27 October 2016
- In answer to a Questionnaire Member States' responses showed: "the need for practically orientated measures prevailed over the need for adoption of new legislation on EU level."
The Council of the European Union is considering ways for law enforcement agencies to get access to encrypted messages. There are different laws and practices in Member States and it appears that a majority of them favour the better exchange of knowledge and practices to get access rather than a harmonised EU law. Many national laws prescribe that:"a prior judicial order is often required."
In September 2016 the Council Presidency circulated to Member State the following: Encryption of data - Questionnaire (LIMITE doc no: 12368-16, pdf):
"Over lunch during the informal meeting of the Justice Ministers (Bratislava, 8 July 2016) the issue of encryption was discussed in the context of the fight against crime. Apart from an exchange on the national approaches, and the possible benefits of an EU or even global approach, the challenges which encryption poses to criminal proceedings were also debated. The Member States' positions varied mostly between those which have recently suffered terrorist attacks and those which have not. In general, the existence of problems stemming from data/device encryption was recognised as well as the need for further discussion.
To prepare the follow-up in line with the Justice Ministers' discussion, the Presidency has prepared a questionnaire to map the situation and identify the obstacles faced by law enforcement authorities when gathering or securing encrypted e-evidence for the purposes of criminal proceedings." [emphasis added]
A number of questions to Member States concern whether judicial authorities have to agree access including:
"Under your national law, is there an obligation for the suspects or accused, or persons who are in possession of a device/e-data relevant for the criminal proceedings, or any other person to provide law enforcement authorities with encryption keys/passwords? If so, is a judicial order (from a prosecutor or a judge) required? Please provide the text of the relevant provisions of your national law." [emphasis added]
The response of Member States
Member States responses to the Questionnaire is not available but the Council Presidency has circulated a summary and made recommendations in: LIMITE doc no: 13434-16 (pdf):
"Delegations will find in annex a discussion paper to facilitate the debate on the issues related to encryption following the answers to the questionnaire provided by Member-States."
The need for secure and safe communications in everyday life is seen as a fundamental right so:
"The e-Privacy Directive... encourages the use of encryption technologies to protect users' communications. However, the opportunities offered by the encryption technologies are also exploited by criminals in order to hide their data and potential evidence, protect their communications and mystify their financial transactions."
"The use of encryption deprives law enforcement of crucial evidential opportunities, especially given the fact that it is no longer restricted to desktop computers but increasingly available on mobile devices and many commercially available communication platforms have now encryption by - default (increasingly by way of end-to-end encryption leading to situations where services are not interceptable)." [emphasis added, here and below]
"neither the suspect, nor the accused who is in possession of a digital device/electronic data are under the legal obligation to provide to the law enforcement authorities the encryption keys/passwords, in most cases due to the right against self-incrimination.....
service providers are obliged according to national law to provide law enforcement authorities with encryption keys/passwords; a judicial order is not always required. However...
interception/monitoring of encrypted data flows is possible under certain conditions prescribed in the national law with the aim of obtaining decrypted data; a prior judicial order is often required...."
Lack of technical capacity, finance and training
Among top 3 "challenges" emerging from the questionnaire is the:
"the lack of sufficient technical capacity both in terms of efficient technical solutions to decrypt and respective equipment is among the top 3 challenges, followed by the lack of sufficient financial resources and personal capacity (both in terms of numbers and training of staff)."
And the conclusion drawn from the questionnaire is:
"the need for practically orientated measures prevailed over the need for adoption of new legislation on EU level."
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.