EU Commission says it does not seek crypto backdoors, will propose legal framework in early 2018 for Member States to help each other access encrypted devices

UPDATE 2020-07-20: Golem.de reports that Europol’s decryption platform involves the use of Hashcat. (Note: this is not surprising — Hashcat is the world’s best software for cracking a very wide variety of hashes via brute-force methods. It’s free & open source. Set up a huge GPU cluster, feed Hashcat with custom dictionaries, have fun. Notably, the inclusion of non-typical character sets — Cyrillic? Big5, i.e. Chinese? — and words/dictionaries pertaining to the realms that the inputs (e.g. user-supplied passwords) originate from may impact performance and necessitate more computational resources than, say, a typical pentesting company might employ when using Hashcat for non-LE purposes.)
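To make the “larger character sets need more compute” point concrete from the defender’s side, here is an added illustration (not code from the post, from Golem.de or from the Hashcat project) that estimates the size of a brute-force keyspace for different alphabets and how long exhausting it would take at an assumed hash rate, and then turns that around into the minimum password length that keeps the full keyspace out of reach for a given time budget. The alphabet sizes and the hash rate are constructed approximations for illustration, not Hashcat charsets or benchmark figures.

```python
"""Keyspace and time-to-exhaust estimates for brute-force password search.

Added illustration for the Hashcat note above; not code from the post or
from Hashcat. Alphabet sizes and hash rates are constructed approximations.
"""
from typing import Dict

# Approximate alphabet sizes used to show how the character set changes the
# search space (constructed for this example, not Hashcat's built-in charsets).
ALPHABET_SIZES: Dict[str, int] = {
    "ascii_lower": 26,
    "ascii_lower_digits": 36,
    "ascii_printable": 95,
    "russian_letters": 66,        # 33 letters, upper and lower case
    "big5_level1_hanzi": 5401,    # commonly used Hanzi in Big5 level 1
}

SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a mask of `length` positions over one alphabet."""
    if alphabet_size < 1 or length < 0:
        raise ValueError("alphabet_size must be >= 1 and length >= 0")
    return alphabet_size ** length


def keyspace_range(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Candidates for every length from min_len to max_len (incremental masks)."""
    return sum(keyspace(alphabet_size, n) for n in range(min_len, max_len + 1))


def dictionary_candidates(words: int, rules: int) -> int:
    """Candidates in a wordlist-plus-rules run: every rule applied to every word."""
    return words * rules


def seconds_to_exhaust(candidates: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at the given hash rate."""
    if hashes_per_second <= 0:
        raise ValueError("hashes_per_second must be positive")
    return candidates / hashes_per_second


def min_length_for_budget(alphabet_size: int, hashes_per_second: float,
                          budget_seconds: float) -> int:
    """Smallest length whose full keyspace exceeds rate * budget.

    This is the defender's view of the same arithmetic: choose the password
    length so that exhausting the keyspace does not fit in the time budget.
    """
    needed = hashes_per_second * budget_seconds
    length = 0
    while keyspace(alphabet_size, length) <= needed:
        length += 1
    return length


def compare_alphabets(length: int, hashes_per_second: float) -> Dict[str, float]:
    """Days needed to exhaust a fixed-length mask over each alphabet."""
    return {
        name: seconds_to_exhaust(keyspace(size, length), hashes_per_second) / SECONDS_PER_DAY
        for name, size in ALPHABET_SIZES.items()
    }


if __name__ == "__main__":
    # Constructed rate: an assumed cluster trying 1e12 candidates per second
    # against a fast hash. Real rates depend on the hash algorithm and hardware.
    RATE = 1e12
    for name, days in compare_alphabets(8, RATE).items():
        print(f"{name:>20}: {days:12.3e} days to exhaust length 8")
    print("minimum length over ascii_printable for a 30-day budget:",
          min_length_for_budget(95, RATE, 30 * SECONDS_PER_DAY))
```

The comparison shows why a platform meant to handle Cyrillic or CJK inputs needs far more compute than an ASCII-only pentest setup: the per-position alphabet is the base of the exponent. For a defender, `min_length_for_budget` is the useful direction, since it gives the length (or passphrase word count, if you feed it a dictionary size as the alphabet) that stays out of reach of an assumed rate for an assumed period.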

UPDATE 2018-02-15: Five million euro for Europol’s “decryption platform” (blog by Matthias Monroy / @matthimon).

On 18 October 2017, the European Commission (EC) announced an upcoming anti-terrorism package, which addresses, inter alia, encryption challenges in criminal investigations. From the Q&A:

[…]

4. Supporting law enforcement in criminal investigations online

What is the role of encryption in criminal investigations?

Law enforcement and judicial authorities are increasingly facing challenges posed by the use of encryption by criminals in the context of criminal investigations. This is not only limited to serious crimes: in many cases, electronic data may be the only information and evidence available to prosecute and convict criminals. The challenges are not only due to attempts by criminal users to disguise their electronic communication and privately stored data, but also due to the default option of many communication services to apply encryption. The use of encryption by criminals, and therefore its impact on criminal investigations, is expected to continue to grow in the coming years.

How is the Commission proposing to support Member States on encryption?

Following consultation with Member States and stakeholders, the Commission has proposed today:

  • to support Europol to further develop its decryption capability;
  • to establish a network of centres of encryption expertise;
  • to create a toolbox for legal and technical instruments;
  • to provide training for law enforcement authorities, supported by €500,000 from the ISF–Police fund in 2018;
  • to establish an observatory for legal and technical developments;
  • to establish a structured dialogue with industry and civil society organisations.

In early 2018, the Commission will present proposals to provide for a legal framework to facilitate access to electronic evidence.

[…]

It is unclear what this might mean in practice, but Rebecca Hill (Twitter: @BekiHill) reported at El Reg that security commissioner Julian King (Twitter: @JKingEU) said the following:

“The commission’s position is very clear – we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon.”

Hill (correctly) states:

“How exactly… we don’t know. Maybe someone has an RSA-cracking supercomputer up their sleeve they’re keeping secret. Maybe someone’s particularly good with a soldering iron and can read off keys from extracted flash memory chips.

What we do know is that the thrust of the plan boils down to asking member states to help each other by sharing their knowledge on dealing with encryption and creating an observatory to keep an eye on the latest tricks of the trade.”

On 16 October 2017, two days before the announcement by the EC, Maryant Fernández Pérez (Twitter: @maryantfp) stated the following in a blog post at EDRi:

“Saying ‘no’ to backdoors is a step in the right direction, but not the end of the debate, as there are still many ways to weaken encryption. The answer to security problems like those created by terrorism cannot be the creation of security risks. On the contrary, the EU should focus on stimulating the development and the use of high-grade standards for encryption, and not in any way undermine the development, production or use of high-grade encryption.

We are concerned by the potential inclusion of certain aspects of the Communication, such as the increase of capabilities of Europol and what this may entail, and references to removal of allegedly “terrorist” content without accountability in line with the Commission’s recent Communication on tackling illegal content online. We remain vigilant regarding the developments in the field of counter-terrorism.”

The EC statement that it does not seek backdoors should not be interpreted as meaning that Member States’ intelligence services / communities won’t, individually or in voluntary cooperation with peers or industry, pursue influencing crypto standards for kleptographic objectives (such as NSA did with Dual_EC_DRBG) regardless of EU-level policy. It simply means that the EC does not pursue EU-level policy on that — at this time, anyway.

Cryptanalytic efforts, such as the Edgehill (GCHQ) program, will obviously remain in existence in individual Member States, as they do elsewhere in the world (notably in the U.S.) — and the EC announcement’s Q&A excerpt cited above states the EC will seek to support Europol to further develop its decryption capability.

The EC’s announcement also says they will promote “structured dialogue with industry and civil society organisations”, with unstated objectives. To speculate: objectives might include convincing those engaged in dialogue that strong end-to-end crypto should not be enabled by default, and/or making sure certain information other than message content is still emitted and observable, and/or otherwise changing software/hardware/protocol design (e.g. hardware backdoors – read for instance this paper) or implementation to suit LE/intel needs. Those needs, alongside privacy interests, must also be addressed in order to maintain democratic values. [UPDATE 2017-12-14: something along those lines seems to be happening in the U.S., going by the following statement by FBI director Christopher Wray cited by @emptywheel: “[…] The FBI is actively engaged with relevant stakeholders, including companies providing technological services, to educate them on the corrosive effects of the Going Dark challenge on both public safety and the rule of law, and with the academic community and technologists to work on technical solutions to this problem”.]

To be continued.
