Crypto Wars: EU police call for debate on circumventing encryption
Police and judicial authorities in the EU are primarily promoting client-side scanning, i.e. searching and extracting private communications from end devices.
EU police and judicial authorities are increasing the pressure almost daily in the ongoing Crypto Wars and the associated discussion about the controversial "going dark" scenario, according to which the increasing end-to-end encryption of chat services such as WhatsApp, iMessage, Facebook Messenger and Signal in particular threatens to make investigators blind and deaf. The "EU Innovation Hub for Internal Security" is now calling for an extended debate on the use or introduction of methods to circumvent encryption. The group is focusing in particular on client-side scanning (CSS), i.e. the scanning and extraction of private communications directly on user devices such as smartphones. Such techniques deserve a "thorough examination".
The appeal is part of the first report by the Innovation Center on Encryption, which Europol published on Monday. In addition to the EU Police Office, the hub includes Eurojust, EU-Lisa, which is primarily responsible for IT systems for border control, the EU Counter-Terrorism Coordinator, the EU Commission's Joint Research Center and its Directorate-General for Home Affairs.
"Lately, the debate between the privacy of the individual and the collective security and integrity of a person has evolved into a more constructive discussion," the report states. However, there are still "challenges" to overcome in this area. The key to success lies "in promoting dialog, collaboration and innovation to ensure that both individual rights and the need for lawful surveillance are respected". However, according to technical experts, a little bit of encryption is just as impossible as being a little bit pregnant.
Legislators and courts are already responding
"Most EU Member States have general legal provisions on access to encrypted information", explain Europol & Co. Some have even recently amended existing national laws in areas "relevant to circumventing encryption". These amendments potentially offer additional opportunities to collect and use encrypted data. Enhanced search capabilities and means for targeted lawful access could be beneficial in the collection of encrypted data.
The recently adopted EU dossier on electronic evidence (e-evidence) is praised by internal security experts as a "step in the right direction for access to digital information in cross-border criminal investigations" regarding the cloud, for example. Although the corresponding regulation does not require service providers to provide data in plain text, the expected faster transmission of requested information could prove beneficial considering the differences in data retention periods in the EU countries, "which are problematically short in some cases". The case law of the European Court of Justice, for example, concerning infiltrated encrypted communication services such as Encrochat also appears to favor law enforcement agencies.
CSS plays an important role in the dispute over the planned chat control. Just last week, numerous civil society organizations, cybersecurity experts and IT companies mobilized against this in a petition launched by the Global Encryption Coalition in view of the latest "compromise proposal" of the Belgian EU Council Presidency on chat control. The security and legal concerns expressed by experts regarding client-side scanning continue to exist. The problem of online dissemination of child sexual abuse material cannot be solved in this way. On the contrary, it would "create considerable security risks for all citizens, companies and governments".
New mobile networks should be able to be monitored
According to the report, "home routing" in 4G and 5G networks, i.e. the centralization of communication services by network operators, also creates problems. This means that people within national borders who use a foreign SIM card can no longer simply be tapped. This would only be possible if the foreign service provider cooperated with the domestic provider. From a technical point of view, "further research is therefore required" to find a solution that also meets the data access requirements for investigators. Meanwhile, it should be demanded "that data protection-enhancing technologies are deactivated in home routing". Law enforcement authorities also need a legal framework for the use of interception technologies for user identification in the form of so-called SUPI catchers in next-generation mobile networks (5 and 6G).
Recently, it has already become known that the controversial EU High-Level Group on Data Access for Effective Law Enforcement is calling for access to unencrypted communications data to be integrated directly into the technology with the principle of "lawful access by design". Previously, the Belgian police in particular had campaigned for real-time access to data streams in plain text from WhatsApp & Co. Back in April, European police chiefs, including Europol, urged governments and the digital industry to take urgent measures against end-to-end encryption.
(olb)