"Going Dark" group: broadside against encryption and anonymity online

EU law enforcement experts demand the impossible from WhatsApp, Signal & Co.: the installation of eavesdropping interfaces and the guarantee of IT security.


Direct access to messages would render the encryption mechanisms of secure messengers absurd.

(Image: Tero Vesalainen/Shutterstock.com)

This article was originally published in German and has been automatically translated.

The controversial EU High Level Group on Data Access for Effective Law Enforcement (HLG) has presented its recommendations. In the 42-point paper, the experts, who mainly come from the area of law enforcement in the EU and the member states, demand the technically impossible from communication service providers with end-to-end encryption such as WhatsApp, Signal, Threema & Co.

The service providers are supposed to guarantee the IT security of their services, but at the same time build interception interfaces directly into their applications to allow investigators to access data in plain text almost in real time. To do this, however, end-to-end encryption (E2EE) would have to be broken, bypassed or - via a third party with a master key, for example - circumvented. This would leave nothing of IT security and data protection for users.

The EU Commission set up the working group last year at the urging of the member states. The starting point was the ongoing Crypto Wars and the associated debate about the "going dark" scenario, according to which the increasing end-to-end encryption of messenger services in particular threatens to make investigators blind and deaf. Scientists believe this to be a myth, but the police and judiciary want the "evil problem" of encryption they have identified to be solved. At a meeting with representatives of law enforcement and judicial authorities from the USA last year, they called for access to unencrypted communication data to be integrated directly into the technology using the principle of "lawful access by design".

The HLG has taken up this appeal. Its catalog, which is classified as confidential and was published by Netzpolitik.org, calls for the implementation of "lawful access by design" in "all relevant technologies in line with the requirements expressed by law enforcement authorities". At the same time, "a high level of security and cybersecurity must be guaranteed and full compliance with legal obligations regarding lawful access must be ensured". According to the HLG, police practitioners should "contribute to the definition of requirements". However, it is not their job to "impose specific solutions on companies". Instead, the experts recommend the development of a technology roadmap that "brings together experts in technology, cyber security, data protection, standardization and security and ensures appropriate coordination".

At the same time, the HLG emphasizes that any relevant new obligations, legal instruments or standards "should not directly or indirectly lead to providers having to weaken the security of communications by undermining E2EE in general". Therefore, requirements "for access to clear data should be subject to careful assessment based on state-of-the-art technological solutions". The "challenges of encryption" must also be taken into account.

In principle, manufacturers or service providers already have a duty to enable lawful access through technology design. However, they should do so "in such a way that this does not have a negative impact on the security of their hardware or software architectures". "Uncooperative" service providers should face sanctions.

There are also calls for the "introduction of a harmonized EU system for data retention", which should be "technology-neutral and future-proof" and should also cover current and future data processors, including "over-the-top" platforms that offer services such as messaging directly over the internet. Access to "comprehensible data" must also be ensured. For metadata such as location and connection information and subscriber data, there should therefore be a way for the service provider to decrypt it "at any time during the provision of the service" if it is encrypted.

The HLG is also pushing for at least a requirement for companies to "store data long enough for each user to be clearly identified", for example via IP address and port number. Anonymity on the internet would no longer be possible. In Germany, the debate about IP data retention is already raging. The EU interior and justice ministers are to discuss the list at their next meeting on June 13 and 14 and identify "easily achievable goals" by then, "which should be pursued or tackled immediately". The Pirate Party's lead candidate for the European elections, Anja Hirschel, warns: "The Going Dark plans are an unprecedented, excessive leap directly into a fully monitored society."

(mho)