Last updated on March 9, 2021
The EU member states want to give investigators better access to encrypted communications. The concrete steps are still very vague.
Who should receive the keys to electronic communication?
The EU Member States want to strike a “better balance” between protecting private communications through encryption and fighting crime. This emerges from an internal paper of the EU Council of Ministers published by the Austrian Broadcasting Corporation (ORF) . The five-page document (PDF) does not, however, prefer any concrete procedures for breaking end-to-end encryption or even demand that they be banned. “There should, however, be no single prescribed technical solution to enable access to encrypted data,” the paper states.
The current position of the Council of Ministers is thus in line with a research paper published at the beginning of September 2020. This is intended to show methods to detect pedocriminal material even in encrypted communication. The EU Commission had considered the matter together with experts from Microsoft, Google, various police authorities, the secret service GCHQ and several victims’ associations.
The result is some half-baked technical suggestions (PDF) that break the end-to-end encryption in various ways to be able to evaluate the transmitted content. For example, a secondary key (“Exceptional Access”) is being discussed, which would allow law enforcement agencies or secret services to access the content that would then no longer be encrypted end-to-end.
As an alternative, it is suggested that the content be analysed with some kind of upload filter on the user’s smartphone or computer and, depending on the case, sent to authorities. This, too, would break the end-to-end encryption .
Council of Ministers calls for secure encryption and monitoring
The new Council of Ministers’ paper begins by emphasising that governments, critical infrastructures, civil society, citizens and industry “all benefit from powerful encryption technology”. This is also important for the transfer of personal data of EU citizens to third countries. However, it points out that the encryption procedures can also be used by criminals, so that the “competent authorities” would not be able to access them.
Respective concerns are regularly raised in the debate on access to encrypted communications. Most recently in an EU paper on access to communication data in the new mobile phone standard 5G.
According to the new paper, the EU should seek “active discussion” with the IT industry and security researchers “to ensure the continued implementation and use of strong encryption technology”. However, it then calls for: “Competent authorities must be able to access data in a lawful and targeted manner, fully respecting fundamental rights and data protection requirements, while ensuring cyber security. Technical solutions for access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality.”
The Council of Ministers is calling for EU-wide uniform regulations to this end, which, on the one hand, respect fundamental rights and, on the other hand, are to safeguard the advantages of encryption. It concludes: “Possible solutions should be developed in a transparent manner in cooperation with communications service providers.”
Hacking & Security: The comprehensive manual. 2. updated edition of the IT standard work (German) Hardback edition Trojan, secondary key or upload filter
Such “communication service providers” (CSP), as it is called in the English original, however, are not messenger services such as Whatsapp or Signal, which encrypt the communication content of their users and are called over-the-top providers (OTT). Rather, they are usually understood to be mobile phone providers or cable network operators that merely transport the data. However, it is unclear which providers the Council of Ministers specifically understands by this term.
However, the German government also plans to oblige providers to manipulate data traffic, for example to place Trojans on the terminal devices of suspects. To what extent the EU countries will pursue this approach is also open The ORF reports, citing further information which should be available to the broadcaster, that the monitoring method “Exceptional Access” is preferred by the EU states. However, this would require a follow-up on actual messenger services such as Whatsapp. Such access could, however, also be used by investigators and secret services of other states, so that such services, as in the case of the USA, would no longer be compatible with the provisions of the Basic Data Protection Regulation (DSGVO).
Either way, pedocriminals, terrorists or organised crime can simply use messengers or encryption services that do not have backdoors. Therefore, it is currently hard to see how end-to-end encryption can be circumvented without methods such as state Trojans and at the same time still maintain its actual function.
Read the original article here.