The European Union intends to simplify investigative authorities’ access to encrypted content. This emerged from the replies to a questionnaire that was circulated to all Member States by the Slovak Presidency of the EU Council. After a “reflection process”, efforts in this area are, according to the summary of the replies, intended to give rise to a framework for “cooperation” with internet providers. It remains unclear whether this will take the form of a recommendation, regulation or directive or, indeed, what “cooperation” might mean.

The replies to the questionnaire are now being examined by the Friends of the Presidency Group on Cyber Issues (FoP Cyber), which also held discussions on “increasing tendencies to exploit encrypted communication in order to hide criminal activities, identities and crime scenes”. Those taking part included the European External Action Service (EEAS), the European Defence Agency (EDA) and other EU institutions. FoP Cyber’s recommendations will then be addressed at the meeting of the next Justice and Home Affairs Council (JHA) on 17 November in Brussels.

Focus on encrypted communications sent via Facebook, Skype, WhatsApp and Telegram

The non-public questionnaire was first published online by the British civil rights organisation Statewatch. Following a freedom of information request, the Council Secretariat lifted its non-public classification. The summary of the replies is also classified, but has now also been published by Statewatch.

The questionnaire was responded to by authorities from 25 Member States. The police agency Europol also submitted replies. Twenty-one participants responded that their investigators often or almost always ran up against encrypted content or devices, and that this applied especially to encrypted communications sent via Facebook, Skype, WhatsApp and Telegram.

While neither suspects nor people charged with crimes are under the legal obligation to disclose encryption keys or passwords in the participating Member States, a number of governments are working on relevant legislation. Internet providers are obliged to disclose these encryption keys or passwords, however, and a judicial order is not always required for this. This also applies to the interception of encrypted communication with the objective of decrypting the data at a later stage. However, there is often a lack of sufficient technical capacity, which is why decryption is defined as being among the top three challenges. There are further shortcomings with respect to financial resources and personnel capacities for corresponding measures.

“Transcription, decoding or decrypting of the recording subject”

The Slovak Presidency of the EU Council arrives at the conclusion that “practical solutions” should be sought that allow for the possible disclosure of encrypted data or devices. The cooperation of public prosecution offices, which is currently scheduled for harmonisation in the area of e-evidence, may be drawn upon to this end. This likewise involves entering into cooperative partnerships with Internet Service Providers (ISPs); much of the communications data isolated in the course of cross-border investigations is encrypted.

To facilitate the cooperation between investigative authorities, the European Union in 2014 adopted the European Investigation Order, a directive that must be implemented by the Member States by 2017. An “issuing state” may request that an “executing state” assist with efforts to gather evidence in the event of criminal proceedings. The European Investigation Order stipulates the procedure for administrative cooperation regarding the “transcription, decoding or decrypting of the recording subject”.

Germany proposes “software that records communications before they are encrypted”

The extent to which state trojan programmes could also number among “practical solutions” remains unclear. The German Federal Ministry of the Interior has, at any rate, proposed appropriate tools in its reply to the questionnaire:

“For ongoing telecommunications activities, one possibility would be to access the corresponding information technology system and to install software that is specially designed for this purpose. This software records communications before they are encrypted and ensures that it is exclusively ongoing telecommunications that are intercepted.”

German federal authorities have now established a Central Authority for Information Technology in the Security Sector (ZITiS) for the deployment of state trojans, which has an initial complement of 60 permanent posts with additional staff scheduled to join them at a later stage.

Europol as a hub for investigative authorities

In the summer 2016, the European Union established the European Judicial Cybercrime Network (EJCN), which has now been tasked with addressing “the challenges stemming from encryption”. The EJCN is scheduled to commence its work on 24 November and will, along with Europol, cooperate closely with Eurojust, whose task is judicial cooperation. On 2 June 2016, Eurojust held a Strategic Seminar “Keys to Cyberspace” which focussed also on access to encrypted data and locked mobile devices, for example by using a suspect’s fingerprints previously collected or compel a suspect to provide passwords.

Further objectives of the EJCN include speeding up international legal assistance procedures and improving cooperation with ISPs and cross-border investigative measures in cyberspace. This cooperation extends to the transatlantic region; the European Union is currently working on procedures that will enable European investigative authorities to submit direct enquiries to private service providers in the US.

One of the tasks of the EJCN is to enhance the direct cooperation with service providers in the US. Eurojust reports a strong wish “for an intervention of the EU legislator” to oblige the companies to answer direct requests from national authorities or at least fix minimum requirements and standards for such requests.

In order to simplify legal assistance for digital investigations, the US has now dispatched a state attorney to Europol. The police agency is, according to the Council Document, intended to function as a hub in the area of encrypted telecommunications. Further assistance could be provided by the European Agency for Network and Information Security (ENISA). Europol and ENISA recently discussed legal and technical options for dealing with encryption at a private conference in the summer.

This article was originally published at https://digit.site36.net/2016/11/03/new-eu-network-of-judicial-authorities-to-combat-the-challenges-stemming-from-encryption/

Justice and Home Affairs Council, 08-09/12/2016

http://www.consilium.europa.eu/en/meetings/jha/2016/12/08-09/

Encryption of data – Questionnaire

https://www.parlament.gv.at/PAKT/EU/XXV/EU/11/57/EU_115720/imfname_10656033.pdf

Tackling encryption: law enforcement agencies favour practical, effective solutions for access rather than new legal powers? (27.10.2016)

http://statewatch.org/news/2016/oct/eu-council-encryption-debate.htm

Council conclusions on improving criminal justice in cyberspace (09.06.2016)

http://www.consilium.europa.eu/en/meetings/jha/2016/06/cyberspace–en_pdf/

Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32014L0041

ZITiS is the new German Government cyber unit in wake of terror attacks (15.08.2016)

http://securityaffairs.co/wordpress/50297/terrorism/zitis-german-cyber-unit.html

On lawful criminal investigation that respects 21st Century data protection, Europol and ENISA Joint Statement

https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/on-lawful-criminal-investigation-that-respects-21st-century-data-protection

Eurojust strategic seminar-Keys to cyberspace

http://www.eurojust.europa.eu/press/News/News/Pages/2016/2016_06_03_Eurojust-strategic-seminar-Keys-to-cyberspace.aspx

(Contribution by Matthias Monroy, Bürgerrechte & Polizei/CILIP, Germany)