- Home /
- News /
- 2015 /
- October /
- EU: Europol seeks "workable solution" on law enforcement access to encrypted data
EU: Europol seeks "workable solution" on law enforcement access to encrypted data
27 October 2015
Europol, the EU's policing agency, has called for:
"a workable solution to the issue of encryption which allows legitimate users to protect their privacy and property without severely compromising government and law enforcement's ability to investigate criminal or national security threats."
The demand to make it easier for law enforcement authorities to access encrypted communications comes in Europol's latest
'Internet Organised Crime Threat Assessment' (IOCTA) (4.4 MB, pdf), which was published at the end of September.
The report suggests that EU Member States should provide quantitative data to Europol's European Cybercrime Centre (EC3) in order to better inform the qualitative debate on the issue:
"The debate currently underway is one that quite rightly is being held in public. Whilst most would agree with the sentiments of wanting their law enforcers to have access to criminals' communications, the dilemma is the negative impact of the ways in which this would be achieved. However, one significant piece of data is missing from the debate: the scale of the problem. What is currently not in the public domain is the degree to which criminal detection and investigation is being hampered by the use of encryption by criminals.
"It would seem that if a proper public debate is to be forthcoming, if legislators are to be trusted in what they wish to place into law, and if decisions on what inevitably will be compromises in security and privacy are to be evidence based, it is important that the problem is quantified in a way that earns the trust of most if not all members of the public. EC3 will be asking Member States if they will cooperate in providing the data to enable the nature of the problem (current and future potential) to be established."
Return of the "crypto wars"
High-level EU officials have previously weighed in on the encryption debate, which many consider to be a revival of the "crypto wars" of the 1990s, when the US government attempted to "compel companies to give the government backdoor keys into commercial encryption technologies." [1]
In January this year the Counter-Terrorism Coordinator, Gilles de Kerchove, suggested that the European Commission "explore rules obliging internet and telecommunications companies… [to] share encryption keys," while Europol director Rob Wainwright has said that technology firms "should consider the impact sophisticated encryption software has on law enforcement." [2]
The IOCTA says that de Kerchove's proposed solution, known as "key escrow" and which would require "anyone using encryption… to file a copy of their encryption key with either a government agency or possibly a trusted third party," is impossible in a practical sense and would open the door to massive security breaches.
The authors note the impracticality of acquiring keys from services that generate a new key pair for every communication; the impossibility of only permitting communications using keys that had been placed in escrow; the enormous risks presented by possible breaches of databases of encryption keys; and the difficulties with cross-border requests for and transfers of keys.
Aside from Europol's request for quantitative data from Member States, by the end of this year the EU is expected to launch an 'EU Internet Forum' which will "bring IT companies together with [law enforcement agencies] and civil society" and "focus on deploying the best tools to counter terrorist propaganda on Internet and in social media and will explore concerns of LEA on new encryption technologies." The most recent preparatory meeting for the launch of the forum was held on 22 October. [3]
Forced disclosure?
The IOCTA notes that a partial solution to law enforcement agencies' problems with encryption can be found in "obligation to disclose" laws, which would require an individual to disclose their encryption keys or face a criminal penalty, although "this tends to be effective only when data remains on the suspect/criminal's computer. If they keys are transient, especially if they are system generated, it can be practically impossible to recover these."
In the UK, the Regulation of Investigatory Powers Act (RIPA) sets out penalties for refusing to disclose passwords, and a number of people have been imprisoned for denying the police access to encrypted material.
Syed Hussain - already in prison for plotting an explosive attack on a Territorial Army centre - was "sentenced to four months in prison for refusing to hand over the password for an encrypted USB stick that was seized in a counter-terrorism operation." [4]
In October 2010 Oliver Drage received a four month prison sentence for refusing to disclose the 50-character password that decrypted material stored on his computer. [5]
In July 2014 Christopher Wilson was imprisoned for six months after refusing to disclose his passwords to the police. At the time he was "suspected of attempting to break into a law enforcement website and 'trolling' the Newcastle Police by fooling them with a prank phone call." [6]
Robot crime?
Aside from the issue of the encryption, the report's main focus is on "key developments, changes and emerging threats in the field of cybercrime," such as fraud, malware and child sexual exploitation.
However, it also contains an annex that considers the possible effects of the development of artificial intelligence (AI) on law enforcement activity:
"One issue that could become a true challenge for law enforcement is the involvement of AI-based machines in the commission of crime…
"While the malfunction of a machine can rather easily be handled as an accident that does not require intensive criminal investigations, the increasing use of AI could be a game changer."
Four main questions are raised:
Liability: "Who will be made responsible? The hardware production company? The AI software company? The implementer?"
The ability of AI systems to learn: "Not having implemented measures to restrict possible action of AI-based decisions could in the future be the focus of law enforcement investigations against manufacturers of such systems."
The issue of mens rea (Latin for "guilty mind"), a key component of criminal law and described in the IOCTA as "ultimately the concurrence of intelligence and violation. The question is if this includes artificial intelligence. This is certainly not the traditional understanding of mens rea."
"Finally what will be the consequences and penalties that will be applied? Imprisonment will most likely not be a suitable option."
Document
Europol, 'The Internet Organised Crime Threat Assessment (IOCTA) 2015', 30 September 2015 (4.4MB, pdf)
Footnotes
[1] Electronic Frontier Foundation, 'The Crypto Wars: Governments Working to Undermine Encryption', undated; Eric Geller, 'The rise of the new Crypto War', The Daily Dot, 10 July 2015
[2] EU Counter-Terrorism Coordinator, 'EU CTC input for the preparation of the informal meeting of Justice and Home Affairs Ministers in Riga on 29 January 2015', DS 1035/15, 17 January 2015; 'Europol chief warns on computer encryption', BBC News, 29 March 2015
[3] Presidency, 'EU Cybersecurity Strategy: Road map development', 6183/2/15 REV 2, 5 June 2015; Friends of the Presidency Group on Cyber Issues, 'Summary of discussions', 12918/15, 15 October 2015
[4] Sophie Curtis, 'Man jailed for refusing to divulge USB password', The Telegraph, 15 January 2014
[5] 'Man jailed over computer password refusal', BBC News, 5 October 2010
[6] Joseph Cox, 'How Refusing to Hand Over Your Passwords Can Land You in Jail', Motherboard, 9 July 2014