Encryption Survey Indicates Law Enforcement Feels It's Behind The Tech Curve; Is Willing To Create Backdoors To Catch Up

from the trading-brute-force-for-extra-keys dept

To get a general feel for European law enforcement encryption sentiment (so to speak), the European Union sent questionnaires to member countries, asking for details on what forms of encryption are encountered most frequently and what these agencies feel would be the best approach to tackling encrypted data going forward.

Surprisingly, the EU received several responses and most have been published in full. (The list of PDFs/HTML versions can be found near the bottom of this page.) They were issued in response to a public records request by Rejo Zenger of Dutch digital rights group, Bits of Freedom.

Security researcher Lukasz Olejnik went through the posted documents to find the highlights/lowlights of the submissions. Several countries responded to the EU's questionnaire, but only twelve of those made their answers public. (And, in the case of the UK and the Czech Republic, some answers were redacted.)

Most responding agencies in most countries are running into the same encryption issues.

Countries point to difficulty of tackling encrypted data, in particular: encrypted data at rest (using solutions such as TrueCrypt),encrypted data in transit (e.g. SSH, HTTPS, Tor), use of instant messengers such as Skype, WhatsApp, etc., and encrypted mobile devices Countries disclose they lack resources such as technology, money or personnel, to effectively fight cybercrime

But not every country treats encryption "problems" the same way. A few didn't consider HTTPS to be an encryption form worth noting, perhaps because it doesn't cover the sort of data or communications they frequently target.

Others, like agencies in Italy (in an ALL CAPS reply), aren't so much worried about encrypted data in transit as much as they are worried about very specific data at rest, located in very specific consumer devices.

AS FOR OFFLINE ENCRYPTION, ONE MAIN PROBLEM IS WITH ONE OF THE MAJOR DEVICES COMPANY.

Hmm. I wonder which "major devices company" that would be? It seems this same "devices company" also thwarts law enforcement's wiretap efforts...

THERE ARE DIFFERENT TECNIQUE ADOPTED CASE BY CASE IN ORDER THE TRY TO DECRYPT THE INTERCEPTED DATA. ALSO USING THIRD PARTIES (PRIVATE INDUSTRIES/COMPANIES) RESOURCES. IN ADDITION THE MAIN IUSSES OFTEN CONCERN THE DIFFICULTY IN REMOTELY INSTALLING THE “WIRETAP TROJAN” ONTO SUSPECTS’ DEVICE, ESPECIALLY WITH REGARD TO ONE OF THE MAJOR BRAND.

...aaaand forensics efforts.

THE MAIN IUSSES RESULT FROM THE TECHNICAL IMPOSSIBILITY OF DECRYPTING ONE OF THE MAJOR BRAND’S DEVICES.

There seems to be no consensus on mandated encryption backdoors, but there are more than a few countries leaning that way. Estonia believes the problem is of a "technical nature," rather than one that should be solved through mandated backdoors. Belgium's submission flat-out states the country isn't interested in seeking mandated backdoors.

A regulation to prohibit or to weaken encryption for telecommunication and digital services has to be ruled out, in order to protect privacy and business secrets.

On the other end of the spectrum, Poland openly calls for deliberately weakened/compromised encryption.

One of the most crucial aspect will be adopting new legislation that allows for acquisition of data stored in EU countries “in the cloud” without need to apply for MLAT. There is also need to encourage software/hardware manufactures to put some kind “backdoors” for LEA or to use only relatively weak cryptographic algorithms.

The call for backdoors is echoed by Latvia and Italy.

In between, there are several countries that allude vaguely to working in conjunction with tech companies to find some sort of balance between user security and law enforcement's desires. (Then there's Italy, which mostly seems interested in seeing Apple devices wiped from the face of the earth.)

There are almost as many approaches as there are responding countries. We can only speculate on the contents and assertions made by countries that have refused to release their answers for "national security" reasons, but one would expect those with the most to "hide" would be more likely to expect citizens to give up their security for the good of the nation.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoors, encryption, going dark, law enforcement