Encryption: Police want real-time access to data streams from WhatsApp & Co.

For almost a year, the EU's so-called High-Level Expert Group on Data Access for Effective Law Enforcement (HLEG) has been working behind closed doors as part of the Crypto Wars on solutions to the "wicked problem" of encryption ("going dark") identified by home affairs politicians and investigators. In response to a freedom of information request from MEP Patrick Breyer (Pirate Party), the EU Commission has now published a number of presentations - some of which have been redacted – that shed some light on the discussions. The focus of practitioners and standardization bodies is therefore primarily on gaining access to metadata and communication data in real time, even for fully encrypted services such as WhatsApp, Signal and Threema.

The National Technical Support Unit (NTSU) of the Belgian Federal Police has made particularly far-reaching demands in this direction. "The focus is on real-time data – managed by the OTT," it emphasizes, referring to "over the top" platforms that offer users services such as messaging directly via the internet. The best way to achieve this is through direct contact with big tech companies, for example, which are usually based in the EU and therefore have to deliver. The technical support unit refers to this as the "Yahoo approach" because this method apparently works particularly well for the US provider, for example for email and search.

The NTSU propagates a procedure via the "front door", which does not require any back doors in encrypted products. A law enforcement agency would submit a standardized request directly to the OTT service provider's data processing unit - possibly supported by a warrant from a judge. The latter must send a response with the requested data in the same standardized form, securely and in a "comprehensible" format (almost) in real time. This is "invisible, discreet and secret for the target" of the investigation and technologically neutral. "We love encryption," explains the NTSU. "Even when it's end-to-end encryption" (E2E). However, such protection mechanisms do not change the fact that the operator or a third-party provider commissioned by it is obliged to hand over the data in plain text.

Comeback of untrustworthy trust centers?

This does not apply to past communication, but only to future communication from the time of the order, the police unit clarifies. They want to avoid a race for interception technologies. The NTSU rejects the alternative use of state Trojans and other forms of "state hacking", which could be used to retrieve data before or after decryption on the end user's device, for example, as uncertain, expensive and sometimes ineffective. It would also torpedo cooperation in the event of vulnerabilities. Operators of services with E2E repeatedly emphasize that they themselves have no access to the unencrypted communication. However, the Belgians are not interested in this.

The Cyber Technical Committee of the EU telecommunications standardization authority ETSI is working on a solution for this. In a diagram, it refers to a "trusted authenticated party", which should receive and manage an access key. However, IT security experts have considered the inclusion of such third parties to be an indisputable breaking point for years. The ETSI team is also showing interest in a standardization mandate for "Lawful Access by Design". The EU Commission is also bringing more intensive standardization into play. It is also pushing to "strengthen and codify cooperation between commercial companies and law enforcement authorities so that technical product documentation and source codes are shared voluntarily."

The Brussels-based government institution also recommends "legislation to combat the use of encryption devices that are proven to be used exclusively for communication between criminals". Technology providers should be obliged to "allow access to data stored on users' devices at the request of judicial authorities". Other presentations include data retention and potential cooperation with Microsoft data centers in the Netherlands.

(olb)