This article is part of our special report Europe’s cybersecurity agenda.
The European Commission insists that it does not want to weaken encryption as part of its latest push to give law enforcement authorities more access to private data.
Julian King, the EU Commissioner in charge of security, announced a handful of new initiatives on Wednesday (18 October) to fund more police training to crack encryption technology.
Despite King’s disavowal of so-called backdoors for police to access private data, some technology policy observers are concerned the new proposals won’t safeguard encryption.
The broad objective of the Commission’s latest announcements is to encourage national governments to develop expertise in decrypting secured communications—and to share their knowledge with other member states.
“Some member states are more equipped technically to do that than others. We want to make sure no member state is at a disadvantage,” King told a news conference on Wednesday.
King was quick to emphasise that the Commission’s proposals on encryption mark a shift towards developing advanced techniques to access data, and a turn away from earlier debates about possible legislation that would require tech companies to create backdoors.
“What we’re doing today is trying to move beyond a sometimes slightly sterile debate of backdoors versus no backdoors, to address some of the concrete practical challenges that law enforcement faces.
“For example, when they seize a device, how do they get the information and exploit the information that might be encrypted on that device?” King said.
Over the last year, several European politicians have urged the Commission to propose an EU law to give police quicker access to criminals’ communications that might be encrypted.
Those demands have often flared after deadly terrorist attacks. France and Germany’s interior ministers together pushed for EU action, writing joint letters to the Commission and speaking in European Parliament hearings on encryption earlier this year. In March, UK Home Secretary Amber Rudd said encrypted WhatsApp chats should be accessible to police after a London driver crashed into a crowd of people.
Leaders from the 28 EU countries even pressed for a solution to law enforcement’s struggles obtaining encrypted data in their official conclusions from a European Council summit this June.
But some industry groups and privacy advocates warned that although the Commission claims it has shifted its approach, the new proposals could still pose a risk to encryption—even if legislation to create backdoors is no longer part of political talks.
Lucie Krahulcova, who works on digital policy at the NGO Access Now, said that Commission officials never suggested creating ways to access the content of encrypted messages in meetings they held over the last year-and-a-half with tech industry groups and campaigners.
Instead, Krahulcova said those discussions, which were held through the Commission-led EU internet forum, focused on access to metadata of encrypted communication since that data—including the time a message is sent or an email subject—is in plain text and does not need to be decrypted like the content of messages.
“It sounds like they want providers to retain [encryption] keys to communications. They’re grazing over the privacy and data protection concerns that we have by saying ‘we don’t want backdoors, but we still want access to content behind encryption’,” Krahulcova said.
“This is more smokescreen from the Commission. They’re not taking a clear position on protecting encryption,” she added.
Dutch Liberal MEP Marietje Schaake was also wary of the proposals. “Commission wants to have its cake & eat it too: toolbox to break encryption…without weakening encryption,” she tweeted.
The Commission’s proposal says that member states should develop a “toolbox of alternative investigation techniques” that police can use to “obtain needed information encrypted by criminals”.
Tech companies have warned against legal action that could force them to weaken encryption, which they argue would lower security standards across the board and make devices and communication more vulnerable to hackers. But they also want safeguards in place if law enforcement authorities decrypt digital communication apps or other services.
A spokesman for DigitalEurope, a lobby group representing tech companies, said, “Any operational capabilities to decrypt data should be subject to independent oversight and enforcement.”
Another core element of the Commission’s proposals is its plan to make it easier for national police forces to crack encryption—without passing any new EU legislation.
The Commission had previously announced that Europol, the EU police agency, will receive a budget increase in 2018, but specified on Wednesday that many of the new jobs will be earmarked for decryption work.
The Commission also wants Europol to coordinate a new network of national law enforcement experts on encryption, as one way to help member states that lack staff with technical training to learn from more advanced countries.
A Europol spokeswoman said the agency currently provides “limited” services and advice on decryption for EU member states. But more money could turn that into an “enhanced decryption service provided as a central service for member states”.
“That investment would allow potentially greater computing power but could also include improved training procedures to educate law enforcement on the challenges of encryption and investigation possibilities,” the spokeswoman said.
The Commission also announced that it will add an extra €500,000 for police training on encryption next year.
One EU official said the network of national experts could give member states a platform to show how they have used encryption techniques in criminal investigations, and will even allow national authorities to step in and give advice to other individual countries or on a case-by-case basis.
Separately, the Commission is planning new legislation for early next year that could make it easier for police to access “necessary, but possibly encrypted, information” that is stored in the cloud or in other member states.