On 18 October, the European Commission adopted some form of position on encryption, inexplicably embedded in its “anti-terrorism package”. Home affairs activity in relation to encryption is horizontal (covering all illegal activity) and not specifically related to terrorism. However, the Commission chose to include this topic in its anti-terrorism package. The decision to publish the Commission’s encryption policy in a terrorism initiative that covers a wide range of other issues (from air passenger profiling, to protecting public spaces to regulating explosive precursors) appears to be more of a political/public relations choice than a substantive decision.

Generally, the issue of encryption in the context of investigations is framed as an overall setback for law enforcement authorities, deliberately ignoring the fact that vastly more data (such as metadata of communications) is now available for law enforcement authorities as a result of electronic communications.

Cross-border access to data

The Commission builds on that confusion by presenting a planned initiative on cross-border access to electronic data (described as “electronic evidence”) inside its text on encryption. The Commission itself describes the data in the cross-border initiative as “possibly encrypted”. As a result, the Commission, in a text on encryption in a document about terrorism, is talking about possibly not encrypted data in relation to possibly not terrorist investigations.

Technical measures

The Commission then talks obliquely about “technical measures” for recovering some encrypted material. This would build on Europol’s existing, but not described, decryption capabilities. The “technical measures” could therefore mean anything, from state hacking to brute force attacks. It is unclear what the Commission means when it states that it is not proposing measures that “could weaken encryption or could have an impact on a larger or indiscriminate number of people”.

Points of expertise

A network of national “points of expertise” would build on but not replace work being done in EU Member States. This would bring together national experts working on technical measures to address encrypted material, in the context of investigations.

“Toolbox of alternative investigation techniques”

The Commission proposes a “toolbox of alternative investigation techniques” which would be developed by the national “points of expertise”. This process is also to happen ostensibly without looking at measures that would weaken encryption or could have an impact on a larger or indiscriminate number of people, apparently in isolation from any such measure that would be developed by Member States.

Structured dialogues with industry

Even more coded is the reference to the “important role of service providers and other industry partners” to provide “solutions with encryption”. Those words have no obvious meaning – and possibly no meaning at all. Traditionally, “dialogue with industry” is a euphemism for coercion of industry to do things that industry would not otherwise have done. A non-committal reference to engaging with “civil society”, “where appropriate”, is made in the document. However, to our knowledge, no civil society organisations have (so far) been invited to the December 2017 EU Internet Forum.

Training programmes

The Commission also suggests providing training programmes with the aim “for law enforcement and judicial authorities [to] ensure that responsible officers are better prepared to obtain necessary information encrypted by criminals”. The Commission does not explain why information encrypted by (potential) criminals is different from information encrypted by non-criminals. However, it does point out various options for providing training programmes, such as the European Cybercrime Training and Education Group and the European Union Agency for Law Enforcement Training, as well as a funding option under the Internal Security Fund.

Continuous assessment of technical and legal aspects of the role of encryption

Finally, the Commission proposes an “observatory function” in cooperation with the European Cybercrime Centre at Europol, the European Judicial Cybercrime Centre and Eurojust.

Conclusion

The European Commission has consulted widely and has been more transparent than usual in its development of its current position. It also appears to resist some of the more outlandish and hysterical positions of certain European politicians, like the British government in particular, which bounces around ideas of limiting or breaking encryption at apparently random intervals. However, the lack of clarity and overtly political elements of the text raise fears for the next steps in the Commission’s policy-making in relation to this important topic. We can only hope that the Commission will still consult civil society organisations, not just industry.

“Eleventh progress report towards an effective and genuine Security Union” (18.10.2017)

https://ec.europa.eu/home-affairs/sites/homeaffairs/files/what-we-do/policies/european-agenda-security/20171018_eleventh_progress_report_towards_an_effective_and_genuine_security_union_en.pdf

EU’s plans on encryption: What is needed? (16.10.2017)

https://edri.org/eus-plans-on-encryption-what-is-needed/

EDRi delivers paper on encryption workarounds and human rights (20.09.2017)

https://edri.org/edri-paper-encryption-workarounds/

EDRi position paper on encryption (25.01.2016)

https://www.edri.org/files/20160125-edri-crypto-position-paper.pdf

Encryption – debunking the myths (03.05.2017)

https://edri.org/encryption-debunking-myths/

(Contribution by Joe McNamee, EDRi)