„Wicked problem“: Europol considers vulnerability exploitation to break encryption

At a conference hosted by the EU police agency, three ways of decrypting communications and storage media were discussed. One of the approaches was apparently pushed by the Bavarian State Criminal Police Office (BLKA).

For at least seven years, EU member states have been looking for ways to give their law enforcement agencies access to encrypted content. Time and again, the Council, which consists of the 27 governments, has stressed the importance of encryption for secure communications and ostensibly ruled out backdoors. Like the EU Commission, the EU states have instead relied on infecting mobile phones with governmental spyware to read encrypted messengers. The encryption of seized devices or storage media, on the other hand, was to be broken with the help of supercomputers.

But now the establishment of a common vulnerability management is back on the agenda of European police and judicial authorities. Under the leadership of the EU police agency Europol, about 70 participants discussed a possible „EU policy“ in this area – for example, whether security vulnerabilities in software should be withheld from the manufacturers rather than reported immediately, so that they can be exploited to build state spying tools. This is according to the minutes of a conference of the „EU Innovation Hub for Internal Security“ published by the British civil liberties organisation Statewatch. At the end of a „Round Table on Encryption“, the organisers assured participants that they intended to tackle the „wicked problem“ at EU level.

„Innovation Hub“ in The Hague

The „Innovation Hub“ is a joint network of all nine EU agencies in the field of Justice and Home Affairs, established in 2019. The EU Commission and the Council also participate. Led by Europol in The Hague, the network seeks out „the latest innovations and effective solutions“ in the areas of justice, border management, immigration, asylum and law enforcement.

Since last year, the participants have been meeting for a joint annual conference. Current and future projects are presented and discussed there.

At the most recent meeting on 13 and 14 September, around 100 participants exchanged views on new surveillance capabilities on the first day. Other topics were the securing and use of electronic evidence and the use of „artificial intelligence“. The second day was devoted to the topic of „encryption“.

Presentation by the French Gendarmerie

The introductory presentation was given by Boštjan Škrlec, Vice-President of the EU Agency for Judicial Cooperation in Criminal Matters (Eurojust), on the „cross-border criminal exploitation of encrypted communication platforms“. On this topic, Europol and Eurojust had published a „First report of the observatory function on encryption“ in 2019, which listed numerous uses of encryption as well as ways for law enforcement agencies to circumvent it.

First, the participants discussed the possible implementation of a common vulnerability management. Who presented on this remains unclear. On the podium were two employees of the French Gendarmerie, which was responsible for the hack of the encrypted Encrochat network. The coordinator of that investigation now works as head of the „Operations“ department at Europol.

As part of vulnerability management, any vulnerabilities or backdoors could be held back „temporarily“ to „allow their exploitation by competent authorities“, the minutes say. They do not say where such a repository would be kept. Questions of supervision and control were also discussed subsequently. According to the paper, „the need to adopt a rigorous risk assessment process“ was stressed. Europol had invited Nico van Eijk, chairman of the Dutch Intelligence Review Committee, to discuss the issue.

Authorities to use supercomputers

Next up for discussion was the use of quantum computing by law enforcement agencies. This was presumably presented by the staff member of a French governmental research centre invited to the panel, who investigates „side-channel attacks“ on encrypted mobile phones.

For the forensic decryption of data carriers, the „decryption platform“ set up at Europol is also to use such supercomputers. Europol has concluded an agreement with the Joint Research Centre (JRC) of the EU Commission for this purpose. Laurent Beslay, a representative of the JRC, was also on the podium.

With the spread of quantum computing, however, other states or possibly private actors could also read encrypted content. The panel also discussed this „threat for their cyber security“ and considered research into „quantum-safe algorithms“ necessary for that reason.

„Game over for secure communication“

Finally, the panelists addressed the possibility of retrieving data directly from internet service providers. If providers do not store any decrypted content, they could be obliged to hand over metadata. To discuss this, Europol had invited Jean-Christophe Le Toquin, the coordinator of Encryption Europe. As an association of European small and medium-sized enterprises, the initiative advocates encryption of communications by default.

Markus Keil from the Bavarian State Criminal Police Office (BLKA) was also on the same panel. He probably discussed the role of the European Telecommunications Standards Institute (ETSI), which was on the agenda, with Le Toquin. Among other things, various states have ensured at ETSI that the 5G standards, which are secure in principle, are weakened so that communications can be intercepted, and that an interface for handing over decrypted data to authorities is prescribed. Keil attends ETSI meetings on behalf of the BLKA and has himself proposed various standards for the interception of communications and the Europe-wide handover of intercepted data to ETSI.

Sven Herpig, Head of International Cybersecurity Policy at the New Responsibility Foundation (Stiftung Neue Verantwortung), also took part in the „Encryption Roundtable“. Asked about his participation, he calls the influence of police forces and secret services in standardisation bodies like ETSI a „game over for secure communication“. He also has doubts about the envisaged use of vulnerabilities and first calls for a surveillance audit to check whether such interventions are necessary at all. Of the three measures proposed, the use of quantum computing to break encryption is the least invasive, he says. But here, too, an overall surveillance assessment would be needed first.

Letter of request from EU states to Commission and agencies

So far, work in the „Innovation Hub“ has been dominated by France, which has seconded a liaison officer to the „hub team“. Another permanent staff member comes from the EU agency for the operational management of large-scale IT systems (eu-LISA).

The hub currently has no fixed budget. The EU Commission is therefore called upon to free up funds for research in the „Innovation Hub“. The agencies are also to plan corresponding funds in their budgets and assign staff.

In addition to the minutes of the conference, the General Secretariat of the Council has distributed a kind of petition for the „Innovation Hub“. Statewatch has also published this document. According to it, the current staff costs of the participating agencies amount to about €669,000, in addition to the ongoing projects worth €4.15 million. The recent annual meeting cost another €96,000.

Image: France’s gendarmerie hacked the encrypted Encrochat network; the head of the operation now works at Europol (SCRCGN).

Author: Matthias Monroy

Knowledge worker, activist, editor of the German civil rights journal Bürgerrechte & Polizei/CILIP.
