By PATRICK STEPHENSON
BRUSSELS – As cheap encryption methods have proliferated, European legal authorities often find themselves stymied in pursuing and dismantling criminal networks that use encrypted communications – code-speak that even nation-state computer assets have trouble breaking.
In response, police want more authority and the capabilities to decode encrypted messages. But consumers using encrypted tools like WhatsApp value the privacy that encrypted communications ensure. A balance obviously must be struck between European consumer privacy rights and the need for European police to track down criminals who exploit encryption for illegal profit.
Towards this end, the European Commission released on 18 October its package of six proposals dealing with criminal digital encryption. These were folded into its 11th progress report on the EU’s Security Union programme.
One proposal, for example, calls for boosting Europol’s decryption capability with more security-related personnel posts, while others advocate the creation of a network of expertise among cyber-savvy security experts within national authorities and providing the latter with a toolbox of “alternative investigation techniques”, though the progress report does not specify what those tools should be.
Stronger information exchanges among national authorities, service providers and industry are another goal, as is the package’s proposal for more decryption training programmes for law enforcement and judicial authorities, with EUR 500,000 to be set aside for that goal. Finally, the package urges a “continuous assessment of [encryption’s] technical and legal aspects” in criminal investigations.
To weigh the merit of these proposals, cyber-encryption experts, social media executives and Commission staffers gathered at the Centre for European Policy Studies here on 26 October.
Claudia Warken, project manager on cybercrime at the Commission’s policy department for migration and home affairs (DG-HOME), said law enforcement agencies are increasingly dependent on electronic evidence but that their demands for greater encryption capabilities must be weighed against citizen rights to privacy. “It’s not just criminals” who are using encryption, she said. “Everyone is using encryption more and more for their security.”
However, she conceded that Europol doesn’t have the computer assets for decryption. “You need lots of computing powers for intelligent password guessing. But those calculation powers need cooling rooms [for the processors]. Europol can’t provide the cooling rooms,” she said, noting that the agency also needs things as basic as up-to-date software.
For Warken, Europol needs better decryption capabilities in part because smaller EU countries rely heavily on the agency. “They can’t afford their own encryption skills.” She said one solution lies in getting the EU’s larger member states to share their assets and knowledge through jointly operated national centres for cryptography. “The idea is to get the national centres of expertise and link them together, possibly under Europol’s guidance.”
Warken said that the Commission is proposing to establish an “observatory” to keep track of future decryption developments, in particular regarding quantum encryption, which could reduce the time needed to crack elaborate encryption algorithms from decades to seconds. But the proposal is modest.
“This observatory could be the equivalent of one full-time job, possibly in collaboration between agencies, funded through the Horizon 2020 programme,” she said, referring to the EU’s general research budget.
Addressing the conference via videolink, Christopher W. Savage, a partner in the Washington-based law firm of Davis Wright Tremaine LLP, compared the Commission’s plan favourably against US efforts, which he described as “fundamentally irrational”.
According to Savage, “fear and money are driving US encryption policy. We’re afraid of being attacked, and the intelligence agencies are afraid of being blamed [after an attack].”
Savage said US intelligence agencies are motivated by an “irrational attachment to a mathematical impossibility”, namely that with enough computer power, encryption can always be broken. Massive processing power requires spending, and “nobody wants to spend the money,” he argued. As a result, he said the US may try to ban strong encryption altogether, including the use of encryption by law-abiding citizens for private communications.
By contrast, the US lawyer said the Commission’s proposal was worthwhile because it recognises that breaking high-level encryption is not always possible, and because it tries to balance the legal use of encryption for communications against law enforcement concerns. “Nothing would make me happier than if the US would be a bit more mature in that way,” he said.
Cristina Vela, who chairs a working group on data protection at the Brussels-based European Telecommunications Network Operators’ Association, said “strong encryption is here to stay”.
Per Vela, accommodation must be found between maintaining privacy and catching criminals. She gave the example of Brazil, where judges have repeatedly shut down the popular messaging application, WhatsApp, because the company has refused to hand over messages between suspected drug smugglers and dealers. In response, WhatsApp said in a press release: “We cannot share information that we don’t have access to.”
One full-time staffer does not an encryption “observatory” make. Rather than fund good-paying jobs – which is what many of the proposals seem to imply – the Commission would do better to give funds to institutions such as Europol that need them for things such as server cooling rooms. Good people are only part of the answer. They need the right tools.
That said, it’s more than commendable that citizen privacy is a solid part of the Commission’s equation. It’s a shame one can’t unite US computer resources with European ideals.