Encryption & Key Management , Endpoint Security , Governance & Risk Management
EU Launches Decryption Tool for Law EnforcementMove Seen as Alternative to Weakening Encryption
Europol, the EU's law enforcement intelligence agency, and the European Commission are launching a new decryption platform to help law enforcement agencies decrypt data that has been obtained as part of a criminal investigation.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
By circumventing encryption rather than weakening it, Europol's approach aims to satisfy both law enforcement agencies and privacy advocates, says Jim Killock, executive director at the Open Rights Group.
"Where police are authorized by an independent authority to gain passwords or crack a device, then getting around encryption is legitimate," he says. "What is not legitimate is weakening encryption for the vast majority of us who are innocent bystanders and need security from crime, or stockpiling knowledge of software vulnerabilities which expose everyone to ongoing risks from criminals."
Dirk Schrader, global vice president at New Net Technologies, who is based in Germany, says: "Likely, Europol hasn't solved all of the issues, but the fact that it can do something without such weakening, while maintaining a well-established judicial process to get a wiretap warrant, should sooth privacy folks as well as politicians."
Some politicians in Europe and around the world have been demanding a weakening of the cryptographic methods used in telecommunication to ease crime investigations. But privacy advocates and the security industry have both strongly opposed encryption “backdoors” for law enforcement agencies, saying they could also be exploited by fraudsters.
What Does 'Decryption' Mean?
It's not clear exactly what functions the new EU decryption platform performs.
The platform was developed by Europol’s European Cybercrime Center, in collaboration with the European Commission's Joint Research Center.
NEW DECRYPTION PLATFORM LAUNCHED— Europol (@Europol) December 18, 2020
Developed in cooperation with @EU_ScienceHub and @EU_Commission and operated by @EC3Europol. It will significantly increase our capability to decrypt info lawfully obtained in criminal investigations.
Read more: https://t.co/xHOg5N6kP1
"The launch of the new decryption platform marks a milestone in the fight against organized crime and terrorism in Europe," Europol says in a statement. "This initiative will be available to national law enforcement authorities of all member states to help keep societies and citizens safe and secure."
Europol’s European Cybercrime Center, or EC3, will be the first agency to operate the platform, using it to provide support to law enforcement investigations. EC3 focuses on cybercrime committed by organized crime groups.
In January 2018, the 13th Security Union Progress Report noted that an additional 5 million euros ($5.8 million) was provided to strengthen EC3's technical capabilities to deal with issues related to encryption (see: Strong Crypto and Policing: EU Again Debates Encryption).
Law enforcement agencies can obtain a court order to tap phones. But online, police cannot simply install backdoors in devices because it would violate privacy rules contained in Article 8 of the EU's Charter of Fundamental Rights.
Using a decryptor, rather than weakening encryption, is an approach EC3 has previously supported. "We don't want to have any backdoors," because encryption "is a building block of our internet," Philipp Amann, the head of strategy at EC3, said in October.
'Significant Step Forward'
Europol released a report about the decryption platform. It notes that the growing use of sophisticated encryption makes it challenging for EU law enforcement and intelligence authorities to intercept communications between criminal organizations.
Commenting on the decryption platform, Catherine De Bolle, Europol’s executive director, notes: “We have made a significant step forward in combating the criminal abuse of encryption with the aim of keeping our society and citizens safe while fully respecting fundamental rights."
The report notes: "When files are protected with strong encryption or in the cases of whole disk encryption (e.g. TrueCrypt, BitLocker, FileVault2, WinRar or PGP) the use of brute-force or dictionary attacks can be extremely time-consuming (months, even years in some cases) and requires a great computational capacity (specialized commercial software and network cluster infrastructure)."
The report also states that it can be impossible to break cryptographic protection in cases when the perpetrators use technically advanced passwords or complex algorithms.
And while Europol does not offer specific details of how the new decryption tool works, a previous Council of the European Union report noted that the platform would use hardware and software tools to break encrypted communications during a lawful investigation.
Backdoors Remain Controversial
Over the last year, government officials and law enforcement agencies around the world have pushed for encryption backdoors to help with criminal investigations or have pressed device makers to provide access to encrypted data.
In April, the U.S. Department of Justice criticized Apple's refusal to offer law enforcement officials access to the data stored on two iPhones belonging to a Saudi national who killed three U.S. sailors at a military base in 2019.
While the FBI was eventually able to access the two devices on its own, some civil liberties groups questioned why the Justice Department put pressure on Apple to unlock the iPhones.
"Every time there's a traumatic event requiring investigation into digital devices, the Justice Department loudly claims that it needs backdoors to encryption, and then quietly announces it actually found a way to access information without threatening the security and privacy of the entire world," Brett Max Kaufman, a senior staff attorney at the American Civil Liberties Union, said at the time.
Tony Morbin, ISMG's executive news editor for EU, contributed to this report.