls for an „ongoing dialogue especially with the UK in that matter“. In a follow-up version, the document is supplemented two weeks later with a request for the Commission to regularly report to the Council.

At its meeting on 25 November, the Committee of Permanent Representatives of the Member States (Coreper) approves the resolution on encryption by written circular without debate. The conclusions on internal security and on a European police partnership, including a presentation on encryption, are also agreed.

The EU-US ministerial meeting planned for autumn, which is always attended by the current and upcoming EU Council presidencies, is cancelled because of the Corona pandemic. The German government confirms that there is a regular „exchange of views“ at the biannual meetings on the topic of „dealing with encryption“.

Update:

In the Security Union Communication „A Counter-Terrorism Agenda and stronger Europol to boost the EU’s resilience“ presented on 9 December, the EU Commission warns that encryption can „also be used as a secure channel for perpetrators where they can hide their actions“. The Commission therefore announces that it will work with Member States to „identify possible legal, operational, and technical solutions for lawful access“.

On 14 December, the Council of Ministers for Home Affairs finally publishes the „Council Resolution on Encryption - Security through encryption and security despite encryption“. It should ensure the ability of competent authorities „in the area of security and criminal justice, e.g. law enforcement and judicial authorities, to exercise their lawful powers, both online and offline protecting our societies and citizens“.

Also on 14 December, the EU interior ministers adopt the „Council Conclusions on Internal Security and European Police Partnership“, according to which „technical and operational solutions anchored in a regulatory framework“ are to be found, „developed in close consultation with service providers, other relevant stakeholders and all relevant competent authorities, although there should be no single prescribed technical solution to provide access to encrypted data“.

Furthermore, in its „First Progress Report on the EU Security Union Strategy“, the EU Commission points out on 14 December that the EU Internet Forum has „expanded its scope of activities to also cover child sexual abuse online“. The Forum started a „technical expert process“ to find „possible technical solutions to detect and report child sexual abuse in end-to-end encrypted electronic communications“.

On 18 December, Europol officially launches its already operational „decryption platform“. As far as is known, it currently only offers support to member states in the digital forensics of encrypted devices and storage media.

2021

According to a press agency report, the EU Commission is not planning a proposal for a „general ban on encrypted communications“. EU Home Affairs Commissioner Ylva Johansson wrote this to three MEPs. No solution is being considered that would „fundamentally weaken encryption for all citizens“. Johansson also ruled out „backdoors“ for accessing encrypted data.

At the belated annual meeting of the EU Internet Forum for 2020, EU Home Affairs Commissioner Ylva Johansson says the alliance has broadened its scope to include child sexual abuse on the internet (video). With the internet service providers present there (Google, Facebook, Microsoft, etc.), the Commission wants to seek technical solutions to detect images and videos showing child sexual abuse, despite end-to-end encrypted services.

The German Central Office for Information Technology in the Security Sector (ZITiS), which was founded to perform different aspects of digital surveillance, participates „with individual experts“ in discussions on „challenges of encryption“ within the framework of the „Europol Platform for Experts“ (EPE).

In its two-year outlook for the Horizon 2020 research framework programme (area „Civil Security for Society“), the Commission announces further efforts against end-to-end encrypted communication with 5G. A project in the research line „Fighting Crime and Terrorism“ is entitled „Lawful interception using new and emerging technologies (5G & beyond, quantum computing and encryption)“ and is to develop a platform that uses interfaces to derive decrypted communication. At least three police authorities from three member states or „associated countries“ are to participate. The process, to be developed at a cost of five million euros, is to reach technology readiness level 5-6. This includes a prototype.

At the EU-US Senior Officials Meeting in April, „challenges related to encryption and lawful interception“ is on the agenda. The current EU Presidency will present the Council resolution on decryption adopted in December under the German Presidency.

In a public consultation on the „EU Strategy for a more effective fight against child sexual abuse“ from July 2020 the EU Commission asks whether an obligation on providers to detect, report and delete abuse should also apply to encrypted communications.

After Brexit, Great Britain will remain a member of the „G6“, where the interior ministries from Germany, France, Great Britain, Italy, Spain and Poland are organised. Under the British chairmanship, the informal circle, in which the EU Commission also participates, deals at the end of March with „issues caused by end to end encryption“. The USA is also taking part in this exchange.

In its communication „EU Strategy to tackle Organised Crime 2021-2025“, the EU Commission describes access to encrypted content as one of its priorities. Together with „relevant actors“, the „existing capabilities and approaches for lawful and targeted access to encrypted information“ are to be analysed. In addition, the Commission wants to strengthen its „efforts in the field of standardisation“ in the context of decrypting 5G communications. A stocktaking of the Member States’ handling of encryption and a „multi-stakeholder process“ to explore and assess legal and technical possibilities are to result in a proposal on „targeted access“ to encrypted content, which the Commission intends to present in 2022.

In May, the Portuguese Presidency calls for an EU-wide framework on access to encrypted content by police and judiciary. For the first time, this should also affect device manufacturers. In case of non-compliance, the companies could be banned from doing business in the EU, which could „use the strength of its single market“ to do so. The Council brings the „COSI community“ into play as a new actor for the work on regulation. This refers to the Standing Committee on Internal Security, which is made up of senior officials from the interior and/or justice ministries of all EU member states as well as the Commission and the External Action Service.

Conclusions

    • From 2015, the newly established Centre for Combating Cybercrime at Europol brings the subject of encryption to the public in various publications, and the then British Europol boss warns several times of the risks it poses
    • Chaired by France and co-chaired by Germany and Bavaria, Europol is launching a „European Expert Group on Cybercrime“ in 2015, working on encryption. Two years later a similar group of the Justice and Home Affairs Council follows
    • The Commission and Eurojust also launch „expert groups“ or „expert processes“ on encryption, considering technical and legal aspects
    • In the coming years, the Council and the Commission invite each other to take various initiatives, including the development of a state of play, statistics and studies on technical solutions against encrypted storage media and end-to-end encryption
    • The Anti-Terrorism Coordinator ensures that the issue remains on the EU agenda through his regular papers
    • From 2018, Europol is setting up capabilities to decrypt storage media with brute force attacks using high-performance computers. The Police Agency also intends to procure Trojans and assist in their use in the Member States
    • In several conclusions and reports, the Council and the Commission mention the need for technical and legal solutions for end-to-end encryption by 2019, without committing to backdoors or Trojans as technical options
    • The need to circumvent encryption is initially justified more by terrorism, and later by the prosecution of crimes against the sexual self-determination of children
    • New momentum in 2019 in preparation for the German EU Presidency. In 2020, the Federal Ministry of the Interior ensures a resolution against encryption, which for the first time includes the demand for a legal framework against end-to-end encrypted communication. Although it is rebutted in the discussion process, it is flanked by further conclusions that call for decisive legislative EU measures
    • The Commission will now feel called upon to urge Internet service providers to engage in dialogue on technical measures for access to end-to-end encrypted communications, probably through the EU Internet Forum
    • The Commission could also launch and finance a feasibility study and/or a pilot project for the deployment of a Europol Trojan with voluntary Member States
    • All activities of the past five years have been carried out without the involvement of the European Parliament, which will only be asked for its assent when a legislative proposal against encryption is presented in a few years’ time on the basis of the resolution initiated by Germany

Author: Matthias Monroy

Knowledge worker, activist, editor of the German civil rights journal Bürgerrechte & Polizei/CILIP.