Strong Crypto and Policing: EU Again Debates EncryptionEU Lawmakers Tackle Strong Crypto and Law Enforcement Access to Data
European lawmakers are once again considering encryption policies and attempting to strike a balance between the privacy and security afforded by strong encryption and law enforcement's needs. But with encryption being a cornerstone of the internet, and all Europeans having the right to privacy, is there any new balance to be struck?
A draft document published by the Council of the European Union on Nov. 6, and due to be presented to the full EU Council on Thursday for discussion, appears to be trying to reconcile potentially conflicting aims.
For instance, the paper calls for EU member states and institutions to cooperate on developing potential technical solutions that would enable police and law enforcement to use their investigative powers during an investigation while at the same time upholding citizens' rights and preserving the advantages of encryption.
"Competent authorities must be able to access data in a lawful and targeted manner … in full respect of fundamental rights and the data protection regime, while upholding cybersecurity," the paper states.
The Nov. 6 draft resolution does not call for any specific new regulations. Rather, it's designed to prompt a discussion about encryption.
Government authorities have legal rights to access private data in criminal and security cases. But authorities note that encryption often makes it impossible to exercise those rights and access the data they seek.
More Government Officials Demand Backdoors
Some government officials and law enforcement agencies, both inside and outside of Europe, continue to push for so-called encryption backdoors to help with crime investigations.
In April, for example, the U.S. Department of Justice criticized Apple's refusal to offer law enforcement officials access to the data stored on two iPhones belonging to a Saudi national who killed three U.S. sailors at a military base in 2019. Attorney General William Barr said the decision cost investigators time and money. Not for the first time in this type of situation, however, the FBI eventually accessed data stored on the devices using means that did not involve Apple.
Crypto debate watchers say this is a common refrain: Government officials argue that they should have the ability to fully access any device and all of the data it stores during the course of an investigation and demand that manufacturers make this happen, no matter the cost. But at the same time, officials often fail to discuss that there are other ways of obtaining the data, including third-party tools for bypassing encryption, as well as law enforcement tactics, such as recruiting informants or obtaining a court order to install malware on a target's PC (see: Dutch Police Bust 'Cryptophone' Operation).
In some cases, law enforcement can break decryption keys via brute force, but some keys can take months or even years to crack. A judge can also demand that a suspect offer up all passwords when a court demands, or face up to five years in prison. But legal experts say that rarely happens, due to a lack of proof that the data on the devices would be relevant to the investigation.
Backdoors Pose Hacking Risk
Cybersecurity experts have long argued that encryption backdoors are a bad idea because a backdoor by definition means weak cryptography, and weak crypto is easy for any crime gang, unfriendly nation-state or other type of hacker to exploit.
Jake Moore, a former member of the U.K. Police Digital Forensics Unit and Cyber Crime Team who's now a cybersecurity specialist at security firm ESET, is one of many in the field who argue that creating backdoors for law enforcement eventually would lead to devices being hacked by cybercriminals.
"You simply cannot support the development or implementation of encryption if you create a backdoor, even for the government," Moore says. "If you create a way to break it for law enforcement, you do the same for the bad actors - and ultimately, break the internet and any trust that goes with it."
Europol Not Seeking Backdoors
In January 2018, the 13th Security Union Progress Report noted that an additional 5 million euros ($5.8 million) was provided to strengthen the European Cybercrime Center's technical capabilities to deal with issues related to encryption. Also known as EC3, the center is part of the EU's law enforcement intelligence agency, Europol.
"Encryption as a very difficult and sensitive topic," Philipp Amann, the head of strategy at EC3, recently told Information Security Media Group.
"From our perspective, it is very clear we need strong encryption; we don't want to have any backdoors," because encryption "is a building block of our internet," he said. But where does that leave investigations in which criminals are abusing encryption? "So that's a very difficult space, especially for law enforcement. Because you can't really have your cake and eat it. … You can't have strong encryption and easy access to the encrypted information in the context of a criminal investigation."
In the real world, law enforcement can obtain a court order to tap a landline or mobile telephone. But even if law enforcement was able to replicate phone tapping in the digital world - potentially by making phone manufacturers install the equivalent of malware on every device in the EU - experts say this would likely violate Article 8 of the EU's Charter of Fundamental Rights, which stipulates that Europeans have the right to protection of their personal data.
The EU's General Data Protection Regulation, however, offers exemptions to privacy requirements for the processing of personal data by law enforcement or to safeguard national security, but only on a targeted basis.
Better Encryption on the Way
Meanwhile, technology advances. So as law enforcement continues to look for ways to navigate the encryption debate - and criminals and nation states are developing new tactics to counter crypto - cryptologists are working on making encryption even harder to break.
For example, a trio of researchers have published a paper on how to build indistinguishability obfuscation or IO. This is intended to hide the inner workings of a computer program, acting as a cryptographic master tool from which nearly every other cryptographic protocol could be built, including public key encryption and fully homomorphic encryption. This would mean cloud computers could compute using encrypted data without learning anything about it.