EU: Discussion on encryption ponders "retention of vulnerabilities and exploitation by the authorities"


At a recent event hosted by Europol's Innovation Hub, participants discussed questions relating to encrypted data and the ability of law enforcement authorities to access digital information. One issue raised was a possible "EU Vulnerability Management Policy for Internal Security," which could allow for "temporary retention of vulnerabilities and their exploitation by the relevant authorities." In effect, this would mean identifying weaknesses in software and, rather than informing the software developers of the problem, exploiting it for law enforcement purposes.

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

According to Europol:

"The EU Innovation Hub for Internal Security is a collaborative network of innovation labs that works to provide the latest innovation updates and effective solutions to support the work of internal security actors in the EU and its Member States, including justice, border security, immigration, asylum and law enforcement practitioners. "

Problems with reality

Establishment of the Hub has been pushed heavily by the Council's internal security committee, COSI, which is eager to get it fully up-and-running (pdf). COSI (the Committee on operational cooperational on internal security) was established by the Lisbon Treaty, although it was mentioned in "the very first drafts of the EU Constitution, drawn up in the wake of 11 September 2001."

COSI's note considers that for the Innovation Hub, there is an "emerging gap between capabilities and expectations, between the political ambition and the reality."

There appear to be issues with sustainable financial support and staffing, which is providing difficult to remedy as the Hub relies on voluntary contributions of both funds and personnel:

"The fact that the Hub continues to function mainly on a voluntary basis and dependent on the support that the Agencies and the Member States can offer in line with their own budgetary limits is making it increasingly difficult for the Hub to continue its development as the platform for innovation in internal security.

...The high level of political ambition and operational needs, combined with the lack of sustainable financial means and commitment, could lead to a situation where the Hub simply cannot deliver on its mission and tasks, leading to disenchantment and loss of trust. This would jeopardise the future opportunities of the Hub, an ambitious and genuinely joint EU-level multi-sector innovation platform on internal security."

In mid-September the Innovation Hub organised its second annual event, bringing together:

"COSI representatives, JHA counsellors, representatives of EU JHA agencies, Innovation experts from national law enforcement agencies (LEAs), Office of the EU Counter Terrorism Coordinator, Council General Secretariat, European Commission (DG Home and JRC), Czech and incoming Swedish Presidencies, public and private research institutes, industry representatives, Horizon project representatives and civil society organisations."

A brief report produced by the Innovation Hub (pdf) summarises discussions at the event.

Political ambitions not yet met

Luis de Eusebio Ramos, the Europol Deputy Executive Director for "Capabilities", told the audience in a pre-recorded opening speech that "continued efforts were needed in order to fulfil the ambitions expressed by COSI."

He also referred to the "relevance of the Hub's pilot projects, in particular the Accountability Principles for Artificial Intelligence (AP4AI)."

While principles are no doubt a good thing to have, sometimes the binding force of the law is more effective. The Council, however, has been seeking to increase the level of secrecy over police and immigration use of AI technologies, with a set of proposed amendments to the forthcoming AI Act.

The Council's recent move contrasts starkly with a point made by Michael O'Flaherty, the Director of the EU's Fundamental Rights Agency, at the conference's first session:

"...fundamental rights compliance had to be assessed at different stages: in the design of the technologies, in the training of the technologies, in the operation of the technologies, and following their application."

The Council's amendments seek to prevent such scrutiny. Mr O'Flaherty "also stressed the importance of strongly embedded oversight authorities to ensure a full respect for fundamental rights," which is something that appears to be proving difficult in the world of data protection.

The second session of the first day focused on "Innovation in Monitoring and Surveillance".

Here, "discussions focused on the application of AI, highlighting the importance of investing in innovation, where legal and ethical assessments are given the highest priority from the outset."

However, the report also notes that "discussants... agreed that innovation should not be hampered by over-regulation."

The third panel covered "Digital Investigation Tools: From Research to Use".

The report notes that:

"In order to help law enforcement agencies to make the most of the opportunities offered by new technologies, and make their job more efficient and effective, the Europol Innovation Lab created the Europol Tool Repository hosting cost-free software tools to help investigators in their daily activities. These non-commercial tools are provided by Law Enforcement Agencies or by Research and Technology Organisations. The tools have been downloaded hundreds of times and have already supported several investigations."

The fourth panel dealt with "Justice and Accountability: Visions for the Future of Innovation for Security – towards Responsible Use of Technologies," and was followed by closing remarks: "Overall, the agencies are enthusiastic about the Hub’s achievements so far they all committed to increase their engagement and, where possible, their resource commitments."

Discussion on encryption

The second day opened with a discussion on encryption, "in order to go beyond the polarized positions that tend to oppose security and privacy, and to propose an alternative way forward supported by innovations."

"The discussion started with the opportunity of a possible EU Vulnerability Management policy for Internal Security and the necessary conditions for its successful development, in particular appropriate and dynamic oversight mechanism," says the report.

There was also talk of the possiblility of "temporary retention of [software or hardware] vulnerabilities and their exploitation by the relevant authorities," albeit with a "rigorous risk assessment process" in place.

Finally, there was an informal meeting of the Innovation Hub's Steering Group:

"Member State representatives expressed the wish that national needs and priorities should be reflected in the work of the Hub. The Steering Group agreed that this could be achieved through the mapping exercise that is nearing completion, as well as by hosting Member State representatives in the Hub Team (noting that France already seconded a national expert to the Europol Innovation Lab to work on some Hub-related projects). The Steering Group also agreed that the Hub’s activities could benefit from greater visibility at Member State level."


Further reading

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error